Hi,

> > The zip bomb vulnerability mitigated in 0.101.3 has been assigned the
> > CVE identifier CVE-2019-12625. Unfortunately, a workaround for the
> > zip-bomb mitigation was immediately identified. To remediate the zip-bomb
> > scan time issue, a scan time limit has been introduced in 0.101.4. This
> > limit now resolves ClamAV's vulnerability to CVE-2019-12625.
> >
> > The default scan time limit is 2 minutes (120000 milliseconds).
> >
> > To customize the time limit:
> > - use the clamscan --max-scantime option
> > - use the clamd MaxScanTime config option
> >
> > Libclamav users may customize the time limit using the cl_engine_set_num
> > function. For example:
> >
> > C
> > cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME,
> > time_limit_milliseconds)
> >
> > Thanks to David Fifield for reviewing the zip-bomb mitigation in
> > 0.101.3 and reporting the issue.
> > https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

Great! Is anybody working on 0.101.4 updates for stretch/buster? I plan to
backport the update to jessie after that.
regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-clamav-devel
