Upstream clamav version 0.95 fixes few security issues: CVE-2008-6680: libclamav/pe.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error. Upstream bug: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1335 Upstream fix: svn diff -c 4980 http://svn.clamav.net/svn/clamav-devel/ CVE-2009-1270: libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (infinite loop) via a crafted file that causes (1) clamd and (2) clamscan to hang. Upstream bug: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1462 Upstream fix: svn diff -c 4981 http://svn.clamav.net/svn/clamav-devel/
For the sake of completeness... 0.95 also fixes following RAR check bypass, though RAR code is removed from Fedora build due to licensing resons. CVE-2009-1241: Unspecified vulnerability in ClamAV before 0.95 allows remote attackers to bypass detection of malware via a modified RAR archive. Upstream bug: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1467 Upstream fix: svn diff -c 4977 http://svn.clamav.net/svn/clamav-devel/ Reference: http://blog.zoller.lu/2009/04/clamav-094-and-below-evasion-and-bypass.html
Both CVE-2008-6680 and CVE-2009-1270 exist also in the oldest clamav version currently shipped - 0.93.3 in F9.
1963 (clamav): Build on target fedora-5-epel succeeded. 1965 (clamav): Build on target fedora-4-epel succeeded.
Only Fedora 10 (0.94.2) is still affected by this issue; Fedora 11 has 0.95.2 and EPEL has 0.95.1.