Debian Security Advisory

DLA-2626-1 clamav -- LTS security update

Date Reported:
14 Apr 2021
Affected Packages:
clamav
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 986622, Bug 986790.
In Mitre's CVE dictionary: CVE-2021-1405.
More information:

A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) Software version 0.103.1 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper variable initialization that may result in a NULL pointer read. An attacker could exploit this vulnerability by sending a crafted email to an affected device. A successful exploit could cause the ClamAV scanning process to crash, resulting in a denial of service condition.

For Debian 9 stretch, this problem has been fixed in version 0.102.4+dfsg-0+deb9u2.

We recommend that you upgrade your clamav packages.

For the detailed security status of clamav please refer to its security tracker page at: https://security-tracker.debian.org/tracker/clamav

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS