[clamav-users] CVE fix status
Steven Morgan
smorgan at sourcefire.com
Mon Nov 20 22:23:17 UTC 2017
I think some may be fixed already. I've opened ticket 11961 in the ClamAV
bugzilla for followup and tracking.
Steve
On Mon, Nov 20, 2017 at 2:54 PM, Zetan Drableg <zetan.drableg at gmail.com>
wrote:
> Hi,
> Anyone know when these CVEs will be fixed? Does clamav provide a 0.99.2
> security fix branch or I need to consume 0.99.3 devel? Does EPEL backport
> fixes?
>
> CVE-2017-6418
> CVE-2017-6419
> CVE-2017-6420
>
> It was discovered that ClamAV incorrectly handled parsing certain e-mail
> messages. A remote attacker could possibly use this issue to cause ClamAV
> to crash, resulting in a denial of service. (CVE-2017-6418
> <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6418>)
>
> It was discovered that ClamAV incorrectly handled certain malformed CHM
> files. A remote attacker could use this issue to cause ClamAV to crash,
> resulting in a denial of service, or possibly execute arbitrary code. This
> issue only affected Ubuntu 14.04 LTS. In the default installation,
> attackers would be isolated by the ClamAV AppArmor profile. (CVE-2017-6419
> <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6419>)
> It was discovered that ClamAV incorrectly handled parsing certain PE files
> with WWPack compression. A remote attacker could possibly use this issue to
> cause ClamAV to crash, resulting in a denial of service. (CVE-2017-6420
> <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6420>)
>
> Thank you
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
More information about the clamav-users
mailing list