Revision Date: | 2020-12-22 | Version: | 1 |
Title: | Security update for clamav (Important) |
Description: |
This update for clamav fixes the following issues:
clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.
clamd can now reload the signature database without blocking scanning. This multi-threaded database reload improvement was made possible thanks to a community effort. - Non-blocking database reloads are now the default behavior. Some systems that are more constrained on RAM may need to disable non-blocking reloads as it will temporarily consume two times as much memory. We added a new clamd config option ConcurrentDatabaseReload, which may be set to no. * Fix clamav-milter.service (requires clamd.service to run) * bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode. * Partial sync with SLE15.
Update to version 0.102.4
Accumulated security fixes:
CVE-2020-3350: Fix a vulnerability wherein a malicious user could replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (eg. a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan, and clamonacc. (bsc#1174255) * CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking results in an out-of-bounds read which could cause a crash. The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly resolves the issue. * CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition. Improper error handling may result in a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in versions affected by the vulnerability. (bsc#1174250) * CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash. (bsc#1171981) * CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash. * CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation. (bsc#1157763). * CVE-2019-12900: An out of bounds write in the NSIS bzip2 (bsc#1149458) * CVE-2019-12625: Introduce a configurable time limit to mitigate zip bomb vulnerability completely. Default is 2 minutes, configurable useing the clamscan --max-scantime and for clamd using the MaxScanTime config option (bsc#1144504)
Update to version 0.101.3:
ZIP bomb causes extreme CPU spikes (bsc#1144504)
Update to version 0.101.2 (bsc#1118459):
Support for RAR v5 archive extraction. * Incompatible changes to the arguments of cl_scandesc, cl_scandesc_callback, and cl_scanmap_callback. * Scanning options have been converted from a single flag bit-field into a structure of multiple categorized flag bit-fields. * The CL_SCAN_HEURISTIC_ENCRYPTED scan option was replaced by 2 new scan options: CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE, and CL_SCAN_HEURISTIC_ENCRYPTED_DOC * Incompatible clamd.conf and command line interface changes. * Heuristic Alerts' (aka 'Algorithmic Detection') options have been changed to make the names more consistent. The original options are deprecated in 0.101, and will be removed in a future feature release. * For details, see https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html
|
Family: | unix | Class: | patch |
Status: | | Reference(s): | 1011348 1021578 1022062 1028744 1029638 1029639 1029706 1029707 1029751 1039513 1044016 1050947 1058425 1064232 1076110 1083635 1085042 1086652 1087081 1089343 1090123 1091171 1094248 1096130 1096480 1096978 1097140 1097551 1098016 1098425 1098435 1099924 1100089 1100416 1100418 1100491 1101557 1102340 1102851 1103097 1103119 1103580 1106119 1111634 1111635 1118459 1119353 1119553 1119554 1119555 1119556 1119557 1119558 1130721 1131060 1135902 1139073 1140402 1141035 1143794 1144504 1149458 1155321 1155988 