Monday, June 15, 2020

ClamAV has provided a signature database using Google's Safebrowsing API to provide advanced protection against emails with links to suspicious websites.

As of Nov. 11, 2019, we have stopped updating the Safebrowsing signature database because Google announced changes to their Safebrowsing API terms of service.

Google now requires commercial users to use the Google Web Risk API, a for-profit feature, instead of the Safebrowsing API. Though ClamAV itself is free and open-source, we cannot continue to provide Google Safebrowsing data to the general public.

Today, we're pleased to open-source a new tool for users to generate their own safebrowsing signature databases using their personal Safebrowsing API credentials for use in accordance with the policies of the Safebrowsing API user agreement.

Please check out the clamav-safebrowsing repository on Github to get started.

Tuesday, May 12, 2020

Today, we're publishing ClamAV, version 0.102.3. Navigate to ClamAV's downloads page to download the release materials.

ClamAV 0.102.3

ClamAV 0.102.3 is a bug patch release to address the following issues.
  • CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.
  • CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash. OSS-Fuzz discovered this vulnerability.
  • Fixed "Attempt to allocate 0 bytes" error when parsing some PDF documents.
  • Fixed a couple of minor memory leaks.
  • Updated libclamunrar to UnRAR 5.9.2.
Please join us on the ClamAV mailing lists, on in #clamav, or on Discord for further discussion. Thanks!

Monday, February 17, 2020

Attn: ClamAV users, we will be upgrading our version of bugzilla on Wednesday, February 19th, at 8:00 EST.

 The impact should be minimal, and should take no longer than a couple hours.

We will notify you when it is back up. Thank you for your patience.

Wednesday, February 5, 2020

Today, we're publishing 0.102.2. Navigate to ClamAV's downloads page to download the release materials.


ClamAV 0.102.2 is a security patch release to address the following issues.
  • CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.
  • Significantly improved the scan speed of PDF files on Windows.
  • Re-applied a fix to alleviate file access issues when scanning RAR files in downstream projects that use libclamav where the scanning engine is operating in a low-privilege process. This bug was originally fixed in 0.101.2 and the fix was mistakenly omitted from 0.102.0.
  • Fixed an issue where freshclam failed to update if the database version downloaded is one version older than advertised. This situation may occur after a new database version is published. The issue affected users downloading the whole CVD database file.
  • Changed the default freshclam ReceiveTimeout setting to 0 (infinite). The ReceiveTimeout had caused needless database update failures for users with slower internet connections.
  • Correctly display the number of kilobytes (KiB) in progress bar and reduced the size of the progress bar to accommodate 80-character width terminals.
  • Fixed an issue where running freshclam manually causes a daemonized freshclam process to fail when it updates because the manual instance deletes the temporary download directory. The freshclam temporary files will now download to a unique directory created at the time of an update instead of using a hardcoded directory created/destroyed at the program start/exit.
  • Fix for freshclam's OnOutdatedExecute config option.
  • Fixes a memory leak in the error condition handling for the email parser.
  • Improved bound checking and error handling in ARJ archive parser.
  • Improved error handling in PDF parser.
  • Fix for memory leak in byte-compare signature handler.
  • Updates to the unit test suite to support libcheck 0.13.
  • Updates to support autoconf 2.69 and automake 1.15.
Special thanks to the following people for code contributions and bug reports:

  •     Antoine Deschênes
  •     Eric Lindblad
  •     Gianluigi Tiesi
  •     Tuomo Soini

Please join us on the ClamAV mailing lists for further discussion. Thanks!