Friday, November 22, 2019

This serves as notice that we are planning on publishing a new main.cvd and a cdiff Monday, November 25, 2019.

In the past we notified our mirror maintainers to let them know it was going to be a hit on their bandwidth, but now that we have a CDN, the effect should be minimal.  However, we still wanted to give our end users a heads up just in case any questions come up around why ClamAV is taking a bit longer to reload that particular update.

After that update restarts and reloads should happen much faster, and the daily downloads will again shrink.

Wednesday, November 20, 2019

Today we are publishing two patch versions, 0.102.1 and 0.101.5.  Both of these can be found on ClamAV's downloads page, with 0.102.1 as the main release and 0.101.5 under "Previous Stable Releases."

0.102.1

ClamAV 0.102.1 is a security patch release to address the following issues.


  • Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
    • CVE-2019-15961:
      • A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation. Reported by Joran Dirk Greef, Ronomon, Cape Town
  • Build system fixes to build clamav-milter, to correctly link with libxml2 when detected, and to correctly detect fanotify for on-access scanning feature support.
  • Signature load time is significantly reduced by changing to a more efficient algorithm for loading signature patterns and allocating the AC trie. Patch courtesy of Alberto Wu.
  • Introduced a new configure option to statically link libjson-c with libclamav. Static linking with libjson is highly recommended to prevent crashes in applications that use libclamav alongside another JSON parsing library.
  • Null-dereference fix in email parser when using the --gen-json metadata option.
  • Fixes for Authenticode parsing and certificate signature (.crb database) bugs.


Special thanks to the following for code contributions and bug reports:

- Alberto Wu
- Joran Dirk Greef
- Reio Remma

0.101.5

ClamAV 0.101.5 is a security patch release that addresses the following issues.


  • Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
    • CVE-2019-15961:
      • A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation.
  • Added the zip scanning improvements found in v0.102.0 where it scans files using zip records from a sorted catalogue which provides deduplication of file records resulting in faster extraction and scan time and reducing the likelihood of alerting on non-malicious duplicate file entries as overlapping files.
  • Signature load time is significantly reduced by changing to a more efficient algorithm for loading signature patterns and allocating the AC trie. Patch courtesy of Alberto Wu.
  • Introduced a new configure option to statically link libjson-c with libclamav. Static linking with libjson is highly recommended to prevent crashes in applications that use libclamav alongside another JSON parsing library.
  • Null-dereference fix in email parser when using the --gen-json metadata option.


Special thanks to the following for code contributions and bug reports:

- Alberto Wu
- Joran Dirk Greef

Please join us on the ClamAV mailing lists for further discussion!  Thanks!