File _patchinfo of Package patchinfo.37246

<patchinfo incident="37246">
  <issue tracker="cve" id="2024-20505"/>
  <issue tracker="cve" id="2023-20197"/>
  <issue tracker="cve" id="2025-20128"/>
  <issue tracker="cve" id="2018-14679"/>
  <issue tracker="cve" id="2024-20380"/>
  <issue tracker="cve" id="2024-20506"/>
  <issue tracker="bnc" id="1232242">clamd with clamonacc generates enormous amounts of "File path check failure"</issue>
  <issue tracker="bnc" id="1202986">VUL-0: clamav: 0.103.7 is a critical patch release</issue>
  <issue tracker="bnc" id="1214342">VUL-0: CVE-2023-20197: clamav: fixed a possible denial of service vulnerability in the HFS+ file parser</issue>
  <issue tracker="bnc" id="1180296">clamav, clamonacc not installed as a service</issue>
  <issue tracker="bnc" id="1102840">trackerbug: build fails at some time</issue>
  <issue tracker="bnc" id="1211594">Clamav: clamscan crashes when directories are scanned recursively with database version 26908 - there is a core</issue>
  <issue tracker="bnc" id="1103032">VUL-1: CVE-2018-14679: libmspack, clamav: An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service (uninitialized da</issue>
  <issue tracker="bnc" id="1236307">VUL-0: CVE-2025-20128: clamav: denial of service (DoS) via crafted file processed by Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV</issue>
  <issue tracker="jsc" id="PED-4596"></issue>
  <packager>rmax</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for clamav</summary>
  <description>This update for clamav fixes the following issues:

- New version 1.4.2:

  * CVE-2025-20128, bsc#1236307: Fixed a possible buffer over-read in
    the OLE2 file parser's decryption routine that a crafted file
    could trigger, causing a denial-of-service (DoS) condition.

- Start clamonacc with --fdpass to avoid errors due to
  clamd not being able to access user files. (bsc#1232242)

- New version 1.4.1:

  * https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html

- New version 1.4.0:

  * Added support for extracting ALZ archives.
  * Added support for extracting LHA/LZH archives.
  * Added the ability to disable image fuzzy hashing, if needed.
    For context, image fuzzy hashing is a detection mechanism
    useful for identifying malware by matching images included with
    the malware or phishing email/document.
  * https://blog.clamav.net/2024/08/clamav-140-feature-release-and-clamav.html

- New version 1.3.2:

  * CVE-2024-20506: Changed the logging module to disable following
    symlinks on Linux and Unix systems so as to prevent an attacker
    with existing access to the 'clamd' or 'freshclam' services from
    using a symlink to corrupt system files.
  * CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF
    file parser that could cause a denial-of-service condition.
  * Removed unused Python modules from freshclam tests including
    deprecated 'cgi' module that is expected to cause test failures in
    Python 3.13.
  * Fix unit test caused by expiring signing certificate.
  * Fixed a build issue on Windows with newer versions of Rust. Also
    upgraded GitHub Actions imports to fix CI failures.
  * Fixed an unaligned pointer dereference issue on select architectures.
  * Fixes to Jenkins CI pipeline.

- New version 1.3.1:

  * CVE-2024-20380: Fixed a possible crash in the HTML file parser
    that could cause a denial-of-service (DoS) condition.
  * Updated select Rust dependencies to the latest versions.
  * Fixed a bug causing some text to be truncated when converting
    from UTF-16.
  * Fixed assorted complaints identified by Coverity static
    analysis.
  * Fixed a bug causing CVDs downloaded by the DatabaseCustomURL
  * Added the new 'valhalla' database name to the list of optional
    databases in preparation for future work.

- New version 1.3.0:

  * Added support for extracting and scanning attachments found in
    Microsoft OneNote section files. OneNote parsing will be
    enabled by default, but may be optionally disabled.
  * Added file type recognition for compiled Python ('.pyc') files.
  * Improved support for decrypting PDFs with empty passwords.
  * Fixed a warning when scanning some HTML files.
  * ClamOnAcc: Fixed an infinite loop when a watched directory
    does not exist.
  * ClamOnAcc: Fixed an infinite loop when a file has been deleted
    before a scan.

- New version 1.2.0:

  * Added support for extracting Universal Disk Format (UDF)
    partitions.
  * Added an option to customize the size of ClamAV's clean file
    cache.
  * Raised the MaxScanSize limit so the total amount of data
    scanned when scanning a file or archive may exceed 4 gigabytes.
  * Added ability for Freshclam to use a client certificate PEM
    file and a private key PEM file for authentication to a private
    mirror.
  * Fix an issue extracting files from ISO9660 partitions where the
    files are listed in the plain ISO tree and there also exists an
    empty Joliet tree.
  * PID file and socket are now located at /run/clamav/clamd.pid and
    /run/clamav/clamd.sock.
  * bsc#1211594: Fixed an issue where ClamAV does not abort the
    signature load process after partially loading an invalid
    signature.

- New version 1.1.0:

  * https://blog.clamav.net/2023/05/clamav-110-released.html
  * Added the ability to extract images embedded in HTML CSS
    &lt;style&gt; blocks.
  * Updated to Sigtool so that the '--vba' option will extract VBA
    code from Microsoft Office documents the same way that
    libclamav extracts VBA.
  * Added a new option --fail-if-cvd-older-than=days to clamscan
    and clamd, and FailIfCvdOlderThan to clamd.conf
  * Added a new function 'cl_cvdgetage()' to the libclamav API.
  * Added a new function 'cl_engine_set_clcb_vba()' to the
    libclamav API.

- bsc#1180296: Integrate clamonacc as a service.

- New version 1.0.1 LTS (including changes in 0.104 and 0.105):

  * As of ClamAV 0.104, CMake is required to build ClamAV.
  * As of ClamAV 0.105, Rust is now required to compile ClamAV.
  * Increased the default limits for file and scan size:
    * MaxScanSize: 100M to 400M
    * MaxFileSize: 25M to 100M
    * StreamMaxLength: 25M to 100M
    * PCREMaxFileSize: 25M to 100M
    * MaxEmbeddedPE: 10M to 40M
    * MaxHTMLNormalize: 10M to 40M
    * MaxScriptNormalize: 5M to 20M
    * MaxHTMLNoTags: 2M to 8M
  * Added image fuzzy hash subsignatures for logical signatures.
  * Support for decrypting read-only OLE2-based XLS files that are
    encrypted with the default password.
  * Overhauled the implementation of the all-match feature.
  * Added a new callback to the public API for inspecting file
    content during a scan at each layer of archive extraction.
  * Added a new function to the public API for unpacking CVD
    signature archives.
  * The option to build with an external TomsFastMath library has
    been removed. ClamAV requires non-default build options for
    TomsFastMath to support bigger floating point numbers.
  * For a full list of changes see the release announcements:
    * https://blog.clamav.net/2022/11/clamav-100-lts-released.html
    * https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
    * https://blog.clamav.net/2021/09/clamav-01040-released.html
- Build clamd with systemd support.

- CVE-2023-20197: Fixed a possible denial of service vulnerability in
  the HFS+ file parser. (bsc#1214342)
- CVE-2018-14679: Fixed an off-by-one error in the CHM PMGI/PMGL chunk
  number validity checks in mspack/chmd.c of libmspack before 0.7alpha,
  which could lead to denial of service (uninitialized da (bsc#1103032)

- Package huge .html documentation in a separate subpackage.

- Update to 0.103.7 (bsc#1202986)

  * Zip parser: tolerate 2-byte overlap in file entries
  * Fix bug with logical signature Intermediates feature
  * Update to UnRAR v6.1.7
  * Patch UnRAR: allow skipping files in solid archives
  * Patch UnRAR: limit dict winsize to 1GB

- Use a split-provides for clamav-milter instead of recommending it.
- Package clamav-milter in a subpackage
- Remove virus signatures upon uninstall
- Check for database existence before starting clamd
- Restart clamd when it exits
- Don't daemonize freshclam, but use a systemd timer instead to
  trigger updates
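
Three items in this changelog are worth verifying on a host after the update
is applied: the package must be at 1.4.2 or later (the first version with the
CVE-2025-20128 fix), clamonacc must be started with --fdpass (the bsc#1232242
change), and clamd.conf should set FailIfCvdOlderThan (added in 1.1.0) so a
daemon does not keep scanning with stale signatures. The POSIX shell script
below is an added example, not part of this patchinfo or of the ClamAV
project. It assumes, hypothetically, that the package is named clamav, that
on-access scanning runs from a clamonacc.service unit, and that the daemon
reads /etc/clamav/clamd.conf; adjust these to the host. It runs offline
against constructed sample input and can be run against the live host with
audit_live.

```shell
#!/bin/sh
# Added post-update check for this clamav advisory. Example code, not part
# of the openSUSE patchinfo or the ClamAV project. Assumed (hypothetical)
# host details: package name clamav, on-access scanning from
# clamonacc.service, daemon config at /etc/clamav/clamd.conf.

# vercmp_ge A B: return 0 (true) when dotted version A is greater than or
# equal to B. Missing components count as 0, so 1.4 equals 1.4.0.
vercmp_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# clamav_fixed VERSION: true when the installed clamav is 1.4.2 or later,
# i.e. carries the CVE-2025-20128 OLE2 fix (and the earlier fixes listed above).
clamav_fixed() {
    vercmp_ge "$1" 1.4.2
}

# fdpass_enabled UNIT_TEXT: true when the unit's ExecStart= line passes
# --fdpass, so clamonacc hands clamd an open descriptor instead of a path
# that clamd's own user may not be allowed to open.
fdpass_enabled() {
    printf '%s\n' "$1" | grep -q '^ExecStart=.*--fdpass'
}

# cvd_max_age CONF_TEXT: print the FailIfCvdOlderThan value (days) from a
# clamd.conf, or 0 when the option is absent or commented out.
cvd_max_age() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*FailIfCvdOlderThan[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' | head -n1)
    printf '%s\n' "${v:-0}"
}

# audit VERSION UNIT_TEXT CONF_TEXT: print one PASS/FAIL line per check and
# return the number of failed checks (0 means everything is in order).
audit() {
    fails=0
    if clamav_fixed "$1"; then echo "PASS clamav $1 is 1.4.2 or later"
    else echo "FAIL clamav $1 is older than 1.4.2"; fails=$((fails+1)); fi
    if fdpass_enabled "$2"; then echo "PASS clamonacc is started with --fdpass"
    else echo "FAIL clamonacc ExecStart lacks --fdpass"; fails=$((fails+1)); fi
    age=$(cvd_max_age "$3")
    if [ "$age" -gt 0 ]; then echo "PASS clamd refuses CVDs older than $age days"
    else echo "FAIL FailIfCvdOlderThan is not set in clamd.conf"; fails=$((fails+1)); fi
    return "$fails"
}

# audit_live: run the same checks against this host (needs rpm and systemctl).
audit_live() {
    ver=$(rpm -q --qf '%{VERSION}' clamav 2>/dev/null || echo 0)
    unit=$(systemctl cat clamonacc.service 2>/dev/null || echo '')
    conf=$(cat /etc/clamav/clamd.conf 2>/dev/null || echo '')
    audit "$ver" "$unit" "$conf"
}

# Constructed sample input (not captured from a real host) so the script
# runs offline; the socket path matches the one in the 1.2.0 notes above.
SAMPLE_UNIT='[Service]
ExecStart=/usr/sbin/clamonacc --foreground --fdpass --log=/var/log/clamav/clamonacc.log'
SAMPLE_CONF='# clamd.conf excerpt
LocalSocket /run/clamav/clamd.sock
FailIfCvdOlderThan 7'

audit 1.4.2 "$SAMPLE_UNIT" "$SAMPLE_CONF" || echo "$? check(s) failed"
```

Run it as-is to see the sample pass, or replace the last line with
audit_live on a host; a non-zero exit status means at least one of the
three checks failed.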
</description>
</patchinfo>