Read this online at 
https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html


Today, we are publishing the 1.4.1, 1.3.2, 1.0.7, and 0.103.12 security patch 
versions.

The release files for the patch versions are available for download on the 
ClamAV downloads page<https://www.clamav.net/downloads>, on the GitHub Release 
page<https://github.com/Cisco-Talos/clamav/releases>, and (with exception to 
0.103.12) through Docker Hub<https://hub.docker.com/r/clamav/clamav/>.

The images on Docker Hub may not be immediately available on release day.

Continue reading to learn what changed in each version.

1.4.1
ClamAV 1.4.1 is a critical patch release with the following fixes:

  *   CVE-2024-20506<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506>:
      Changed the logging module to disable following symlinks on Linux and Unix
      systems, so as to prevent an attacker with existing access to the 'clamd' or
      'freshclam' services from using a symlink to corrupt system files.
      This issue affects all currently supported versions. It will be fixed in:
     *   1.4.1
     *   1.3.2
     *   1.0.7
     *   0.103.12
      Thank you to Detlef for identifying this issue.
  *   CVE-2024-20505<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505>:
      Fixed a possible out-of-bounds read bug in the PDF file parser that could cause
      a denial-of-service (DoS) condition.
      This issue affects all currently supported versions. It will be fixed in:
     *   1.4.1
     *   1.3.2
     *   1.0.7
     *   0.103.12
      Thank you to OSS-Fuzz for identifying this issue.
  *   Removed unused Python modules from the freshclam tests, including the
      deprecated 'cgi' module, which is expected to cause test failures in
      Python 3.13.

1.3.2
ClamAV 1.3.2 is a patch release with the following fixes:

  *   CVE-2024-20506<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506>:
      Changed the logging module to disable following symlinks on Linux and Unix
      systems, so as to prevent an attacker with existing access to the 'clamd' or
      'freshclam' services from using a symlink to corrupt system files.
      This issue affects all currently supported versions. It will be fixed in:
     *   1.4.1
     *   1.3.2
     *   1.0.7
     *   0.103.12
      Thank you to Detlef for identifying this issue.
  *   CVE-2024-20505<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505>:
      Fixed a possible out-of-bounds read bug in the PDF file parser that could cause
      a denial-of-service (DoS) condition.
      This issue affects all currently supported versions. It will be fixed in:
     *   1.4.1
     *   1.3.2
     *   1.0.7
     *   0.103.12
      Thank you to OSS-Fuzz for identifying this issue.
  *   Removed unused Python modules from the freshclam tests, including the
      deprecated 'cgi' module, which is expected to cause test failures in
      Python 3.13.
  *   Fixed a unit test failure caused by an expiring signing certificate.
     *   Backport of GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1305>
  *   Fixed a build issue on Windows with newer versions of Rust. Also upgraded
      GitHub Actions imports to fix CI failures. Fixes courtesy of liushuyu.
     *   Backport of GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1307>
  *   Fixed an unaligned pointer dereference issue on select architectures. Fix
      courtesy of Sebastian Andrzej Siewior.
     *   Backport of GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1293>
  *   Fixes to the Jenkins CI pipeline.

For details, see GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1330>

1.0.7
ClamAV 1.0.7 is a patch release with the following fixes:

  *   CVE-2024-20506<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506>:
      Changed the logging module to disable following symlinks on Linux and Unix
      systems, so as to prevent an attacker with existing access to the 'clamd' or
      'freshclam' services from using a symlink to corrupt system files.
      This issue affects all currently supported versions. It will be fixed in:
     *   1.4.1
     *   1.3.2
     *   1.0.7
     *   0.103.12
      Thank you to Detlef for identifying this issue.
  *   CVE-2024-20505<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505>:
      Fixed a possible out-of-bounds read bug in the PDF file parser that could cause
      a denial-of-service (DoS) condition.
      This issue affects all currently supported versions. It will be fixed in:
     *   1.4.1
     *   1.3.2
     *   1.0.7
     *   0.103.12
      Thank you to OSS-Fuzz for identifying this issue.
  *   Removed unused Python modules from the freshclam tests, including the
      deprecated 'cgi' module, which is expected to cause test failures in
      Python 3.13.
  *   Fixed a unit test failure caused by an expiring signing certificate.
     *   Backport of GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1305>
  *   Fixed a build issue on Windows with newer versions of Rust. Also upgraded
      GitHub Actions imports to fix CI failures. Fixes courtesy of liushuyu.
     *   Backport of GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1307>
  *   Fixed an unaligned pointer dereference issue on select architectures. Fix
      courtesy of Sebastian Andrzej Siewior.
     *   Backport of GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1293>
  *   Fixes to the Jenkins CI pipeline.

For details, see GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1331>

0.103.12
ClamAV 0.103.12 is a patch release with the following fixes:

  *   CVE-2024-20506<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506>:
      Changed the logging module to disable following symlinks on Linux and Unix
      systems, so as to prevent an attacker with existing access to the 'clamd' or
      'freshclam' services from using a symlink to corrupt system files.
      This issue affects all currently supported versions. It will be fixed in:
     *   1.4.1
     *   1.3.2
     *   1.0.7
     *   0.103.12
      Thank you to Detlef for identifying this issue.
  *   CVE-2024-20505<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505>:
      Fixed a possible out-of-bounds read bug in the PDF file parser that could cause
      a denial-of-service (DoS) condition.
      This issue affects all currently supported versions. It will be fixed in:
     *   1.4.1
     *   1.3.2
     *   1.0.7
     *   0.103.12
      Thank you to OSS-Fuzz for identifying this issue.
  *   ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.
     *   GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1198>
  *   Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam config
      option to be pruned and then re-downloaded with every update. Also added the
      new 'valhalla' database name to the list of optional databases in preparation
      for future work.
     *   Backport of GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1233>
  *   Fixed an unaligned pointer dereference issue on select architectures. Fix
      courtesy of Sebastian Andrzej Siewior.
     *   Backport of GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1293>
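The CVE-2024-20506 entry in each of the four sections above describes the same
hardening: the logger no longer follows a symlink placed at the log path. The
following C program is an added illustration of that pattern in general, not
ClamAV's own logging code, and it does not reproduce the ClamAV fix (see the
linked releases for that). It contrasts a plain open() with one that passes
O_NOFOLLOW and then checks the opened file with fstat(), and it runs a
self-test in a scratch directory under /tmp (a constructed setup). The
function names, the scratch paths and the 0640 mode are assumptions of this
example; it needs a POSIX system with O_NOFOLLOW (Linux, macOS, the BSDs).

```c
/* Added example (not ClamAV's code): open a log file without following a
 * symlink at the log path. _GNU_SOURCE exposes mkdtemp()/symlink() on glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before" pattern: a plain open() follows a symlink at the log path, so an
 * append goes to whatever file the link points at, with the logger's privileges. */
static int open_log_following(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0640); /* assumed mode */
}

/* "After" pattern: O_NOFOLLOW makes open() fail when the final path component
 * is a symlink (errno ELOOP on Linux/macOS, EMLINK on FreeBSD). The fstat()
 * check additionally rejects anything that is not a regular file, e.g. a FIFO
 * dropped at the log path. Note O_NOFOLLOW only covers the last component;
 * symlinked parent directories are still followed. */
static int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Self-test scenario (constructed): a scratch directory holding a regular
 * "real.log", an empty "victim" file, and a symlink "trap.log" -> victim.
 * Returns a bitmask; 7 means all three observations were made:
 *   bit 0: the following open() appended into "victim" through the symlink
 *   bit 1: the nofollow open() refused the symlink
 *   bit 2: the nofollow open() still accepted the regular log file
 * Returns -1 if the scratch setup itself failed. */
int symlink_scenario(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char real[256], victim[256], trap[256];
    snprintf(real, sizeof real, "%s/real.log", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(trap, sizeof trap, "%s/trap.log", dir);

    int result = 0;
    int fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || symlink(victim, trap) != 0) {
        if (fd >= 0) close(fd);
        rmdir(dir);
        return -1;
    }
    close(fd);

    /* 1. The unsafe open follows the link: the log line lands in "victim". */
    const char msg[] = "log line\n";
    fd = open_log_following(trap);
    if (fd >= 0) {
        ssize_t n = write(fd, msg, sizeof msg - 1);
        close(fd);
        struct stat st;
        if (n == (ssize_t)(sizeof msg - 1) && stat(victim, &st) == 0 &&
            st.st_size == (off_t)(sizeof msg - 1))
            result |= 1;
    }

    /* 2. The hardened open refuses the link. */
    fd = open_log_nofollow(trap);
    if (fd < 0 && (errno == ELOOP || errno == EMLINK))
        result |= 2;
    else if (fd >= 0)
        close(fd);

    /* 3. The hardened open still works for an ordinary log file. */
    fd = open_log_nofollow(real);
    if (fd >= 0) {
        result |= 4;
        close(fd);
    }

    unlink(trap); unlink(victim); unlink(real); rmdir(dir);
    return result;
}

int main(void)
{
    int r = symlink_scenario();
    printf("scenario result: %d (expected 7)\n", r);
    return r == 7 ? 0 : 1;
}
```

Two points worth keeping in mind when applying this pattern: O_NOFOLLOW only
protects the last path component, so the directory holding the log should not
be writable by the account an attacker already controls, and the fstat() check
after the open is what closes the remaining gap for non-symlink substitutions
such as a FIFO at the log path.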
Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.