Wednesday, January 22, 2025

Today, we are publishing the 1.4.2 and 1.0.8 security patch versions. The release files for the patch versions are available for download on the ClamAV downloads page, on the GitHub Release page, and through Docker Hub. The images on Docker Hub may not be immediately available on release day. Continue reading to learn what changed in each version.


1.4.2

ClamAV 1.4.2 is a patch release with the following fixes: 
  • CVE-2025-20128: Fixed a possible buffer overflow read bug in the OLE2 file parser that could cause a denial-of-service (DoS) condition.

    This issue was introduced in version 1.0.0 and affects all currently supported versions. It is fixed in 1.4.2 and 1.0.8.

    Thank you to OSS-Fuzz for identifying this issue.

1.0.8

ClamAV 1.0.8 is a patch release with the following fixes:
  • CVE-2025-20128: Fixed a possible buffer overflow read bug in the OLE2 file parser that could cause a denial-of-service (DoS) condition.

    This issue was introduced in version 1.0.0 and affects all currently supported versions. It is fixed in 1.4.2 and 1.0.8.

    Thank you to OSS-Fuzz for identifying this issue.

  • ClamOnAcc: Fixed an infinite loop when a watched directory does not exist. This is a backport of a fix from ClamAV 1.3.0.

Wednesday, January 8, 2025

We are excited to announce that ClamAV 1.4 is now designated as our latest Long-Term Stable (LTS) release. 

Previously, we planned to announce 1.5 as the next LTS version at the end of 2024. However, unforeseen challenges have delayed the 1.5 release, leading us to choose version 1.4 for long-term support. We apologize for any inconvenience that our delay in the announcement may have caused. The version support dates for ClamAV 1.4 are amended as follows: 

Key Dates: 

  • Initial 1.4 Release Date: August 15, 2024 
  • Patch Versions Continue Until: August 15, 2027 
  • DB Downloads Allowed Until: August 15, 2028 

For specific details, please read the ClamAV EOL Policy.

Looking ahead, the beta version of ClamAV 1.5 will soon be available for community review. This version will focus on resolving FIPS mode compatibility issues for newer distributions, such as Red Hat Enterprise Linux 9. Stay tuned for further updates. 

Thank you for your continued support.