SUSE-SU-2021:14592-1: moderate: Security update for clamav
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Tue Jan 5 13:22:30 MST 2021
SUSE Security Update: Security update for clamav
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:14592-1
Rating: moderate
References: #1118459 #1171981 #1174250 #1174255 ECO-3010
Cross-References: CVE-2020-3123 CVE-2020-3327 CVE-2020-3341
CVE-2020-3350 CVE-2020-3481
Affected Products:
SUSE Linux Enterprise Server 11-SP4-LTSS
SUSE Linux Enterprise Point of Sale 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________
An update that fixes 5 vulnerabilities, contains one
feature is now available.
Description:
This update for clamav fixes the following issues:
- Update to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459
- This update incorporates incompatible changes that were introduced in
version 0.101.0.
- Accumulated security fixes:
* CVE-2020-3350: Fix a vulnerability wherein a malicious user could
replace a scan target's directory with a symlink to another path to
trick clamscan, clamdscan, or clamonacc into removing or moving a
different file (eg. a critical system file). The issue would affect
users that use the --move or --remove options for clamscan, clamdscan,
and clamonacc. (bsc#1174255)
* CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module
in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS)
condition. Improper bounds checking results in an
out-of-bounds read which could cause a crash. The previous fix for
this CVE in 0.102.3 was incomplete. This fix correctly resolves the
issue.
* CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV
0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition.
Improper error handling may result in a crash due to a NULL pointer
dereference. This vulnerability is mitigated for those using the
official ClamAV signature databases because the file type signatures
in daily.cvd will not enable the EGG archive parser in versions
affected by the vulnerability. (bsc#1174250)
* CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV
0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper size checking of a buffer used to initialize AES decryption
routines results in an out-of-bounds read which may cause a crash.
(bsc#1171981)
* CVE-2020-3123: A denial-of-service (DoS) condition may occur when
using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an
out-of-bounds read, which causes a crash.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11-SP4-LTSS:
zypper in -t patch slessp4-clamav-14592=1
- SUSE Linux Enterprise Point of Sale 11-SP3:
zypper in -t patch sleposp3-clamav-14592=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-clamav-14592=1
- SUSE Linux Enterprise Debuginfo 11-SP3:
zypper in -t patch dbgsp3-clamav-14592=1
Package List:
- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
clamav-0.103.0-0.20.32.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
clamav-0.103.0-0.20.32.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
clamav-debuginfo-0.103.0-0.20.32.1
clamav-debugsource-0.103.0-0.20.32.1
- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
clamav-debuginfo-0.103.0-0.20.32.1
clamav-debugsource-0.103.0-0.20.32.1
References:
https://www.suse.com/security/cve/CVE-2020-3123.html
https://www.suse.com/security/cve/CVE-2020-3327.html
https://www.suse.com/security/cve/CVE-2020-3341.html
https://www.suse.com/security/cve/CVE-2020-3350.html
https://www.suse.com/security/cve/CVE-2020-3481.html
https://bugzilla.suse.com/1118459
https://bugzilla.suse.com/1171981
https://bugzilla.suse.com/1174250
https://bugzilla.suse.com/1174255
More information about the sle-updates
mailing list