[clamav-users] [Clamav-devel] ClamAV® blog: ClamAV 0.102.0 Release Candidate is now available
Franky Van Liedekerke
liedekef at telenet.be
Mon Sep 30 11:45:56 UTC 2019
Hi Micah,
While I applaud the re-use of existing components, requiring this
(minimum) version of libcurl will be a problem for redhat/centOS 7
users: everybody is still on RHEL7 (RHEL8 is "just" released and still
lacks support from many vendors).
In RHEL/Centos, clamav is only packaged in EPEL, and EPEL packages
will never include packages that the base OS also provides (in this
case libcurl + libssh2 as a dependancy). This would mean that 0.102
will never be available in RHEL7 (that is here until 2024).
So, maybe a solution could be to include libcurl in the clam distro
itself and build/use a static lib version of that (and not a shared
.so) in case the OS-version of libcurl is not sufficient? If not, EPEL
will never create an rpm for clamav 0.102, and that would leave a lot
of existing users "in the cold" and force them into using an "old"
version.
Franky
PS: I need to rebuild my clamav test-version, so I'll check the
lib-dependancy later on.
Op Vrijdag, 27-09-2019 om 19:16 schreef Micah Snyder (micasnyd) via
clamav-users:
Hi Franky,
Unlike clamdscan, which has the network socket code written by hand,
clamonacc depends on libcurl for all of its network code to
communicate with clamd.
The specific feature that we used which bumps the libcurl version
requirement to 7.45.0 is "CURLINFO_ACTIVESOCKET". See
https://curl.haxx.se/libcurl/c/CURLINFO_ACTIVESOCKET.html for details.
Your clamonacc binary should show a link to libcurl and libcurl's
dependencies. Mine does. Here is the ldd output from one of my
test VMs:
micasnyd at oreos:~/clamav-devel/build/install$ ldd bin/clamonacc
linux-vdso.so.1 (0x00007ffc7bb61000)
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(0x00007f112967a000)
libcurl.so.4 => /usr/lib/x86_64-linux-gnu/libcurl.so.4
(0x00007f11293fb000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f11291dc000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1128deb000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1128be7000)
libnghttp2.so.14 => /usr/lib/x86_64-linux-gnu/libnghttp2.so.14
(0x00007f11289c2000)
libidn2.so.0 => /usr/lib/x86_64-linux-gnu/libidn2.so.0
(0x00007f11287a5000)
librtmp.so.1 => /usr/lib/x86_64-linux-gnu/librtmp.so.1
(0x00007f1128589000)
libpsl.so.5 => /usr/lib/x86_64-linux-gnu/libpsl.so.5
(0x00007f112837b000)
libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1
(0x00007f11280ee000)
libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
(0x00007f1127ea3000)
libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
(0x00007f1127c51000)
liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2
(0x00007f1127a43000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1127826000)
/lib64/ld-linux-x86-64.so.2 (0x00007f1129d93000)
libunistring.so.2 => /usr/lib/x86_64-linux-gnu/libunistring.so.2
(0x00007f11274a8000)
libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30
(0x00007f1127143000)
libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4
(0x00007f1126f0f000)
libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6
(0x00007f1126cd9000)
libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10
(0x00007f1126a58000)
libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3
(0x00007f1126782000)
libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3
(0x00007f1126550000)
libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2
(0x00007f112634c000)
libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0
(0x00007f1126141000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2
(0x00007f1125f26000)
libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2
(0x00007f1125d0b000)
libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3
(0x00007f1125aca000)
libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0
(0x00007f112579b000)
libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6
(0x00007f1125588000)
libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1
(0x00007f1125384000)
libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0
(0x00007f112517b000)
libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26
(0x00007f1124eee000)
libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8
(0x00007f1124c4c000)
libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4
(0x00007f1124a16000)
libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18
(0x00007f1124800000)
libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6
(0x00007f11245f8000)
libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0
(0x00007f11243cf000)
libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1
(0x00007f11241c0000)
libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5
(0x00007f1123f76000)
libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
(0x00007f1123c6d000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1
(0x00007f1123a35000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f1123697000)
-Micah
On 9/27/19, 8:01 AM, "clamav-devel on behalf of Franky Van
Liedekerke" wrote:
I'm replying to this because of the blog entry concerning the
new
version:
CURL (VERSION >= 7.45) REQUIRED FOR INSTALLATION:
This is only relevant if you are installing from source, but
it is
worth noting.
It seems a new curl is needed, even on fully patched rhel7
servers.
While this is not unsolvable, I'm trying to understand why.
Reason for
asking:
- I'm compiling clamd 0.102-rc from source. It refuses to
compile
clamonacc if libcurl is not new enough
- the blog says it is only needed for compilation, but if I
look at
the ldd-output of the binaries after compiling, the clamonacc
binary
has no link to libcurl, but freshclam does
So: why would clamonacc during compilation need libcurl? And
why would
freshclam need such a new curl version (in rhel7 the version
is libcurl-7.29.0-51.el7_6.3.x86_64) to just download some
files?
I can't justify newer clamav version to need to install
non-rhel
libcurl and libssh2 (dependancy) versions on a server just
like that
to my manager ...
With friendly regards,
Franky
Op Maandag, 16-09-2019 om 18:13 schreef Joel Esler (jesler):
https://blog.clamav.net/2019/09/clamav-01020-release-candidate-is-now.html
ClamAV 0.102.0 Release Candidate is now available
Today we are publishing the release candidate for ClamAV
0.102.0
(clamav-0.102.0-rc).
