File squidclamav.changes of Package squidclamav
-------------------------------------------------------------------
Mon Jul 11 12:52:09 UTC 2022 - Mathias Homann <Mathias.Homann@opensuse.org>
- update to 0.7.2
This version fixes some bugs reported by users since previous release
and especially a crash with call to deprecated gethostbyname() function.
Full list of changes:
* Update copyright year
* Fix compilation warning about strlen
* Add .gitignore file
* Merge some redundant code related to whitelist/abort and blacklist/scan. Thanks to rdpmc Oleg for the report.
* Fix call to CGI::param without scalar context. Thanks to Frank Crawford for the report.
* Replace deprecated gethostbyname() by getaddrinfo(). Thanks to Jean-noel Leclercq for the patch.
* Create http response entity if not present in icap request. Thanks to Saurabh Ram Tripathi for the patch.
* Re-work/Updated debian/*. Thanks to Louis van Belle for the patch.
-------------------------------------------------------------------
Sun May 26 16:19:06 UTC 2019 - lars@linux-schulserver.de - 7.1
- update to 7.1
Generic:
* New scan mode. By default squidclamav scan everything excepted the
exclusions defined in 'abort', 'abortcontent', 'whitelist', 'trustuser'
and 'trustclient' configuration directives. There is now a mode where
squidclamav will scan nothing excepted the inclusions defined with
directives 'scan', 'scancontent', 'blacklist', 'untrustuser' and
'untrustclient'. The scan mode is controlled by a new configuration
directive 'scan_mode'. Possible values are 'ScanAllExcept' (the default)
and 'ScanNothingExcept'.
* Add support to libarchive to be able to ban archive with some suspect
files inside that are not detected by ClamAv. This feature is disabled
by default and can be enable using 'enable_libarchive'. The ban archive
can be stored to be recovered by the user through the redirect CGI script
if directive 'recoverpath' is set.
* An archive banned by libarchive can be recovered through the redirect
CGI. See cgi-bin/clwarn.cgi and the redirect configuration directive.
recoverpath must be set to use this feature.
* Add --with-libarchive configure option to specify where to find
archive.h. It is searched in /usr/include and /usr/local/include
by default, if the header file is not in these directory you must
use this option. Example: ./configure --with-libarchive=/opt/csw.
Fixes:
+ Fix some compilation warnings.
+ Fix typos/translation error. Thanks to Yuri Voinov for the patch.
+ Allow base dir to --with-libarchive option, /opt/csw/ instead of
/opt/csw/include. Thanks to Yuri Voinov for the report.
+ Fix formatting of configure usage output. Thanks to Yuri Voinov
for the report.
+ Defined max() macro even if libarchive is not used. Thanks to Yuri
Voinov for the report.
from 7.0:
+ Pass generated name of the file saved by libarchive mode to recover
the file through a link in the redirect CGI.
+ Remove obsolete code related to debug and squidguard directives.
+ Remove obsolete squidguard configuration directive.
+ Print less messages at DebugLevel 1 to only display essential messages.
Remove support to chained program like squidguard using the squidguard
directive. Use the 'url_rewrite_program' squid.conf directive instead.
+ Add multipart configuration directive to documentation.
+ Add libarchive support (link to recover file) in all CGI scripts.
+ Update documentation and copyrights.
+ Update autoconf/automake files.
+ SquidClamav has a default "ScanAllExcepted" behavior, that mean that
everything is scanned except the exclusion set in abort, abortcontent
and whitelist directives. With new directive scan_mode it is now
possible to reverse the default behavior with mode "ScanNothingExcepted"
which will scan nothing excepted what is defined in directive scan,
scancontent and blacklist. Backward compatibility is fully preserved.
Thanks to Andres Ofner for the feature request.
+ Add new configuration directives scan_mode, scan, scancontent and
blacklist.
+ Fix some compilation warning with libarchive support and improve multipart
content-type code.
+ Add documentation about libarchive support.
+ Do not compile code for libarchive support if libarchive is not available
to preserve backward compatibility.
+ Update autoconf and automake files.
+ Add support to libarchive to be able to exclude archives following their
content. Thanks to Vieri Di Paola for the patch.
+ Send multipart content-type headers to clamav. Thanks to Paul Winkler for
the patch.
+ Fix missing prefix for c-icap-config which affects systems where c-icap is
not installed in the PATH. Thanks to Sebastian Weitzel for the patch.
- added BuildRequires for libarchive-devel, libbz2-devel, libopenssl-devel,
zlib-devel
- ran spec-cleaner
-------------------------------------------------------------------
Wed Oct 19 16:51:06 UTC 2016 - lars@linux-schulserver.de
- use libdir macro now for c_icap library (modules) path
- refresh squidclamav.conf.patch
- update to 6.16:
This release fixes a major bug with debugs macro that can have bad side
effects like printing an error after configuration reload an possibly some
other wrong behaviors.
- Change log level of configuration reloading message.
- Show line in configuration file that can not be parsed
by add_pattern().
- Enclose debugs macro to avoid misusage. Thanks to Denis Volpato
Martins for the patch.
- Fix Apache complain "AH01215: CGI::param called in list context
from package main line 14, this can lead to vulnerabilities."
Thanks to thctlo for the report.
* SquidClamav 6.15, Monday January 18 2016
This release fix a major bug of a buffer overflow in squidclamav_safebrowsing()
and change the http response code in squidclamav redirection when a virus is
found.
