[clamav-users] OpenSSL Security Advisory [05 Jun 2014]

Shawn Webb swebb at sourcefire.com
Sat Jun 7 18:25:47 UTC 2014


On Sat, Jun 7, 2014 at 3:05 AM, Al Varnell <alvarnell at mac.com> wrote:

> Based on the subject document <
> https://www.openssl.org/news/secadv_20140605.txt> what, if any,
> vulnerabilities are applicable to the ClamAV® scan engine?
>

Hey Al,

Since we use OpenSSL purely for generating hashes, the recent
vulnerabilities regarding OpenSSL do not apply to ClamAV. We also, by
default, dynamically link to OpenSSL. This allows end users and system
administrators to decide their own upgrading schedule. If an end user or
system administrator decides to force ClamAV to statically link in OpenSSL,
ClamAV will need to be recompiled to pull in the updated OpenSSL (just like
any other statically-linked program).

TL;DR: ClamAV is not affected by the recent OpenSSL vulnerability
disclosures.

Thanks,

Shawn