1156318 1157763 1159329 1160968 1161719 1161799 1163809 1165528 1169658 1170643 1171981 1174250 1174255 988274 CVE-2010-3170 CVE-2011-3172 CVE-2011-3389 CVE-2011-3640 CVE-2013-0743 CVE-2013-0791 CVE-2013-1620 CVE-2013-1739 CVE-2013-1740 CVE-2013-5605 CVE-2014-1492 CVE-2014-1568 CVE-2014-1569 CVE-2015-4000 CVE-2015-7181 CVE-2015-7182 CVE-2015-7575 CVE-2016-1938 CVE-2016-1950 CVE-2016-1978 CVE-2016-1979 CVE-2016-2834 CVE-2016-5285 CVE-2016-8635 CVE-2016-9074 CVE-2016-9574 CVE-2017-11671 CVE-2017-14482 CVE-2017-18344 CVE-2017-6435 CVE-2017-6436 CVE-2017-6437 CVE-2017-6438 CVE-2017-6439 CVE-2018-1000807 CVE-2018-1000808 CVE-2018-13053 CVE-2018-13405 CVE-2018-13406 CVE-2018-14734 CVE-2018-3620 CVE-2018-3646 CVE-2018-4437 CVE-2018-4438 CVE-2018-4441 CVE-2018-4442 CVE-2018-4443 CVE-2018-4464 CVE-2018-5390 CVE-2018-5391 CVE-2018-5814 CVE-2018-9385 CVE-2019-11135 CVE-2019-11139 CVE-2019-12155 CVE-2019-12900 CVE-2019-13164 CVE-2019-14378 CVE-2019-15961 CVE-2019-1787 CVE-2019-1788 CVE-2019-1789 CVE-2019-3880 CVE-2019-8625 CVE-2019-8710 CVE-2019-8720 CVE-2019-8743 CVE-2019-8764 CVE-2019-8766 CVE-2019-8769 CVE-2019-8771 CVE-2019-8782 CVE-2019-8783 CVE-2019-8808 CVE-2019-8811 CVE-2019-8812 CVE-2019-8813 CVE-2019-8814 CVE-2019-8815 CVE-2019-8816 CVE-2019-8819 CVE-2019-8820 CVE-2019-8823 CVE-2019-8835 CVE-2019-8844 CVE-2019-8846 CVE-2020-10018 CVE-2020-11793 CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2659 CVE-2020-3123 CVE-2020-3327 CVE-2020-3341 CVE-2020-3350 CVE-2020-3481 CVE-2020-3862 CVE-2020-3864 CVE-2020-3865 CVE-2020-3867 CVE-2020-3868 CVE-2020-3899 CVE-2020-6796 CVE-2020-6797 CVE-2020-6798 CVE-2020-6799 CVE-2020-6800 SUSE-SU-2017:2201-1 SUSE-SU-2017:2526-1 SUSE-SU-2017:2529-1 SUSE-SU-2018:4063-1 SUSE-SU-2019:0897-1 SUSE-SU-2019:1195-1 SUSE-SU-2019:2157-1 SUSE-SU-2019:2988-1 SUSE-SU-2020:0261-1 SUSE-SU-2020:1135-1 SUSE-SU-2020:1211-1
|
Platform(s): | openSUSE Leap 15.0 openSUSE Leap 15.1 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP2-ESPOS SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP3-ESPOS SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server 12 SP3-TERADATA SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP4-ESPOS SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8
| Product(s): | |
Definition Synopsis |
openSUSE Leap 15.0 is installed AND icoutils-0.31.3-lp150.1 is installed
|
Definition Synopsis |
openSUSE Leap 15.1 is installed
AND Package Information
libtasn1-4.13-lp151.4.3 is installed
OR libtasn1-6-4.13-lp151.4.3 is installed
OR libtasn1-6-32bit-4.13-lp151.4.3 is installed
OR libtasn1-devel-4.13-lp151.4.3 is installed
OR libtasn1-devel-32bit-4.13-lp151.4.3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP2-BCL is installed
AND Package Information
python-cryptography-1.3.1-7.13 is installed
OR python-pyOpenSSL-16.0.0-4.11 is installed
OR python-setuptools-18.0.1-4.8 is installed
OR python3-cryptography-1.3.1-7.13 is installed
OR python3-pyOpenSSL-16.0.0-4.11 is installed
OR python3-setuptools-18.0.1-4.8 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP2-ESPOS is installed
AND Package Information
kernel-default-4.4.121-92.92 is installed
OR kernel-default-base-4.4.121-92.92 is installed
OR kernel-default-devel-4.4.121-92.92 is installed
OR kernel-devel-4.4.121-92.92 is installed
OR kernel-macros-4.4.121-92.92 is installed
OR kernel-source-4.4.121-92.92 is installed
OR kernel-syms-4.4.121-92.92 is installed
OR kgraft-patch-4_4_121-92_92-default-1-3.7 is installed
OR kgraft-patch-SLE12-SP2_Update_24-1-3.7 is installed
