Package: release.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: buster Severity: normal
This is an update from ClamAV from 0.102.4 to 0.103.2. The 103 release was in unstable since the beginning. I skipped it for Buster back then because the 102 based release recevied a security update and it appeared to contain the important bits. Now, with the 103.2 release there is no update for the 102 based release. At least one CVE was identified as also affecting Buster. There is also another change regarding "memory leak in PNG parser" which has no attribution and a memory leak in clamav, which is often in an email setup scanning incomming mail, could be exploited and brining the system to an OOM condition and hopefully killing only the clamav daemon. Looking further, I identified two changes https://github.com/Cisco-Talos/clamav-devel/commit/ba6467a6a6f7d749f3011c38e76573c75676e37f https://github.com/Cisco-Talos/clamav-devel/commit/1a8b164b4f513460c8334521f0797aaf81d15699 which fix two leaks which also apply to the version currently in Buster. I didn't look further… The 103.2 release also received updates regarding freshclam including improved error codes handling. Probably related to CDN, they are using. The "safebrowsing" has been disabled in clamav. It has been announced half a year ago [0] and they are asking [1] now to finally disable it as the file is now no longer served. The current release disables it and removes it from the config file (and debconf templates). Testing wise the 103.0 release landed last October in unstable and we managed to fix various apparmor related issue since. I'm not aware of any issues so far. I upload recently 103.2 to unstable and uploaded an update yesterday after noticing that the postinst script still enables the safebrowsing option (my clunky eyes didn't see it earler). This change is also part of the propsed Buster version. I had it deployed on a server for two+ days now. One last disclosure: The clamav daemon now supports reloading the database without blocking. The advantage is that email scanning isn't blocked while the database is reloaded. The disadvantage is that it consumes more memory as it prepares the new database in memory and after it is done, it switches over and releases the old one. [0] https://blog.clamav.net/2020/06/the-future-of-clamav-safebrowsing.html [1] https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html Sebastian