On Wed, 4 Mar 2026, Valerie Snyder (valsnyde) via clamav-announce wrote:
Read this online at
https://blog.clamav.net/2026/03/clamav-152-and-144-security-patch.html
Today, we are publishing the 1.5.2 and 1.4.4 security patch versions.
... ...
1.5.2
ClamAV 1.5.2 is a patch release with the following fixes:
* CVE-2026-20031<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20031>:
Fixed an error handling bug in the HTML file parser that may
crash the program and cause a denial-of-service (DoS) condition.
This issue was introduced in version 1.1.0.
The fix is included in 1.5.2 and 1.4.4.
... ...
https://access.redhat.com/security/cve/cve-2026-20031
CVE-2026-20031 does not affect Red Hat software
EPEL has ClamAV 1.4.3, but EPEL is not part of Red Hat ...
https://ubuntu.com/security/CVE-2026-20031 says
No maintained releases are affected by this CVE.
The latest Ubuntu release - questing/205-10 has ClamAV 1.4.3.
I know that Cisco release their own .rpm and .deb packages
but these are not integrated into the OS in the same way as the
packages from EPEL, Debian and Ubuntu, so many of us are still using the
non-Cisco packages.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-css-Fn4QSZ
includes this subtle paragraph:
Cisco Secure Endpoint Connector, which is distributed from Cisco
Secure Endpoint Private Cloud, is affected by this vulnerability.
Cisco Secure Endpoint Private Cloud is not affected.
so I wonder whether the UTF-8 splitter and HTML parser are or are
not part of the non-Cisco packages.
Can anyone help me figure out where users of the non-Cisco packages
might stand?
Thanks,
--
Andrew C. Aitchison Kendal, UK
[email protected]