OR lttng-modules-2.7.1-9.4 is installed
OR lttng-modules-kmp-default-2.7.1_k4.4.121_92.92-9.4 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3 is installed
AND Package Information
libfreebl3-3.29.5-57 is installed
OR libfreebl3-32bit-3.29.5-57 is installed
OR libfreebl3-hmac-3.29.5-57 is installed
OR libfreebl3-hmac-32bit-3.29.5-57 is installed
OR libsoftokn3-3.29.5-57 is installed
OR libsoftokn3-32bit-3.29.5-57 is installed
OR libsoftokn3-hmac-3.29.5-57 is installed
OR libsoftokn3-hmac-32bit-3.29.5-57 is installed
OR mozilla-nss-3.29.5-57 is installed
OR mozilla-nss-32bit-3.29.5-57 is installed
OR mozilla-nss-certs-3.29.5-57 is installed
OR mozilla-nss-certs-32bit-3.29.5-57 is installed
OR mozilla-nss-sysinit-3.29.5-57 is installed
OR mozilla-nss-sysinit-32bit-3.29.5-57 is installed
OR mozilla-nss-tools-3.29.5-57 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-BCL is installed
AND Package Information
nfs-client-1.3.0-34.22 is installed
OR nfs-doc-1.3.0-34.22 is installed
OR nfs-kernel-server-1.3.0-34.22 is installed
OR nfs-utils-1.3.0-34.22 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-ESPOS is installed
AND Package Information
kernel-default-4.4.180-94.107 is installed
OR kernel-default-base-4.4.180-94.107 is installed
OR kernel-default-devel-4.4.180-94.107 is installed
OR kernel-default-kgraft-4.4.180-94.107 is installed
OR kernel-devel-4.4.180-94.107 is installed
OR kernel-macros-4.4.180-94.107 is installed
OR kernel-source-4.4.180-94.107 is installed
OR kernel-syms-4.4.180-94.107 is installed
OR kgraft-patch-4_4_180-94_107-default-1-4.3 is installed
OR kgraft-patch-SLE12-SP3_Update_29-1-4.3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-LTSS is installed
AND Package Information
libgcrypt-1.6.1-16.68 is installed
OR libgcrypt20-1.6.1-16.68 is installed
OR libgcrypt20-32bit-1.6.1-16.68 is installed
OR libgcrypt20-hmac-1.6.1-16.68 is installed
OR libgcrypt20-hmac-32bit-1.6.1-16.68 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-TERADATA is installed
AND ucode-intel-20180807-13.29 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP4 is installed
AND Package Information
gdk-pixbuf-loader-rsvg-2.40.20-5.6 is installed
OR librsvg-2-2-2.40.20-5.6 is installed
OR librsvg-2-2-32bit-2.40.20-5.6 is installed
OR rsvg-view-2.40.20-5.6 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP4-ESPOS is installed
AND clamav-0.103.0-33.32.1 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud 8 is installed
AND Package Information
libjavascriptcoregtk-4_0-18-2.28.1-2.50 is installed
OR libwebkit2gtk-4_0-37-2.28.1-2.50 is installed
OR libwebkit2gtk3-lang-2.28.1-2.50 is installed
OR typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50 is installed
OR typelib-1_0-WebKit2-4_0-2.28.1-2.50 is installed
OR webkit2gtk-4_0-injected-bundles-2.28.1-2.50 is installed
OR webkit2gtk3-2.28.1-2.50 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud 9 is installed
AND Package Information
xorg-x11-server-1.19.6-4.11 is installed
OR xorg-x11-server-extra-1.19.6-4.11 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud Crowbar 8 is installed
AND Package Information
libjavascriptcoregtk-4_0-18-2.28.2-2.53 is installed
OR libwebkit2gtk-4_0-37-2.28.2-2.53 is installed
OR libwebkit2gtk3-lang-2.28.2-2.53 is installed
OR typelib-1_0-JavaScriptCore-4_0-2.28.2-2.53 is installed
OR typelib-1_0-WebKit2-4_0-2.28.2-2.53 is installed
OR webkit2gtk-4_0-injected-bundles-2.28.2-2.53 is installed
OR webkit2gtk3-2.28.2-2.53 is installed
|