> 
> https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html 
> 
> ClamAV 0.101.3 security patch release and 0.102.0-beta have been published
> 
> We are pleased to introduce the ClamAV 0.101.3 security patch release and a 
> beta for the upcoming 0.102 feature release.
> 
> Both of these can be found on ClamAV's downloads site 
> <http://www.clamav.net/downloads>, with 0.101.3 in the "latest stable 
> release" section and 0.102.0-beta in the beta section.
> 
> 0.101.3
> 
> ClamAV 0.101.3 is a patch release to address a vulnerability to non-recursive 
> zip bombs.
> 
> A Denial-of-Service (DoS) vulnerability may occur when scanning a zip bomb as 
> a result of excessively long scan times. The issue is resolved by detecting 
> the overlapping local file headers which characterize the non-recursive zip 
> bomb described by David Fifield.
> 
> Thank you to Hanno Böck for reporting the issue as it relates to ClamAV, here 
> <https://bugzilla.clamav.net/show_bug.cgi?id=12356>.
> 
> Also included in 0.101.3:
> - Update of the bundled libmspack library from 0.8alpha to 0.10alpha, to
>   address a buffer overflow vulnerability in libmspack < 0.9.1α.
> 
> 
> 0.102-beta
> 
> ClamAV 0.102.0 includes an assortment of improvements and a couple of
> significant changes.
>
> Major changes
> 
> The On-Access Scanning feature has been migrated out of clamd and into a 
> brand new utility named clamonacc. This utility is similar to clamdscan and 
> clamav-milter in that it acts as a client to clamd. This separation from 
> clamd means that clamd no longer needs to run with root privileges while 
> scanning potentially malicious files. Instead, clamd may drop privileges to 
> run under an account that does not have super-user. In addition to improving 
> the security posture of running clamd with On-Access enabled, this update 
> fixed a few outstanding defects:
> - On-Access scanning for created and moved files (Extra-Scanning) is fixed.
> - VirusEvent for On-Access scans is fixed.
>
> With clamonacc, it is now possible to copy, move, or remove a file if the
> scan triggered an alert, just like with clamdscan. For details on how to use
> the new clamonacc On-Access scanner, please refer to the user manual on
> ClamAV.net <http://www.clamav.net/documents/>, and keep an eye out for a new
> blog post on the topic.
>
> The freshclam database update utility has undergone a significant update.
> This includes:
> - Added support for HTTPS.
> - Support for database mirrors hosted on ports other than 80.
> - Removal of the mirror management feature (mirrors.dat).
> - An all new libfreshclam library API.
> 
> Notable changes
> 
> - Added support for extracting ESTsoft .egg archives. This feature is new code
>   developed from scratch using ESTsoft's Egg-archive specification and without
>   referencing the UnEgg library provided by ESTsoft. This was necessary because
>   the UnEgg library's license includes restrictions limiting the commercial use
>   of the UnEgg library.
> - The documentation has moved!
>   - Users should navigate to ClamAV.net <http://www.clamav.net/documents/> to
>     view the documentation online.
>   - The documentation will continue to be provided in HTML format with each
>     release for offline viewing in the docs/html directory.
>   - The new home for the documentation markdown is in our ClamAV FAQ Github
>     repository. <https://github.com/Cisco-Talos/clamav-faq>
>
> Other improvements
>
> - Improved Windows executable Authenticode handling, enabling both whitelisting
>   and blacklisting of files based on code-signing certificates. Additional
>   improvements to Windows executable (PE file) parsing. Work courtesy of Andrew
>   Williams.
> - Added support for creating bytecode signatures for Mach-O and ELF executable
>   unpacking. Work courtesy of Jonas Zaddach.
> - Re-formatted the entire ClamAV code-base using clang-format in conjunction
>   with our new ClamAV code style specification. See the clamav.net blog post
>   <https://blog.clamav.net/2019/02/clamav-adopts-clang-format.html> for details.
> - Integrated ClamAV with Google's OSS-Fuzz <https://github.com/google/oss-fuzz>
>   automated fuzzing service with the help of Alex Gaynor. This work has already
>   proven beneficial, enabling us to identify and fix subtle bugs in both legacy
>   code and newly developed code.
> - The clamsubmit tool is now available on Windows.
> - The clamscan metadata feature (--gen-json) is now available on Windows.
> - Significantly reduced number of warnings generated when compiling ClamAV with
>   "-Wall" and "-Wextra" compiler flags and made many subtle improvements to the
>   consistency of variable types throughout the code.
> - Updated the majority of third-party dependencies for ClamAV on Windows. The
>   source code for each has been removed from the clamav-devel repository. This
>   means that these dependencies have to be compiled independently of ClamAV.
>   The added build process complexity is offset by significantly reducing the
>   difficulty of releasing ClamAV with newer versions of those dependencies.
> - During the 0.102 development period, we've also improved our Continuous
>   Integration (CI) processes. Most recently, we added a CI pipeline definition
>   to the ClamAV Git repository. This chains together our build and quality
>   assurance test suites and enables automatic testing of all proposed changes
>   to ClamAV, with customizable parameters to suit the testing needs of any
>   given code change.
> 
> Bug fixes
> 
> - Fix to prevent a possible crash when loading LDB type signature databases and
>   PCRE is not available. Patch courtesy of Tomasz Kojm.
> - Fixes to the PDF parser that will improve PDF malware detection efficacy.
>   Patch courtesy of Clement Lecigne.
> - Fix for regular expression phishing signatures (PDB R-type signatures).
> - Various other bug fixes.
> 
> New Requirements
> 
> - Libcurl has become a hard-dependency. Libcurl enables HTTPS support for
>   freshclam and clamsubmit as well as communication between clamonacc and clamd.
> - Libcurl version >= 7.45 is required when building ClamAV from source with the
>   new On-Access Scanning application (clamonacc). Users on Linux operating
>   systems that package older versions of libcurl (e.g. all versions of CentOS
>   and Debian versions <= 8) have a number of options:
>   - Wait for your package maintainer to provide a newer version of libcurl.
>   - Install a newer version of libcurl from source.
>   - Disable installation of clamonacc and On-Access Scanning capabilities with
>     the ./configure flag --disable-clamonacc.
> 
> Non-Linux users will need to take no actions as they are unaffected by this 
> new requirement.
> 
> Acknowledgements
> 
> The ClamAV team thanks the following individuals for their code submissions:
> - Alex Gaynor
> - Andrew Williams
> - Carlo Landmeter
> - Chips
> - Clement Lecigne
> - Paul Arthur
> - Jonas Zaddach
> - Ørjan Malde
> - Rick Wang
> - Rosen Penev
> - Thomas Jarosch
> - Tomasz Kojm
> 
> Finally, we'd like to thank Joe McGrath for building our quality assurance 
> test suite and for working diligently to ensure knowledge transfer up until 
> his last day on the team. Working with you was a pleasure, Joe, and we wish 
> you the best of luck in your next adventure!  

Attachment: smime.p7s
Description: S/MIME cryptographic signature
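
Added example, not part of the announcement and not ClamAV's code: a Python check for the overlapping local file headers that the 0.101.3 notes name as the mark of a non-recursive zip bomb. It assumes a single-disk, non-Zip64 archive; the function names and the two sample archives (built in memory, one with a single offset rewritten) are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG, CDIR_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def local_entry_spans(data):
    """Return (start, end, name) of the local record each central-directory entry claims."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    spans = []
    for _ in range(count):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("bad central-directory entry")
        (comp_size,) = struct.unpack_from("<I", data, pos + 20)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (lfh,) = struct.unpack_from("<I", data, pos + 42)
        if data[lfh:lfh + 4] != LFH_SIG:
            raise ValueError("entry does not point at a local file header")
        lfh_name_len, lfh_extra_len = struct.unpack_from("<HH", data, lfh + 26)
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        spans.append((lfh, lfh + 30 + lfh_name_len + lfh_extra_len + comp_size, name))
        pos += 46 + name_len + extra_len + comment_len
    return spans

def overlapping_entries(data):
    """Return (earlier, later) name pairs whose local records share bytes."""
    hits, furthest, owner = [], 0, None
    for start, end, name in sorted(local_entry_spans(data)):
        if start < furthest:          # begins inside a record already claimed
            hits.append((owner, name))
        if end > furthest:
            furthest, owner = end, name
    return hits

def build_samples():
    """Constructed inputs: a normal two-file archive and a copy with one offset rewritten."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, fill in (("a.txt", b"A"), ("b.txt", b"B")):
            zf.writestr(zipfile.ZipInfo(name, date_time=(2019, 8, 21, 0, 0, 0)), fill * 100)
    clean = buf.getvalue()
    (cd_off,) = struct.unpack_from("<I", clean, clean.rfind(EOCD_SIG) + 16)
    second = clean.find(CDIR_SIG, cd_off + 4)
    malformed = bytearray(clean)
    struct.pack_into("<I", malformed, second + 42, 0)  # second entry now reuses offset 0
    return clean, bytes(malformed)

if __name__ == "__main__":
    for label, blob in zip(("clean", "malformed"), build_samples()):
        print(label, overlapping_entries(blob))
```

A scanner can run a check of this kind before decompressing anything, so an archive whose entries overlap is rejected at parse time rather than after a long extraction.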
