FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-23 17:01:17 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
68ae70c5-c5e5-11ee-9768-08002784c58d	clamav -- Multiple vulnerabilities The ClamAV project reports: CVE-2024-20290 A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources. CVE-2024-20328 Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command. Discovery 2024-02-07 Entry 2024-02-07 clamav < 1.2.2,1 clamav-lts < 1.0.5,1 CVE-2024-20290 CVE-2024-20328 https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
996518f3-6ef9-11ef-b01b-08002784c58d	clamav -- Multiple vulnerabilities The ClamAV project reports: CVE-2024-20505 A vulnerability in the PDF parsing module of Clam AntiVirus (ClamAV) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an out of bounds read. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. An exploit could allow the attacker to terminate the scanning process. CVE-2024-20506 A vulnerability in the ClamD service module of Clam AntiVirus (ClamAV) could allow an authenticated, local attacker to corrupt critical system files. The vulnerability is due to allowing the ClamD process to write to its log file while privileged without checking if the logfile has been replaced with a symbolic link. An attacker could exploit this vulnerability if they replace the ClamD log file with a symlink to a critical system file and then find a way to restart the ClamD process. An exploit could allow the attacker to corrupt a critical system file by appending ClamD log messages after restart. Discovery 2024-09-04 Entry 2024-09-09 clamav >= 1.3.0,1 lt 1.3.2,1 >= 1.4.0,1 lt 1.4.1,1 clamav-lts >= 1.0.0,1 lt 1.0.6,1 CVE-2024-20505 CVE-2024-20506 https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html

VuXML ID

Description

68ae70c5-c5e5-11ee-9768-08002784c58d

clamav -- Multiple vulnerabilities

The ClamAV project reports:

CVE-2024-20290

A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources.

CVE-2024-20328

Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.

Discovery 2024-02-07
Entry 2024-02-07
clamav

< 1.2.2,1

clamav-lts

< 1.0.5,1

CVE-2024-20290
CVE-2024-20328
https://blog.clamav.net/2023/11/clamav-130-122-105-released.html

996518f3-6ef9-11ef-b01b-08002784c58d

clamav -- Multiple vulnerabilities

The ClamAV project reports:

CVE-2024-20505

A vulnerability in the PDF parsing module of Clam AntiVirus (ClamAV) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an out of bounds read. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. An exploit could allow the attacker to terminate the scanning process.

CVE-2024-20506

A vulnerability in the ClamD service module of Clam AntiVirus (ClamAV) could allow an authenticated, local attacker to corrupt critical system files. The vulnerability is due to allowing the ClamD process to write to its log file while privileged without checking if the logfile has been replaced with a symbolic link. An attacker could exploit this vulnerability if they replace the ClamD log file with a symlink to a critical system file and then find a way to restart the ClamD process. An exploit could allow the attacker to corrupt a critical system file by appending ClamD log messages after restart.

Discovery 2024-09-04
Entry 2024-09-09
clamav

>= 1.3.0,1 lt 1.3.2,1

>= 1.4.0,1 lt 1.4.1,1

clamav-lts

>= 1.0.0,1 lt 1.0.6,1

CVE-2024-20505
CVE-2024-20506
https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html