[Clamav-devel] ClamAV® blog: ClamAV 0.102.1 and 0.101.5 patches have been released!

Joel Esler (jesler) jesler at cisco.com
Wed Nov 20 13:32:21 EST 2019 


https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html

ClamAV 0.102.1 and 0.101.5 patches have been released!
Today we are publishing two patch versions, 0.102.1 and 0.101.5.  Both of these can be found on ClamAV's downloads<http://www.clamav.net/downloads> page, with 0.102.1 as the main release and 0.101.5 under "Previous Stable Releases."

0.102.1
ClamAV 0.102.1 is a security patch release to address the following issues.



  *   Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
     *   CVE-2019-15961<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961>:
        *   A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation.
  *   Build system fixes to build clamav-milter, to correctly link with libxml2 when detected, and to correctly detect fanotify for on-access scanning feature support.
  *   Signature load time is significantly reduced by changing to a more efficient algorithm for loading signature patterns and allocating the AC trie. Patch courtesy of Alberto Wu.
  *   Introduced a new configure option to statically link libjson-c with libclamav. Static linking with libjson is highly recommended to prevent crashes in applications that use libclamav alongside another JSON parsing library.
  *   Null-dereference fix in email parser when using the --gen-json metadata option.
  *   Fixes for Authenticode parsing and certificate signature (.crb database) bugs.


Special thanks to the following for code contributions and bug reports:

- Alberto Wu
- Joran Dirk Greef
- Reio Remma

0.101.5
ClamAV 0.101.5 is a security patch release that addresses the following issues.



  *   Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
     *   CVE-2019-15961<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961>:
        *   A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation.
  *   Added the zip scanning improvements found in v0.102.0 where it scans files using zip records from a sorted catalogue which provides deduplication of file records resulting in faster extraction and scan time and reducing the likelihood of alerting on non-malicious duplicate file entries as overlapping files.
  *   Signature load time is significantly reduced by changing to a more efficient algorithm for loading signature patterns and allocating the AC trie. Patch courtesy of Alberto Wu.
  *   Introduced a new configure option to statically link libjson-c with libclamav. Static linking with libjson is highly recommended to prevent crashes in applications that use libclamav alongside another JSON parsing library.
  *   Null-dereference fix in email parser when using the --gen-json metadata option.


Special thanks to the following for code contributions and bug reports:

- Alberto Wu
- Joran Dirk Greef

Please join us on the ClamAV mailing lists<https://www.clamav.net/contact#ml> for further discussion!  Thanks!

More information about the clamav-devel mailing list