-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AMaViS Security Announcement

Date:                2004-10-25
affected version(s): amavis, amavisd, amavisd-new, amavis-ng
Vulnerability:       Bypass of malicious code due to manipulated ZIP files
Priority:            urgent
Solution:            update to Archive::Zip v1.14
References:          http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities
Author:              Rainer Link
Advisory ID:         ASA-2004-6
Contact:             security@amavis.org
WWW:                 http://www.amavis.org/security/
- -----------------------------------------------------------------------------

1. Problem description

iDefense reported a possible bypass of malicious code by creating
specially crafted ZIP files.

2. Impact

Bypass of malicious code

3. Solution

We strongly encourage you to update to Archive::Zip v1.14, which fixes
this issue.

4. Acknowledgement

I'd like to thank iDefense for the report, Ned Konz for fixing this issue
in Archive::Zip v1.14, and Mark Martinec for the co-ordination inside the
AMaViS team.

5. References

http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities
http://rt.cpan.org/NoAuth/Bug.html?id=8077
http://search.cpan.org/search%3fmodule=Archive::Zip

6. Revision History

2004-10-25: Initial release
2004-10-26: fixed version number

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBfrHlmxoFTBO0QHkRAiv+AJ9SRDGZ8SJuhzdMbH0+0R8YrXhPnwCeNy/Q
lzmxD1jhsnxKGjVgz7QejpI=
=L+2Y
-----END PGP SIGNATURE-----