Wednesday, April 17, 2024

ClamAV 1.3.1, 1.2.3, 1.0.6 patch versions published

Today, we are publishing the 1.3.1, 1.2.3, and 1.0.6 security patch versions.

The release files for the patch versions are available for download on the ClamAV downloads page, on the GitHub Release page, and through Docker Hub.

The images on Docker Hub may not be immediately available on release day.

Continue reading to learn what changed in each version.

1.3.1

ClamAV 1.3.1 is a critical patch release with the following fixes:

  • CVE-2024-20380: Fixed a possible crash in the HTML file parser that could cause a denial-of-service (DoS) condition.

    This issue affects version 1.3.0 only and does not affect prior versions.

    Thank you to Błażej Pawłowski for identifying this issue.

  • Updated select Rust dependencies to the latest versions. This resolved Cargo audit complaints and included PNG parser bug fixes.

  • Fixed a bug causing some text to be truncated when converting from UTF-16.

  • Fixed assorted complaints identified by Coverity static analysis.

  • Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam config option to be pruned and then re-downloaded with every update.

  • Added the new 'valhalla' database name to the list of optional databases in preparation for future work.

  • Added symbols to the libclamav.map file to enable additional build configurations.

    Patch courtesy of Neil Wilson.


1.2.3

ClamAV 1.2.3 is a critical patch release with the following fixes:

  • Updated select Rust dependencies to the latest versions. This resolved Cargo audit complaints and included PNG parser bug fixes.

  • Fixed a bug causing some text to be truncated when converting from UTF-16.

  • Fixed assorted complaints identified by Coverity static analysis.

  • Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam config option to be pruned and then re-downloaded with every update.

  • Added the new 'valhalla' database name to the list of optional databases in preparation for future work.

  • Silenced a warning "Unexpected early end-of-file" that occured when scanning some PNG files.


1.0.6

ClamAV 1.0.6 is a critical patch release with the following fixes:

  • Updated select Rust dependencies to the latest versions. This resolved Cargo audit complaints and included PNG parser bug fixes.

  • Fixed a bug causing some text to be truncated when converting from UTF-16.

  • Fixed assorted complaints identified by Coverity static analysis.

  • Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam config option to be pruned and then re-downloaded with every update.

  • Added the new 'valhalla' database name to the list of optional databases in preparation for future work.

  • Silenced a warning "Unexpected early end-of-file" that occured when scanning some PNG files.