Date:      Tue, 10 Sep 2024 03:58:14 GMT
From:      Yasuhiro Kimura <yasu@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: b689d061639d - main - security/vuxml: Document multiple vulnerabilities in ClamAV
Message-ID:  <202409100358.48A3wEsm053793@gitrepo.freebsd.org>

The branch main has been updated by yasu:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b689d061639db8480e916ee7872c67f4141bef79

commit b689d061639db8480e916ee7872c67f4141bef79
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2024-09-09 22:31:20 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2024-09-10 03:57:15 +0000

    security/vuxml: Document multiple vulnerabilities in ClamAV
---
 security/vuxml/vuln/2024.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index 14bbfcb956f0..571820f6d037 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,63 @@
+  <vuln vid="996518f3-6ef9-11ef-b01b-08002784c58d">
+    <topic>clamav -- Multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>clamav</name>
+	<range><ge>1.3.0,1</ge><lt>1.3.2,1</lt></range>
+	<range><ge>1.4.0,1</ge><lt>1.4.1,1</lt></range>
+      </package>
+      <package>
+	<name>clamav-lts</name>
+	<range><ge>1.0.0,1</ge><lt>1.0.6,1</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>The ClamAV project  reports:</p>
+	<blockquote cite="https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html">;
+	  <dl>
+	    <dt>CVE-2024-20505</dt>
+	    <dd>
+	      A vulnerability in the PDF parsing module of Clam
+	      AntiVirus (ClamAV) could allow an unauthenticated,
+	      remote attacker to cause a denial of service (DoS)
+	      condition on an affected device. The vulnerability is
+	      due to an out of bounds read. An attacker could exploit
+	      this vulnerability by submitting a crafted PDF file to
+	      be scanned by ClamAV on an affected device. An exploit
+	      could allow the attacker to terminate the scanning
+	      process.
+	    </dd>
+	    <dt>CVE-2024-20506</dt>
+	    <dd>
+	      A vulnerability in the ClamD service module of Clam
+	      AntiVirus (ClamAV) could allow an authenticated, local
+	      attacker to corrupt critical system files. The
+	      vulnerability is due to allowing the ClamD process to
+	      write to its log file while privileged without checking
+	      if the logfile has been replaced with a symbolic
+	      link. An attacker could exploit this vulnerability if
+	      they replace the ClamD log file with a symlink to a
+	      critical system file and then find a way to restart the
+	      ClamD process. An exploit could allow the attacker to
+	      corrupt a critical system file by appending ClamD log
+	      messages after restart.
+	    </dd>
+	  </dl>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2024-20505</cvename>
+      <cvename>CVE-2024-20506</cvename>
+      <url>https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html</url>;
+    </references>
+    <dates>
+      <discovery>2024-09-04</discovery>
+      <entry>2024-09-09</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="8fbe81f7-6eb5-11ef-b7bd-00505632d232">
     <topic>netatalk3 -- multiple WolfSSL vulnerabilities</topic>
     <affects>
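Review bot: the clamav-lts range `<range><ge>1.0.0,1</ge><lt>1.0.6,1</lt></range>` looks inconsistent with the advisory URL cited in the same entry, whose slug (clamav-141-132-107-and-010312) names 1.4.1, 1.3.2, 1.0.7 and 0.103.12 as the fixed releases; if 1.0.7 is the LTS fix, the upper bound should be `<lt>1.0.7,1</lt>`, otherwise a user on 1.0.6 would be reported as unaffected. Please verify against the advisory and the port's current version before merging. Minor style point in the same hunk: `<p>The ClamAV project  reports:</p>` has a doubled space.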