From nobody Thu Feb 08 05:30:09 2024 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TVltT3dscz58xS0; Thu, 8 Feb 2024 05:30:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4TVltT38Q8z46ZP; Thu, 8 Feb 2024 05:30:09 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1707370209; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7HofEiON4TtkQ5c27BPQ1Edm5+ZJ3JZB+zc9Fi7Z88Q=; b=UEJV39Bmt/gPzmXvkQC0QkEGWM4k9E8IYQ8IJJWwZmh9426xjyoCSN64M8P29GPU2WOQaQ CsK1I+85YK+vr90/x1FtUfhXOpLTc6gqrV3Twcyh84spznJWQaOejczOxA1x4AERG1yRRW J+FXlopbtU2eXtLs1OJJcTg72TbpE+dx1qhwG6mS+Hjo2KBhfULZpJuXA3BfMRkgEvydTn H47ZvSoX2DCNTrvfevLaVjYiQjPFkAwX+KOQpou47oPa18BSxjA80adSpBXSxd2+6uj6QI aeJPhgrbjFAtRqd89LgtkCQXvxU3rRkV4jDSyUkBrYhSxSwGlE5ALF1oKIBgag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1707370209; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7HofEiON4TtkQ5c27BPQ1Edm5+ZJ3JZB+zc9Fi7Z88Q=; b=d1usqNC7NDr+2GLlLZHC4X/Yu3jh4LAkd3b3Aywj6k1ChwweFEArRYALwGiWxTL54pJl+6 9m736pV9xaZ8ri52F/6BZnL3Jz43pmwQwTl6lIRbTOfkgCVSZHjWyOo8/h0RK/gOZf4eEa hzJqTiXhEJcBIIQYG+hY7nz3A4X7uv+qds0chuvS0qofLnPTnBfOTjYAhfoT1+af1rg2ZZ VgKOyemFvHWrnuqRq5FaSKaq1s/KS4LkGEs0fk8Sah/W8NXj/d9akdyiXHVoz3N23t05+/ 4mZmaitd00zZDzAYf7F+d+EkxKxwKS0EjKuIvl0y7MWjiliSBxcowahoLul+3A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1707370209; a=rsa-sha256; cv=none; b=u3RLU0CsAKIgEdFp3hdLbAlXyto4qcs9QBRo8w3RWGG3qG2pnwfQ9KEWIaHqZHxpbJe+Mp lk5bjL70XtYljrQiOGF9/NGUQ3RRhIFCidMLmzSvByKtv7NSEZNPsO+i//5eWKRTGihz9P Hft0glLQSGUMNp3FZwQW1IdSc+AGMTLZgONWhb8ACsIYEhtTPGLcYjWFy2Ewt3MRr5eBnr /UVCSq/XaOj2BG+FE5YFfHiDwiq1w8ULysjqAmxuEj1OV5X5rgCsOdHGO8ID+Q6vehmR46 z1tO0gyjh6+z0AMVAAAzf9e4/fFIfrEG2iRqhMxw5S6OovXpSv7HUqP2pH1DWg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4TVltT2Cvdzd8t; Thu, 8 Feb 2024 05:30:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 4185U9Zi000238; Thu, 8 Feb 2024 05:30:09 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 4185U927000233; Thu, 8 Feb 2024 05:30:09 GMT (envelope-from git) Date: Thu, 8 Feb 2024 05:30:09 GMT Message-Id: <202402080530.4185U927000233@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Yasuhiro Kimura Subject: git: 22073304c7a8 - main - security/vuxml: Document multiple vulnerabilities in clamav List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: yasu X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 22073304c7a88d8cb06667d73d2385a6b21da91e Auto-Submitted: auto-generated The branch main has been updated by yasu: URL: https://cgit.FreeBSD.org/ports/commit/?id=22073304c7a88d8cb06667d73d2385a6b21da91e commit 22073304c7a88d8cb06667d73d2385a6b21da91e Author: Yasuhiro Kimura AuthorDate: 2024-02-07 23:16:11 +0000 Commit: Yasuhiro Kimura CommitDate: 2024-02-08 05:18:12 +0000 security/vuxml: Document multiple vulnerabilities in clamav --- security/vuxml/vuln/2024.xml | 58 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index fa21c5d8aeb8..4bb0b9c5e77d 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,61 @@ + + clamav -- Multiple vulnerabilities + + + clamav + 1.2.2,1 + + + clamav-lts + 1.0.5,1 + + + + +

The ClamAV project reports:

+
+
+
CVE-2024-20290
+
+ A vulnerability in the OLE2 file format parser of ClamAV + could allow an unauthenticated, remote attacker to cause + a denial of service (DoS) condition on an affected + device. This vulnerability is due to an incorrect check + for end-of-string values during scanning, which may + result in a heap buffer over-read. An attacker could + exploit this vulnerability by submitting a crafted file + containing OLE2 content to be scanned by ClamAV on an + affected device. A successful exploit could allow the + attacker to cause the ClamAV scanning process to + terminate, resulting in a DoS condition on the affected + software and consuming available system resources. +
+
CVE-2024-20328
+
+ Fixed a possible command injection vulnerability in the + "VirusEvent" feature of ClamAV's ClamD + service. To fix this issue, we disabled the '%f' format + string parameter. ClamD administrators may continue to + use the `CLAM_VIRUSEVENT_FILENAME` environment variable, + instead of '%f'. But you should do so only from within + an executable, such as a Python script, and not directly + in the clamd.conf "VirusEvent" command. +
+
+
+ +
+ + CVE-2024-20290 + CVE-2024-20328 + https://blog.clamav.net/2023/11/clamav-130-122-105-released.html + + + 2024-02-07 + 2024-02-07 + +
+ Django -- multiple vulnerabilities