Read this announcement online at https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html
Today we are publishing updated packages for ClamAV 0.103.7, 0.104.4, and 0.105.1.

Why we updated the installer packages

The ClamAV RPM, DEB, PKG, MSI and ZIP installer packages come with all library dependencies bundled. The updated installer packages resolve the following CVEs:

* CVE-2022-37434 <https://nvd.nist.gov/vuln/detail/CVE-2022-37434> - A critical severity vulnerability in the zlib library.

* CVE-2022-40303 <https://nvd.nist.gov/vuln/detail/CVE-2022-40303> - A high severity vulnerability in the libxml2 library. Note: As of writing, the details of this CVE are not published. However, you can find additional details on other sites <https://www.suse.com/pt-br/security/cve/CVE-2022-40303.html>.

* CVE-2022-40304 <https://nvd.nist.gov/vuln/detail/CVE-2022-40304> - A high severity vulnerability in the libxml2 library. Note: As of writing, the details of this CVE are not published. However, you can find additional details on other sites <https://www.suse.com/pt-br/security/cve/CVE-2022-40304.html>.

Why we updated the 0.105.1 source package

Starting with ClamAV 0.105.1, part of the ClamAV project is written in Rust and depends on Rust libraries. To make it possible for our users to build ClamAV offline, we bundle the Rust dependencies in the source package. There are no CVEs for the Rust libraries bundled in the original 0.105.1 package. However, there are several critical bugs in the JPEG and TIFF image processing libraries in the original 0.105.1 source package. The known issues were resolved in image-tiff version 0.7.4 <https://github.com/image-rs/image-tiff/releases/tag/v0.7.4> and jpeg-decoder version 0.3.0 <https://github.com/image-rs/jpeg-decoder/releases/tag/v0.3.0>. The clamav-0.105.1-2.tar.gz source package includes the updated libraries.

Linux/Unix package maintainers are encouraged to publish new revisions of their own packages for ClamAV 0.105.1 to get these fixes. Anyone who built ClamAV from the original clamav-0.105.1.tar.gz source package is encouraged to reinstall from the newer source package.

Where to find the updated packages

The new packages have a "-2" suffix to indicate the package revision. For example, clamav-0.105.1-2.macos.universal.pkg is the updated package replacing clamav-0.105.1.macos.universal.pkg.

As always, you can get the updated packages from the ClamAV.net Downloads page <https://www.clamav.net/downloads>. The original packages have been hidden on the web page and replaced by the updated packages. If you need the originals, the URLs to download them still work.

What about the Docker images

The official ClamAV docker image has been updated to patch the zlib and libxml2 vulnerabilities. The following tags have been updated to point to the new images:

* clamav/clamav:latest
* clamav/clamav:latest_base
* clamav/clamav:stable
* clamav/clamav:stable_base
* clamav/clamav:0.105
* clamav/clamav:0.105_base
* clamav/clamav:0.105.1
* clamav/clamav:0.105.1_base

Be sure to use docker pull to get the latest version of the image. For example:

    docker pull clamav/clamav:0.105_base

Posted by Micah Snyder <https://www.blogger.com/profile/07798916006145826441> at 3:15 PM <https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html>

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

_______________________________________________
clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml