Hi all,
I have just checked the change logs for the latest versions of zlib and libxml2 that I am building and they include fixes to the vulnerabilities flagged up in the clamav-0.105.1 announcement.
The vulnerability for zlib was already fixed in CU171 with the two patch files that Peter added. This patch set has now been integrated into the latest zlib.
The vulnerabilities for libxml2 have fixes for both CVEs in the latest version of libxml2 that was released on October 14th. Both of the CVEs are listed on the CVE website as reserved but with no details, but clearly the info has been circulated to the zlib and libxml2 developers and fixes were made a while ago.
Not sure how to find out if CVEs have been raised on packages that IPFire is using so we can use any fixes developed as soon as possible. I knew about the issues with zlib and libxml2 because I saw the announcement of the clamav-0.105.1 release.
Anyway, good news: the patches I will submit soon will contain the fixes to the CVEs mentioned in the clamav announcement.
Regards,
Adolf.