git.ipfire.org Git - ipfire-2.x.git/commit

author	Matthias Fischer <matthias.fischer@ipfire.org>
	Fri, 23 Aug 2019 16:49:04 +0000 (18:49 +0200)
committer	Arne Fitzenreiter <arne_f@ipfire.org>
	Wed, 28 Aug 2019 08:16:50 +0000 (08:16 +0000)
commit	2b20d0cfc630dc76fe4742634417ea6e006ccc1a
tree	0efb5c995f63fd2f96cf8cea035ad5e42ca317fd	tree \| snapshot
parent	cf2aa683a96a03f75e0f0ec7b7517e0e63487722	commit \| diff

clamav: Update to 0.101.4

For details see:
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

"An out of bounds write was possible within ClamAV's NSIS bzip2
library when attempting decompression in cases where the number
of selectors exceeded the max limit set by the library (CVE-2019-12900).
The issue has been resolved by respecting that limit.

Thanks to Martin Simmons for reporting the issue here.

The zip bomb vulnerability mitigated in 0.101.3 has been assigned
the CVE identifier CVE-2019-12625. Unfortunately, a workaround for
the zip-bomb mitigation was immediately identified. To remediate
the zip-bomb scan time issue, a scan time limit has been introduced
in 0.101.4.
This limit now resolves ClamAV's vulnerability to CVE-2019-12625."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>