> https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
>
> ClamAV 0.101.4 security patch release has been published
>
> Today we have published the ClamAV 0.101.4 security patch release.
>
> 0.101.4
>
> ClamAV 0.101.4 is a security patch release that addresses the following
> issues.
>
> An out of bounds write was possible within ClamAV's NSIS bzip2 library when
> attempting decompression in cases where the number of selectors exceeded the
> max limit set by the library (CVE-2019-12900). The issue has been resolved by
> respecting that limit.
>
> Thanks to Martin Simmons for reporting the issue here
> <https://bugzilla.clamav.net/show_bug.cgi?id=12371>.
>
> The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE
> identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb
> mitigation was immediately identified. To remediate the zip-bomb scan time
> issue, a scan time limit has been introduced in 0.101.4. This limit now
> resolves ClamAV's vulnerability to CVE-2019-12625.
>
> The default scan time limit is 2 minutes (120000 milliseconds).
>
> To customize the time limit:
> - use the clamscan --max-scantime option
> - use the clamd MaxScanTime config option
>
> Libclamav users may customize the time limit using the cl_engine_set_num
> function. For example:
>
>     cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds)
>
> Thanks to David Fifield for reviewing the zip-bomb mitigation in 0.101.3 and
> reporting the issue.
>
> As usual, ClamAV may be downloaded from <https://www.clamav.net/downloads>,
> and discussion should take place on the ClamAV-Users list
> <https://www.clamav.net/contact#ml>. Thanks!
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
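
The scan time limit described in the quoted announcement only protects a host if the installed version has it and the configuration has not switched it off. The following is an added example, not part of the original message or of the ClamAV project: it checks a version string against 0.101.4 and classifies the MaxScanTime line of a clamd.conf. The function names, the verdict strings and the 600000 ms ceiling are assumptions of this example; that a value of 0 disables the limit comes from the clamd.conf documentation, not from the announcement.

```shell
#!/bin/sh
# Added example: audit the scan time limit introduced in ClamAV 0.101.4.
DEFAULT_MS=120000   # default from the announcement (2 minutes)
CEILING_MS=600000   # local policy ceiling assumed for this example

# Succeeds when the given version string is 0.101.4 or later, i.e. when
# the scan time limit exists at all.
has_scantime_limit() {
    printf '%s\n' "$1" | awk -F. '{
        want[1] = 0; want[2] = 101; want[3] = 4
        for (i = 1; i <= 3; i++) {
            if ($i + 0 > want[i]) exit 0
            if ($i + 0 < want[i]) exit 1
        }
        exit 0
    }'
}

# Reads a clamd.conf on stdin and prints one verdict for MaxScanTime:
#   default:<ms>  option absent or commented out, built-in default applies
#   ok:<ms>       explicit limit within the ceiling
#   too-high:<ms> explicit limit above the local ceiling
#   disabled      value 0, which turns the limit off (clamd.conf docs)
#   invalid       value is not a plain number of milliseconds
#   duplicate     set more than once; which line wins is not assumed here
check_max_scantime() {
    awk -v def="$DEFAULT_MS" -v ceil="$CEILING_MS" '
        $1 == "MaxScanTime" { n++; v = $2 }
        END {
            if (n == 0)                print "default:" def
            else if (n > 1)            print "duplicate"
            else if (v !~ /^[0-9]+$/)  print "invalid"
            else if (v + 0 == 0)       print "disabled"
            else if (v + 0 > ceil + 0) print "too-high:" v
            else                       print "ok:" v
        }'
}

# Constructed sample config (not from a real host): the active line
# switches the limit off, which leaves the zip-bomb scan time issue open.
printf '%s\n' '# MaxScanTime 120000' 'LogTime yes' 'MaxScanTime 0' |
    check_max_scantime
```

To audit a real host, feed the function the configuration file on standard input, for example `check_max_scantime < /path/to/clamd.conf`, and treat `disabled`, `too-high`, `invalid` and `duplicate` as findings to review.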