There have been some bug fixes and minor improvements since
the
0.102.0 beta. We do not expect any additional changes
should be
necessarily before publishing the 0.102.0 stable release.
Please take this opportunity to validate that the 0.102.0
release
candidate works for your application and that there are no
major
issues blocking your upgrade to 0.102.0.
Release materials for 0.102.0-rc can be found on the ClamAV's
downloads site.
Release Notes
ClamAV 0.102.0 includes an assortment improvements and a
couple of
significant changes.
Major changes
* The On-Access Scanning feature has been migrated out
of
clamd and into a brand new utility named clamonacc. This
utility is
similar to clamdscan and clamav-milter in that it acts as a
client to
clamd. This separation from clamd means that clamd no longer
needs to
run with root privileges while scanning potentially malicious
files.
Instead, clamd may drop privileges to run under an account
that does
not have super-user. In addition to improving the security
posture of
running clamd with On-Access enabled, this update fixed a few
outstanding defects:
* On-Access scanning for created and moved files
(Extra-Scanning) is fixed.
* VirusEvent for On-Access scans is fixed.
* With clamonacc, it is now possible to copy,
move, or
remove a file if the scan triggered an alert, just like with
clamdscan. For details on how to use the new clamonacc
On-Access
scanner, please refer to the user manual on ClamAV.net, and
keep an
eye out for a new blog post on the topic.
* The freshclam database update utility has undergone
a
significant update. This includes:
* Added support for HTTPS.
* Support for database mirrors hosted on ports
other than
80.
* Removal of the mirror management feature
(mirrors.dat).
* An all new libfreshclam library API.
Notable changes
* Added support for extracting ESTsoft .egg archives.
This
feature is new code developed from scratch using ESTsoft's
Egg-archive
specification and without referencing the UnEgg library
provided by
ESTsoft. This was necessary because the UnEgg library's
license
includes restrictions limiting the commercial use of the UnEgg
library.
* The documentation has moved!
* Users should navigate to ClamAV.net to view the
documentation online.
* The documentation will continue to be provided
in HTML
format with each release for offline viewing in the docs/html
directory.
* The new home for the documentation markdown is
in our
ClamAV FAQ Github repository.
* To remediate future denial of service conditions
caused by
excessive scan times, we introduced a scan time limit. The
default
value is 2 minutes (120000 milliseconds).
To customize the time limit:
* use the clamscan --max-scantime option
* use the clamd MaxScanTime config option
* Libclamav users may customize the time limit using
the
cl_engine_set_num function. For example:
cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME,
time_limit_milliseconds)
Other improvements
* Improved Windows executable Authenticode handling,
enabling
both whitelisting and blacklisting of files based on
code-signing
certificates. Additional improvements to Windows executable
(PE file)
parsing. Work courtesy of Andrew Williams.
* Added support for creating bytecode signatures for
Mach-O
and ELF executable unpacking. Work courtesy of Jonas Zaddach.
* Re-formatted the entire ClamAV code-base using
clang-format
in conjunction with our new ClamAV code style specification.
See the
clamav.net blog post for details.
* Integrated ClamAV with Google's OSS-Fuzz automated
fuzzing
service with the help of Alex Gaynor. This work has already
proven
beneficial, enabling us to identify and fix subtle bugs in
both legacy
code and newly developed code.
* The clamsubmit tool is now available on Windows.
* The clamscan metadata feature (--gen-json) is now
available
on Windows.
* Significantly reduced number of warnings generated
when
compiling ClamAV with "-Wall" and "-Wextra" compiler flags and
made
many subtle improvements to the consistency of variable types
throughout the code.
* Updated the majority of third-party dependencies for
ClamAV
on Windows. The source code for each has been removed from the
clamav-devel repository. This means that these dependencies
have to be
compiled independently of ClamAV. The added build process
complexity
is offset by significantly reducing the difficulty of
releasing ClamAV
with newer versions of those dependencies.
* During the 0.102 development period, we've also
improved our
Continuous Integration (CI) processes. Most recently, we added
a CI
pipeline definition to the ClamAV Git repository. This chains
together
our build and quality assurance test suites and enables
automatic
testing of all proposed changes to ClamAV, with customizable
parameters to suit the testing needs of any given code change.
* Added a new clamav-version.h generated header to
provide
version number macros in text and numerical format for ClamAV,
libclamav, and libfreshclam.
* Improved cross-platform buildability of libxml2.
Work
courtesy of Eneas U de Queiroz with supporting ideas pulled
from the
work of Jim Klimov.
Bug fixes
* Fix to prevent a possible crash when loading LDB
type
signature databases and PCRE is not available. Patch courtesy
of
Tomasz Kojm.
* Fixes to the PDF parser that will improve PDF
malware
detection efficacy. Patch courtesy of Clement Lecigne.
* Fix for regular expression phishing signatures (PDB
R-type
signatures).
* Various other bug fixes.
New Requirements
* Libcurl has become a hard-dependency. Libcurl
enables HTTPS
support for freshclam and clamsubmit as well as communication
between
clamonacc and clamd.
* Libcurl version >= 7.45 is required when building
ClamAV
from source with the new On-Access Scanning application
(clamonacc).
Users on Linux operating systems that package older versions
of
libcurl (e.g. all versions of CentOS and Debian versions
_______________________________________________
clamav-devel mailing list
clamav-devel at lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel
Please submit your patches to our Bugzilla:
http://bugzilla.clamav.net
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20190930/b38fd46b/attachment.htm>
More information about the clamav-users
mailing list