pkg_admin audit: false alarm for clamav-0.99.2 (CVE-2016-1405)?

To: pkgsrc-users%netbsd.org@localhost
Subject: pkg_admin audit: false alarm for clamav-0.99.2 (CVE-2016-1405)?
From: Matthias Ferdinand <mf+ml.pkgsrc-users%netzwerkagentursaarland.de@localhost>
Date: Thu, 2 Feb 2017 19:23:23 +0100

perhaps another one, but the situation is less clear this time:

    Package clamav-0.99.2nb3 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1405

This CVE is not mentioned in the changelogs for 0.99.2, but at least
Ubuntu claims that they fixed it by upgrading to upstream 0.99.2 (from
0.98.1): https://www.ubuntu.com/usn/usn-3093-1/

But they don't seem to know for sure what exactly caused/fixed the
vulnerability ("still no details as to what the fix is as of
2016-08-31"):
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1405.html


Does anybody know for sure?

Matthias

References:
- pkg_admin audit: false alarm for bash-4.4.012 (CVE-2016-9401)?
  - From: Matthias Ferdinand
- Re: pkg_admin audit: false alarm for bash-4.4.012 (CVE-2016-9401)?
  - From: Sevan Janiyan

Prev by Date: Re: Bootstrapping pkgsrc on Android, was: Can anybody come with a creative solution to the "/bin/sh: bad interpreter" problem?
Next by Date: Re: Bootstrapping pkgsrc on Android, was: Can anybody come with a creative solution to the "/bin/sh: bad interpreter" problem?
Previous by Thread: Re: pkg_admin audit: false alarm for bash-4.4.012 (CVE-2016-9401)?
Indexes:

Home | Main Index | Thread Index | Old Index