[clamav-users] ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL
Jaspal Singh Sandhu
jsandhu2204 at gmail.com
Thu Jan 13 19:01:24 UTC 2022
Awesome
On Thu, Jan 13, 2022 at 10:31 AM Micah Snyder (micasnyd) <micasnyd at cisco.com>
wrote:
> Hi Jaspal,
>
> There was an issue with the release steps and the Docker image was missed
> yesterday.
> It has been fixed and the 0.104.2 image is now up on Docker Hub.
>
> 0.104.2:
> https://registry.hub.docker.com/layers/clamav/clamav/0.104.2/images/sha256-7177e1771bd696f9ff5acb97221107ab7d8961b1ab3b370cd1e24bf66cf02fe1?context=explore
>
> 0.104.2_base:
> https://registry.hub.docker.com/layers/clamav/clamav/0.104.2_base/images/sha256-8aea3e0f684f50402bd10456045eb3a3ad2772ecda99739100da9345b068e25c?context=explore
>
> The 0.104 / 0.104_base and latest / latest_base tags also point to the
> same 0.104.2 and 0.104.2_base images.
>
> Thanks for pointing out the issue! Please reach out again if there is
> anything else.
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> ------------------------------
> *From:* Jaspal Singh Sandhu <jsandhu2204 at gmail.com>
> *Sent:* Thursday, January 13, 2022 9:13 AM
> *To:* ClamAV users ML <clamav-users at lists.clamav.net>
> *Cc:* ClamAV Announcements ML <clamav-announce at lists.clamav.net>; ClamAV
> Development <clamav-devel at lists.clamav.net>; Micah Snyder (micasnyd) <
> micasnyd at cisco.com>
> *Subject:* Re: [clamav-users] ClamAV 0.103.5 and 0.104.2 security patch
> release; 0.102 past EOL
>
> Hi,
>
> We are using Docker Image for 1.104 version at Roberthalf. Is that image
> updated too with this patch?
> Thanks,
>
> Jaspal Sandhu
>
>
> On Wed, Jan 12, 2022 at 12:13 PM Micah Snyder (micasnyd) via clamav-users <
> clamav-users at lists.clamav.net> wrote:
>
> Find this announcement online at:
> https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html
>
>
> ClamAV versions 0.103.5 and 0.104.2 are now available for download on the clamav.net
> Downloads page <https://www.clamav.net/downloads>.
>
>
> We would also like to take this opportunity to remind users that versions
> 0.102 and 0.101 have reached their end-of-life period. *These versions
> exceeded our EOL dates on Jan. 3, 2022 and will soon be actively blocked
> from downloading signature database updates.*
>
>
> For additional details about ClamAV's end-of-life policy, please see our
> online documentation <https://docs.clamav.net/faq/faq-eol.html>.
>
>
> 0.103.5
>
> ClamAV 0.103.5 is a critical patch release with the following fixes:
>
> - CVE-2022-20698
>   <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>: Fix
>   for invalid pointer read that may cause a crash. This issue affects
>   0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the
>   CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json
>   option) is enabled.
>
>   Cisco would like to thank Laurent Delosieres of ManoMano for reporting
>   this vulnerability.
>
> - Fixed ability to disable the file size limit with libclamav C API,
>   like this:
>
>       cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);
>
>   This issue didn't affect ClamD or ClamScan which also can disable the
>   limit by setting it to zero using MaxFileSize 0 in clamd.conf for
>   ClamD, or clamscan --max-filesize=0 for ClamScan.
>
>   Note: Internally, the max file size is still set to 2 GiB. Disabling
>   the limit for a scan will fall back on the internal 2 GiB limitation.
>
> - Increased the maximum line length for ClamAV config files from 512
>   bytes to 1,024 bytes to allow for longer config option strings.
>
> - SigTool: Fix insufficient buffer size for --list-sigs that caused a
>   failure when listing a database containing one or more very long
>   signatures. This fix was backported from 0.104.
>
> Special thanks to the following for code contributions and bug reports:
>
> - Laurent Delosieres
>
> 0.104.2
>
> ClamAV 0.104.2 is a critical patch release with the following fixes:
>
> - CVE-2022-20698
>   <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>: Fix
>   for invalid pointer read that may cause a crash. Affects 0.104.1, 0.103.4
>   and prior when ClamAV is compiled with libjson-c and the
>   CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json
>   option) is enabled.
>
>   Cisco would like to thank Laurent Delosieres of ManoMano for reporting
>   this vulnerability.
>
> - Fixed ability to disable the file size limit with libclamav C API,
>   like this:
>
>       cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);
>
>   This issue didn't impact ClamD or ClamScan which also can disable the
>   limit by setting it to zero using MaxFileSize 0 in clamd.conf for
>   ClamD, or clamscan --max-filesize=0 for ClamScan.
>
>   Note: Internally, the max file size is still set to 2 GiB. Disabling
>   the limit for a scan will fall back on the internal 2 GiB limitation.
>
> - Increased the maximum line length for ClamAV config files from 512
>   bytes to 1,024 bytes to allow for longer config option strings.
>
> Special thanks to the following for code contributions and bug reports:
>
> - Laurent Delosieres
>
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
Thanks,
Jaspal Sandhu
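
A fleet-triage sketch for the versions named in the announcement quoted above, added here as an example; it is not part of the thread or of ClamAV's own code. The banner shape, the `triage` helper, the host names and the sample banners are assumptions constructed for illustration.

```python
import re

# Fixed releases and EOL branches are taken from the announcement quoted above.
FIXED_0103 = (0, 103, 5)
FIXED_0104 = (0, 104, 2)
LAST_EOL_BRANCH = (0, 102)  # 0.102 and 0.101 are named; older branches assumed EOL too

# Assumed banner shape: "ClamAV <version>[/<db version>/<db date>]"
_BANNER = re.compile(r"ClamAV (\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Return (major, minor, patch) from a `clamscan --version` banner."""
    match = _BANNER.search(banner)
    if match is None:
        raise ValueError(f"not a ClamAV version banner: {banner!r}")
    return tuple(int(part or 0) for part in match.groups())


def triage(banner):
    """Classify one host against the announcement (hypothetical helper)."""
    version = parse_version(banner)
    # "0.104.1, 0.103.4 and prior": everything below 0.103.5, plus 0.104.0-0.104.1.
    needs_patch = version < FIXED_0103 or (0, 104, 0) <= version < FIXED_0104
    eol = version[:2] <= LAST_EOL_BRANCH
    if eol:
        action = "move to a supported branch"
    elif needs_patch:
        target = FIXED_0104 if version[:2] == (0, 104) else FIXED_0103
        action = "upgrade to " + ".".join(map(str, target))
    else:
        action = "none"
    return {"version": version, "needs_patch": needs_patch, "eol": eol, "action": action}


# Constructed sample banners, one per host (not real inventory data).
SAMPLE_BANNERS = {
    "mail-gw": "ClamAV 0.103.4/26420/Wed Jan 12 09:21:15 2022",
    "scanner": "ClamAV 0.104.1/26420/Wed Jan 12 09:21:15 2022",
    "legacy": "ClamAV 0.102.4/26420/Wed Jan 12 09:21:15 2022",
    "docker": "ClamAV 0.104.2/26421/Thu Jan 13 09:24:02 2022",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(host, triage(banner))
```

The version comparison is a coarse filter: per the announcement, CVE-2022-20698 only applies to builds compiled with libjson-c and running with the CL_SCAN_GENERAL_COLLECT_METADATA option (clamscan --gen-json) enabled.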