-----  B a l a B i t   S e c u r i t y   A d v i s o r y   ( B B S A )  -----
PACKAGE             : clamav
AFFECTED VERSION    : <= 0.93.1-1.zorpos1, <= 0.93.1-1.zorpos33.1
FIXED               : 0.94.dfsg-1~volatile1.zorpos1, 0.94.dfsg-1~volatile1.zorpos33.1
SUMMARY             : multiple vulnerabilities
TYPE                : remote
AFFECTED            : ZorpOS 3.1, ZorpOS 3.3
ZORP-OS SPECIFIC    : NO
BBSA-AUTHOR         : Tamás Pál <tamas.pal@balabit.hu>
BBSA-ID             : BBSA-2008-044
BBSA-ADDRESS        : advisory@balabit.hu
GNUPG FINGERPRINT   : 933E 6763 D32D A01C 1A75  F228 9CB1 81C7 D91E 8915
CVE                 : CVE-2008-3912, CVE-2008-3913, CVE-2008-3914
DATE                : Oct 2, 2008
-----------------------------------------------------------------------------

BACKGROUND:

  Multiple vulnerabilities have been found in ClamAV the open source antivirus
  package:

  CVE-2008-3912:
  libclamav in ClamAV before 0.94 allows attackers to cause a denial of
  service (NULL pointer dereference and application crash) via vectors
  related to an out-of-memory condition.

  CVE-2008-3913:
  Multiple memory leaks in freshclam/manager.c in ClamAV before 0.94 might
  allow attackers to cause a denial of service (memory consumption) via
  unspecified vectors related to the "error path."

  CVE-2008-3914:
  Multiple unspecified vulnerabilities in ClamAV before 0.94 have unknown
  impact and attack vectors related to file descriptor leaks on the "error
  path" in libclamav/others.c and libclamav/sis.c.

SOLUTION:

  We recommend that you update the affected packages immediately.

  Upgrading using apt:
  ~~~~~~~~~~~~~~~~~~~~
  Add the following line to /etc/apt/sources.list (if it doesn't
  contain this line already)

  ZorpOS version 3.1:

    deb https://USERNAME:PASSWORD@apt.balabit.hu/zorp-os \
      zorp-os-3.1/3.1security zorp-os zorp-os-extra

  ZorpOS version 3.3:

    deb https://USERNAME:PASSWORD@apt.balabit.hu/zorp-os \
      zorp-os-3.3/3.3security zorp-os zorp-os-extra

  then issue the following commands as root:

  apt-get update

  apt-get -u dist-upgrade

  The latest upgrades will be downloaded and installed.

REFERENCES:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3912
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3913
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3914