Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package clamav for openSUSE:Factory checked in at 2026-07-03 16:04:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/clamav (Old) and /work/SRC/openSUSE:Factory/.clamav.new.1982 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "clamav" Fri Jul 3 16:04:20 2026 rev:141 rq:1363548 version:1.5.3 Changes: -------- --- /work/SRC/openSUSE:Factory/clamav/clamav.changes 2026-03-20 21:27:23.392425287 +0100 +++ /work/SRC/openSUSE:Factory/.clamav.new.1982/clamav.changes 2026-07-03 16:06:46.193122860 +0200 @@ -1,0 +2,41 @@ +Wed Jul 1 16:18:42 UTC 2026 - Arjen de Korte <[email protected]> + +- update to 1.5.3 + ClamAV 1.5.3 is a patch release with the following fixes: + * bsc#1270091, CVE-2026-20217: + Fixed a bug in the PESpin unpacker cleanup path that could free pointers + into the scanned file buffer and crash the scanner. + * bsc#1270107, CVE-2026-20213: + Fixed an integer overflow in PE rebuild size calculations that could be + reached through a malformed Aspack-packed PE file and lead to a heap buffer + overflow write. + * bsc#1270089, CVE-2026-20216: + Fixed an InstallShield archive extraction limit bypass that could write far + more temporary data than intended and exhaust temporary storage. + * bsc#1270085, CVE-2026-20214: + Fixed an FSG unpacker loop underflow that could write past the section array + while scanning a malformed PE file. + * bsc#1270092, CVE-2026-20243: + Fixed ALZ parser size handling bugs that could cause malformed ALZ archives + to panic, abort the scanner, or skip expected scan-limit handling. + * bsc#1270088, CVE-2026-20215: + Fixed a 7z parser substream count overflow that could under-allocate parser + metadata arrays and write past them while reading a malformed archive. + * bsc#1270106, CVE-2026-20244: + Fixed 32-bit DMG parser size checks that could let a short mish stripe table + pass validation and crash 32-bit scanner builds. + * Hardened clamscan, clamdscan, and clamonacc quarantine actions against + time-of-check/time-of-use races that could redirect copied, moved, or removed + files under unsafe quarantine directory configurations. + * Upgraded the Rust tar dependency to resolve the RUSTSEC-2026-0067 and + RUSTSEC-2026-0068 advisories, and upgraded the Rust openssl dependency to + resolve CVE-2026-41676, bsc#1270138. + * Raised the minimum required CMake version to 3.17 to fix Linux builds with + libcurl v8.21.0 when linking static library dependencies. + * Metadata preclass scans now run before the final scan verdict. + * ClamOnAcc: Fixed errors when recursively excluded paths are children of an + included path. + * ClamOnAcc: Fixed hash bucket list corruption when two watched paths collide + in the same bucket. + +------------------------------------------------------------------- Old: ---- clamav-1.5.2.tar.gz clamav-1.5.2.tar.gz.sig New: ---- clamav-1.5.3.tar.gz clamav-1.5.3.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ clamav.spec ++++++ --- /var/tmp/diff_new_pack.krHdGt/_old 2026-07-03 16:06:54.953428209 +0200 +++ /var/tmp/diff_new_pack.krHdGt/_new 2026-07-03 16:06:54.953428209 +0200 @@ -44,7 +44,7 @@ %define jsonc json-c-json-c-%vjsonc-20240915 Name: clamav -Version: 1.5.2 +Version: 1.5.3 Release: 0 Summary: Antivirus Toolkit License: GPL-2.0-only ++++++ clamav-1.5.2.tar.gz -> clamav-1.5.3.tar.gz ++++++ /work/SRC/openSUSE:Factory/clamav/clamav-1.5.2.tar.gz /work/SRC/openSUSE:Factory/.clamav.new.1982/clamav-1.5.3.tar.gz differ: char 5, line 1
