[clamav-users] ClamAV 0.100.1 has been released!

Joel Esler (jesler) jesler at cisco.com
Mon Jul 9 12:55:38 EDT 2018


ClamAV 0.100.1 is a hotfix release to patch a set of vulnerabilities.

• Fixes for the following CVE's:
• CVE-2017-16932: Vulnerability in libxml2 dependency (affects ClamAV on Windows only).  (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16932)
• CVE-2018-0360: HWP integer overflow, infinite loop vulnerability. Reported by Secunia Research at Flexera. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0360)
• CVE-2018-0361: ClamAV PDF object length check, unreasonably long time to parse relatively small file. Reported by aCaB. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0361)
• Fixes for a few additional bugs:
• Buffer over-read in unRAR code due to missing max value checks in table initialization. Reported by Rui Reis.
• Libmspack heap buffer over-read in CHM parser. Reported by Hanno Böck.
• PDF parser bugs reported by Alex Gaynor.
• Buffer length checks when reading integers from non-NULL terminated strings.
• Buffer length tracking when reading strings from dictionary objects.
• HTTPS support for clamsubmit.
• Fix for DNS resolution for users on IPv4-only machines where IPv6 is not available or is link-local only. Patch provided by Guilherme Benkenstein.

Thank you to the following ClamAV community members for your code submissions and bug reports!
• aCaB
• Alex Gaynor
• Guilherme Benkenstein
• Hanno Böck
• Rui Reis
• Laurent Delosieres, Secunia Research at Flexera

Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20180709/2f1682e7/attachment.html>

More information about the clamav-users mailing list