Wednesday, April 7, 2021

ClamAV 0.103.2 security patch release

ClamAV 0.103.2 is out now. Users can head over to clamav.net/downloads to download the release materials.

This is a security patch release with the following fixes:

  • CVE-2021-1386: Fix for UnRAR DLL load privilege escalation. Affects 0.103.1 and prior on Windows only.
  • CVE-2021-1252: Fix for Excel XLM parser infinite loop. Affects 0.103.0 and 0.103.1 only.
  • CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. Affects 0.103.0 and 0.103.1 only.
  • CVE-2021-1405: Fix for mail parser NULL-dereference crash. Affects 0.103.1 and prior.
  • Fix possible memory leak in PNG parser.
  • Fix ClamOnAcc scan on file-creation race condition so files are scanned after their contents are written.
  • FreshClam: Deprecate the SafeBrowsing config option. The SafeBrowsing option will no longer do anything. For more details, see our blog post from last year about the future of the ClamAV Safe Browsing database.
    Tip: If creating and hosting your own safebrowsing.gdb database, you can use the DatabaseCustomURL option in freshclam.conf to download it.
  • FreshClam: Improved HTTP 304, 403 and 429 handling.
  • FreshClam: Added the mirrors.dat file back to the database directory.
    This new mirrors.dat file will store:
    • A randomly generated UUID for the FreshClam User-Agent.
    • A retry-after timestamp, so that FreshClam won't try to update after having received an HTTP 429 response until the Retry-After timeout has expired.
  • FreshClam will now exit with a failure in daemon mode if an HTTP 403 (Forbidden) was received because the outcome won't change if it tries again later. The FreshClam user will have to take appropriate action to get unblocked.
  • Fix the FreshClam mirror-sync issue where a downloaded database is "older than the version advertised."
    If a new CVD download gets a version that is older than advertised, FreshClam will keep the older version and retry the update so that the incremental update process (CDIFF patch process) will update to the latest version.

Are you still attempting to download safebrowsing.cvd?

It has come to our attention that a few of you (about 515,000 of you, to be more accurate) are still attempting to download the safebrowsing.cvd file from the official ClamAV mirrors. This tells us that these attempted downloads come from installations of FreshClam (with a non-updated freshclam.conf or other script) that have not been updated to remove the safebrowsing database.

We discontinued the distribution of the SafeBrowsing database in November of 2019, as indicated in our blog post back in June. However, the installations of ClamAV that have not been updated and continue to download safebrowsing.cvd account for nearly 10TB of traffic a month, just for that file.

As a result, we have put in a block so that any attempt to download safebrowsing.cvd results in a 403 error.

Please take a look at your freshclam.conf file. In our upcoming version of ClamAV (0.103.2 and beyond), we have removed all of the code that attempts to download the safebrowsing db from our servers (so you should update). However, for those of you who can't update right away, please find this line:

SafeBrowsing yes

in your freshclam.conf file and comment it out like this:

#SafeBrowsing yes
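
For hosts that can't be upgraded right away, the edit above can be scripted and rolled out with configuration management. This is an added example, not code from the ClamAV project; the function names are hypothetical, and the script assumes it is acceptable to comment out any active SafeBrowsing line (whatever its value) and to tolerate leading whitespace.

```shell
#!/bin/sh
# Added example (not ClamAV code). Function names are hypothetical helpers.

# Print how many active (uncommented) SafeBrowsing lines a config file has.
count_active_safebrowsing() {
    # grep -c prints the count but exits 1 when it is 0, hence "|| true".
    grep -c -E '^[[:space:]]*SafeBrowsing[[:space:]]' "$1" || true
}

# Comment out every active SafeBrowsing line in place, keeping a .bak copy.
# Assumption: any value is commented out, not only "yes", since the option
# no longer does anything in 0.103.2.
disable_safebrowsing() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    if [ "$(count_active_safebrowsing "$conf")" -eq 0 ]; then
        return 0    # nothing to change; the file is left untouched
    fi
    cp -p "$conf" "$conf.bak"
    # Lines that already start with '#' do not match the anchored pattern,
    # so running this twice never produces '##SafeBrowsing'.
    sed -E 's/^([[:space:]]*)(SafeBrowsing[[:space:]].*)$/\1#\2/' \
        "$conf.bak" > "$conf"
}

# Demo on a constructed sample config (not a real system file).
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'DatabaseMirror database.clamav.net' \
        'SafeBrowsing yes' '#SafeBrowsing yes' > "$tmp"
    disable_safebrowsing "$tmp"
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

# Usage: script.sh --demo | script.sh /path/to/freshclam.conf
case "${1:-}" in
    --demo) demo ;;
    "")     : ;;
    *)      disable_safebrowsing "$1" ;;
esac
```

Writing back through a redirect rather than renaming a new file keeps the original file's owner and mode, which matters when freshclam runs as an unprivileged user.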

Thank you for your support of ClamAV!