- Fix buffer overflow in squidclamav_safebrowsing(). Thanks to Stuart
Henderson for the patch.
- Change http response code 301 (move permanently) to 307 (temporary
redirect) in squidclamav redirection when a virus is found. Thanks to
Alexander Koch for the report.
- Fix null url, client ip and username in safebrowsing report. Thanks to
Claus Regelmann for the patch.
* SquidClamav 6.14, Sunday October 17 2015
This release fix a compilation issue with c-icap 0.4.x and exclude the HTTP
method OPTIONS from being virus scanned.
- Excluded OPTIONS http method from being scanned. Thanks to Yuri Voinov
for the report.
- Fix some ru_RU translation errors. Thanks to romale for the report.
* SquidClamav 6.13, Monday June 01 2015
This release fix some minor issues and allow to use a file with a list of
regular expression to be whitelisted.
- Fix some memory management issues. Thanks to mbechler for the patch.
- Allow whitelist directive to receive a file as value import the whitelist
from another file. This file must only contain a list of regex (one per
line) to be whitelisted. Thanks to karlmendes for the feature request.
- Fix generated 403 response which was not correct. Thanks to Manoj
Ramakrishnan for the report and Christos Tsantilas for the fix.
* SquidClamav 6.12, Sunday December 28 2014
This release fixes the default path to configuration file to be the same as
c-icap configuration directory. Some issues revealed by Coverity Scanner have
been fixed as well as some code cleanup.
- Add more information about redirect directive to documentation and
configuration file.
- Update documentation to be more explicit about the --with-c-icap
configure option. Thanks to Yuri Voinov for the suggestion.
- Add configuration for squid 3.4.x to documentation. Thanks to Yuri
Voinov for the patch.
- Set debug level to 2 for message "Can not begin to scan url: No
preview data". Thanks to Marco Gaiarin for the suggestion.
- Fix default path to squidclamav.conf. It is now always installed and
searched in c-icap configuration directory. /etc/squidclamav.conf is
no more used as default. Thanks to Oliver Seeburger for the report.
- The message about undefined squidguard directive has been changed.
- Change cast on content_length printing.
- Fix some issues returned by Coverity scanner.
-------------------------------------------------------------------
Mon Sep 29 11:12:31 UTC 2014 - lars@linux-schulserver.de
- create a symlink /etc/squidclamav.conf pointing to the config in
/etc/c-icap/squidclamav.conf as the code seems to have the path
still hardcoded in some places
-------------------------------------------------------------------
Wed Mar 12 15:35:13 UTC 2014 - lars@linux-schulserver.de
- update to 6.11:
+ This release adds support to icap template allowing to display a templated
response on block instead of redirecting to an external URL. Add new lines into
HTTP and ICAP response header to set X-Infection-Found and X-Virus-ID when a
virus is found. With the possiblity to scan data sent without preview this
allow some commercial product like MoveIt DMZ to work with c-icap and
squidclamav service. Lot of code clean up and bug fixes.
+ Replace clamd STREAM by zINSTREAM protocol as clamav have removed
the obsolete STREAM protocol in release 0.97.4. Thanks to Vasan and
Raja Lakshmi for the report.
- use /var/run/clamav/clamd-socket as clamav socket per default
- place the squidclamav.conf in the /etc/c-icap directory where
it makes more sense
- add MALWARE_FOUND template for c_icap
-------------------------------------------------------------------
Wed Dec 25 15:04:52 UTC 2013 - lars@linux-schulserver.de
- place libraries in %{_prefix}/lib/c_icap/ as all the other
c-icap modules
- use README.SUSE
-------------------------------------------------------------------
Thu Nov 1 20:03:52 UTC 2012 - lars@linux-schulserver.de
- update to 6.10:
+ Replaced clamd STREAM by zINSTREAM protocol as clamav have
removed the obsolete STREAM protocol in release 0.97.4.
-------------------------------------------------------------------
Wed Sep 12 10:01:31 UTC 2012 - lars@linux-schulserver.de
- update to 6.9:
+ Add 'safebrowsing' configuration directive to enable/disable
Safe Browsing detection
+ Fix support to Clamav Google Safe Browsing that need a second
query to clamd because the url need to be embeded in an email
like content. Thanks to frOgz for the report
+ All redirect CGI scripts have been rewritten with some CSS and
to better handle virus vs malware.
+ Compatibility fix with new c-icap 0.2.1 release that prevent
squidclamav service to be initialized.
+ Add a workaround for a squidGuard bug that unescape the URL and
send it back unescaped. This result in garbage staying into pipe
of the system command call and could crash squidclamav on next
read or return false information. This is specially true with URL
containing the %0D or %0A character.
+ Update documentation about the recommanded way to call squidGuard
through the use of url_rewrite_program in squid.conf. You may not
use the squidguard configuration directive into squidclamav.conf
+ Rewrite entirely the squidclamav behavior with the maxsize directive.
The previous fix was only a workaround.
+ Fix a bug on 'trustclient' check part that was never executed if
dnslookup was disabled. Thanks to Tinu for the report.
- removed upstreamed squidclamav-fix_html.patch
-------------------------------------------------------------------
Fri Apr 6 07:00:12 UTC 2012 - lars@linux-schulserver.de
- added hint for disabling RPM scanning in config
- added suse.de and opensuse.org domains as whitelisted
-------------------------------------------------------------------
Mon Apr 2 08:50:10 UTC 2012 - lars@linux-schulserver.de
- initial version 6.5
