|Category:||SuSE Local Security Checks|
|Title:||SUSE: Security Advisory (SUSE-SU-2021:14592-1)|
|Summary:||The remote host is missing an update for the 'clamav' package(s) announced via the SUSE-SU-2021:14592-1 advisory.|
The remote host is missing an update for the 'clamav' package(s) announced via the SUSE-SU-2021:14592-1 advisory.
This update for clamav fixes the following issues:
Update to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459
This update incorporates incompatible changes that were introduced in
Accumulated security fixes:
* CVE-2020-3350: Fix a vulnerability wherein a malicious user could
replace a scan target's directory with a symlink to another path to
trick clamscan, clamdscan, or clamonacc into removing or moving a
different file (eg. a critical system file). The issue would affect
users that use the --move or --remove options for clamscan, clamdscan,
and clamonacc. (bsc#1174255)
* CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module
in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS)
condition. Improper bounds checking results in an
out-of-bounds read which could cause a crash. The previous fix for
this CVE in 0.102.3 was incomplete. This fix correctly resolves the
* CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV
0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition.
Improper error handling may result in a crash due to a NULL pointer
dereference. This vulnerability is mitigated for those using the
official ClamAV signature databases because the file type signatures
in daily.cvd will not enable the EGG archive parser in versions
affected by the vulnerability. (bsc#1174250)
* CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV
0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper size checking of a buffer used to initialize AES decryption
routines results in an out-of-bounds read which may cause a crash.
* CVE-2020-3123: A denial-of-service (DoS) condition may occur when
using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an
out-of-bounds read, which causes a crash.
'clamav' package(s) on SUSE Linux Enterprise Server 11-SP4, SUSE Linux Enterprise Point of Sale 11-SP3, SUSE Linux Enterprise Debuginfo 11-SP4, SUSE Linux Enterprise Debuginfo 11-SP3
Please install the updated package(s).
Common Vulnerability Exposure (CVE) ID: CVE-2020-3123|
Cisco Security Advisory: https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs59062
Common Vulnerability Exposure (CVE) ID: CVE-2020-3327
Cisco Security Advisory: https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-3341
Common Vulnerability Exposure (CVE) ID: CVE-2020-3350
Cisco Security Advisory: 20200617 Cisco AMP for Endpoints and ClamAV Privilege Escalation Vulnerability
Common Vulnerability Exposure (CVE) ID: CVE-2020-3481
Cisco Security Advisory: ClamAV 0.102.4 security patch released
|Copyright||Copyright (C) 2021 Greenbone Networks GmbH|
|This is only one of 97459 vulnerability tests in our test suite. Find out more about running a complete security audit.|
To run a free test of this vulnerability against your system, register below.