File _patchinfo of Package patchinfo.41852

<patchinfo incident="41852">
  <issue tracker="bnc" id="1240363">VUL-0: clamav: clamd protocol has insufficient authentication, can lead to DOS</issue>
  <issue tracker="bnc" id="1249404">clamav: reproducible builds issue in libclamav_rust.a</issue>
  <issue tracker="jsc" id="PED-14151"></issue>
  <packager>rmax</packager>
  <rating>moderate</rating>
  <category>recommended</category>
  <summary>Recommended update for clamav</summary>
  <description>This update for clamav fixes the following issues:

New version 1.5.1:

  * Fixed a significant performance issue when scanning some PE
    files.
  * Fixed an issue recording file entries from a ZIP archive
    central directory which resulted in
    "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the
    ClamScan --alert-exceeds-max command line option or ClamD
    AlertExceedsMax config file option.
  * Improved performance when scanning TNEF email attachments.
  * Fixed an issue with recording metadata for OOXML office
    documents.
  * Fixed an issue with signature matches for VBA in OLE2 office
    documents.
  * Loosened overly restrictive rules for embedded file
    identification and increased the limit for finding PE files
    embedded in other PE files.
  * Fixed an issue with extracting some RAR archives embedded in
    other files.
  * Fixed an issue with calculating fuzzy hashes affecting some
    images by updating the version for several Rust library
    dependencies.

New version 1.5.0:

  * Added checks to determine if an OLE2-based Microsoft Office
    document is encrypted.
  * Added the ability to record URIs found in HTML if the
    generate-JSON-metadata feature is enabled.
  * Added the ability to record URIs found in PDFs if the
    generate-JSON-metadata feature is enabled.
  * Added regex support for the clamd.conf OnAccessExcludePath
    config option.
  * Added CVD signing/verification with external .sign files.
  * Freshclam, ClamD, ClamScan, and Sigtool: Added an option to
    enable FIPS-like limits disabling MD5 and SHA1 from being used
    for verifying digital signatures or for being used to trust a
    file when checking for false positives.
  * ClamD: Added an option to disable select administrative
    commands including SHUTDOWN, RELOAD, STATS and VERSION.
  * libclamav: Added extended hashing functions with a "flags"
    parameter that allows the caller to choose if they want to
    bypass FIPS hash algorithm limits.
  * See the release announcement for the full list of changes:
    https://blog.clamav.net/2025/10/clamav-150-released.html

- Remove service symlinks: rcclamd, rcfreshclam, rcclamav-milter,
  and clamonacc.

- clamd: Add an option to toggle SHUTDOWN, RELOAD, STATS and VERSION. (bsc#1240363)
</description>
</patchinfo>