Debian Security Advisory DSA 1024-1 (clamav)

The remote host is missing an update to clamav announced via advisory DSA 1024-1. Several remote vulnerabilities have been discovered in the ClamAV anti-virus toolkit, which may lead to denial of service and potentially to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-1614 Damian Put discovered an integer overflow in the PE header parser. This is only exploitable if the ArchiveMaxFileSize option is disabled. CVE-2006-1615 Format string vulnerabilities in the logging code have been discovered, which might lead to the execution of arbitrary code. CVE-2006-1630 David Luyer discovered, that ClamAV can be tricked into an invalid memory access in the cli_bitset_set() function, which may lead to a denial of service. The old stable distribution (woody) doesn't contain clamav packages.

For the stable distribution (sarge) these problems have been fixed in version 0.84-2.sarge.8. For the unstable distribution (sid) these problems have been fixed in version 0.88.1-1. We recommend that you upgrade your clamav package. https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201024-1