https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html
ClamAV 0.100.1 is a hotfix release to patch a set of vulnerabilities.

• Fixes for the following CVEs:
  • CVE-2017-16932: Vulnerability in libxml2 dependency (affects ClamAV on Windows only). (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16932)
  • CVE-2018-0360: HWP integer overflow, infinite loop vulnerability. Reported by Secunia Research at Flexera. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0360)
  • CVE-2018-0361: ClamAV PDF object length check, unreasonably long time to parse relatively small file. Reported by aCaB. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0361)
• Fixes for a few additional bugs:
  • Buffer over-read in unRAR code due to missing max value checks in table initialization. Reported by Rui Reis.
  • Libmspack heap buffer over-read in CHM parser. Reported by Hanno Böck.
  • PDF parser bugs reported by Alex Gaynor.
    • Buffer length checks when reading integers from non-NULL terminated strings.
    • Buffer length tracking when reading strings from dictionary objects.
• HTTPS support for clamsubmit.
• Fix for DNS resolution for users on IPv4-only machines where IPv6 is not available or is link-local only. Patch provided by Guilherme Benkenstein.

Thank you to the following ClamAV community members for your code submissions and bug reports!

• aCaB
• Alex Gaynor
• Guilherme Benkenstein
• Hanno Böck
• Rui Reis
• Laurent Delosieres, Secunia Research at Flexera

--
Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com