Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-27 Thread Scott Kitterman


On January 28, 2018 2:35:59 AM UTC, Dennis Peterson  wrote:
>On 1/26/18 2:39 PM, Scott Kitterman wrote:
>> Couldn't (old) 0.99.3 beta users just have ignored (new) 0.99.3? As
>far as I can tell, the beta had all the fixes.
>>
>> Assuming that is correct, I think better advice for beta users would
>be to do nothing now and update to 0.100 beta when it is available.
>>
>> Scott K
>> ___
>
>Many businesses correctly disallow production use of beta software.
>Because it 
>is policy and not necessarily logical even beta software that is
>byte-identical 
>with the golden release is discouraged and the reason is a version
>query could 
>report beta and set off a flag. That is not a fun thing to experience
>in large 
>data centers.

Yes, but I was discussing users already on the beta.  Hardly relevant to this 
thread of the conversation.

Scott K
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
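
Added example, not part of the original thread and not ClamAV project code: a fleet version check built on two points from this thread, the advisory's "versions 0.99.2 and prior" and the renumbering of the old 0.99.3 beta to 0.100, including the beta flag Dennis Peterson describes. The banner layout, host names and sample strings are constructed assumptions.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# From the advisory in this thread: "versions 0.99.2 and prior" are affected.
LAST_AFFECTED = (0, 99, 2)

# Accepts a bare version or a banner starting with "ClamAV <version>".
# The banner layout is an assumption; all sample strings are constructed.
_VERSION_RE = re.compile(
    r"(?:ClamAV\s+)?(\d+(?:\.\d+)+)(?:-?((?:alpha|beta|rc)\w*))?",
    re.IGNORECASE,
)


class ClamVersion(NamedTuple):
    release: Tuple[int, ...]      # numeric components, e.g. (0, 99, 3)
    prerelease: Optional[str]     # e.g. "beta2", None for a release build


def parse_version(text: str) -> ClamVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"no ClamAV version in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # "0.100" -> (0, 100, 0)
    tag = m.group(2)
    return ClamVersion(tuple(parts), tag.lower() if tag else None)


def naive_is_newer(a: str, b: str) -> bool:
    """Weak form: string comparison ranks "0.100.0" below "0.99.3"."""
    return a > b


def is_newer(a: str, b: str) -> bool:
    """Compare numeric components only. Beta tags are not ordered here,
    because the old 0.99.3 beta was renumbered 0.100 rather than being
    the predecessor of the 0.99.3 release."""
    return parse_version(a).release > parse_version(b).release


def classify(text: str) -> str:
    v = parse_version(text)
    if v.release <= LAST_AFFECTED:
        return "affected"        # covered by the CVEs in the advisory
    if v.prerelease:
        return "prerelease"      # a version query reports a beta
    return "release"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its status."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed inventory: host names and banners are illustrative only.
SAMPLE_INVENTORY = {
    "mx1": "ClamAV 0.99.2/24000/Fri Jan 26 10:00:00 2018",
    "mx2": "ClamAV 0.99.3/24000/Fri Jan 26 10:00:00 2018",
    "mx3": "ClamAV 0.99.3-beta2/24000/Fri Jan 26 10:00:00 2018",
    "lab": "0.100.0-beta",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```
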


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-27 Thread Dennis Peterson

On 1/26/18 2:39 PM, Scott Kitterman wrote:

Couldn't (old) 0.99.3 beta users just have ignored (new) 0.99.3? As far as I 
can tell, the beta had all the fixes.

Assuming that is correct, I think better advice for beta users would be to do 
nothing now and update to 0.100 beta when it is available.

Scott K
___


Many businesses correctly disallow production use of beta software. Because it 
is policy and not necessarily logical even beta software that is byte-identical 
with the golden release is discouraged and the reason is a version query could 
report beta and set off a flag. That is not a fun thing to experience in large 
data centers.


dp


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-27 Thread Micah Snyder (micasnyd)
Scott K,

I 100% agree.  ClamAV hasn’t been following dev, testing, or security-release 
best practices in a number of ways and as you just pointed out - it shows.

The team and I are making a real effort to get things like this up to snuff.  
Fixing this exact process is my top priority right now.

For the past couple of weeks, we’ve been talking about the best way to modify 
how we work with our public and private Git repositories, and for the past few 
months we’ve been working on strategies to improve our testing and release 
processes as a whole.  For those who work with the ClamAV code, I’m going to 
post an announcement in a couple days to the clamav-devel mailing list 
describing our new Git work-flow.

I appreciate feedback on issues such as this, and welcome any help 
brainstorming other ways in which we can improve the project.


Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.



On Jan 26, 2018, at 5:34 PM, Scott Kitterman wrote:

Historically, fixes for such issues would have not been part of a pre-release.  
They would have been added to the public VCS on release day.

You may not have been able to announce the CVEs for some reason, but I don't 
think silently disclosing the fixes was the best thing to have done.

Scott K

On January 26, 2018 9:55:49 PM UTC, "Joel Esler (jesler)" wrote:
There are outside issues that prevented us from announcing the CVEs at
that time.  It's not because we were trying to hide something.


--
Joel Esler | Talos: Manager | 
jes...@cisco.com






On Jan 26, 2018, at 2:39 PM, Andreas Schulze wrote:

On 26.01.2018 at 16:06, Tobi wrote:
As far as I understand the release notes of 99.3 it's a security fix
which has nothing to do with former 99.3 beta.
The former beta now is 0.100
(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
So at least for me it makes sense that you have to remove the beta
first to apply fixed 99.3 version
I compared 0.99.2 and 0.99.3 and found most of the diffs to be present in
0.99.3beta2

now, as the links to bugzilla.clamav.net are public, we see, the issues
were known to the developers since October/November 2017!
They published these changes silently as part of "beta2". They discussed
CVEs at this time!
This is *not* amazing.

Andreas




Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-27 Thread Micah Snyder (micasnyd)
Yes.   If you’re using the old 0.99.3 beta, there is no need for you to switch 
to 0.99.3 release patch so long as you’re still comfortable with running a 
beta.  The beta was in a state where we weren’t comfortable releasing it yet.  
There are a few outstanding issues with the feature release that will be 
resolved soon, and then we’ll call it stable.


Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.



On Jan 26, 2018, at 5:39 PM, Scott Kitterman wrote:

On January 26, 2018 2:54:57 PM UTC, "Joel Esler (jesler)" wrote:

On Jan 26, 2018, at 9:49 AM, Reindl Harald wrote:

On 26.01.2018 at 15:40, Joel Esler (jesler) wrote:
As previously mentioned, if you downloaded the beta version of ClamAV
0.99.3, you will need to completely uninstall it and do a fresh install
with the production version of 0.99.3 as there are significant code
differences

when i read something like this in 2018 my brain ends with a bluescreen

This is something we debated for a couple weeks here internally and we
found this to be the best solution.  We were stuck between a rock
and a hard place.  Trust me, this is not the user experience I want for
our users either.

Couldn't (old) 0.99.3 beta users just have ignored (new) 0.99.3? As far as I 
can tell, the beta had all the fixes.

Assuming that is correct, I think better advice for beta users would be to do 
nothing now and update to 0.100 beta when it is available.

Scott K


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Scott Kitterman


On January 26, 2018 2:54:57 PM UTC, "Joel Esler (jesler)"  
wrote:
>
>
>On Jan 26, 2018, at 9:49 AM, Reindl Harald wrote:
>
>On 26.01.2018 at 15:40, Joel Esler (jesler) wrote:
>As previously mentioned, if you downloaded the beta version of ClamAV
>0.99.3, you will need to completely uninstall it and do a fresh install
>with the production version of 0.99.3 as there are significant code
>differences
>
>when i read something like this in 2018 my brain ends with a bluescreen
>
>This is something we debated for a couple weeks here internally and we
>found this to be the best solution.  We were stuck between a rock
>and a hard place.  Trust me, this is not the user experience I want for
>our users either.

Couldn't (old) 0.99.3 beta users just have ignored (new) 0.99.3? As far as I 
can tell, the beta had all the fixes.

Assuming that is correct, I think better advice for beta users would be to do 
nothing now and update to 0.100 beta when it is available.

Scott K


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Scott Kitterman
Historically, fixes for such issues would have not been part of a pre-release.  
They would have been added to the public VCS on release day.

You may not have been able to announce the CVEs for some reason, but I don't 
think silently disclosing the fixes was the best thing to have done.

Scott K

On January 26, 2018 9:55:49 PM UTC, "Joel Esler (jesler)"  
wrote:
>There are outside issues that prevented us from announcing the CVEs at
>that time.  It's not because we were trying to hide something.
>
>
>--
>Joel Esler | Talos: Manager | jes...@cisco.com
>
>
>
>
>
>
>On Jan 26, 2018, at 2:39 PM, Andreas Schulze wrote:
>
>On 26.01.2018 at 16:06, Tobi wrote:
>As far as I understand the release notes of 99.3 it's a security fix
>which has nothing to do with former 99.3 beta.
>The former beta now is 0.100
>(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
>So at least for me it makes sense that you have to remove the beta
>first to apply fixed 99.3 version
>I compared 0.99.2 and 0.99.3 and found most of the diffs to be present in
>0.99.3beta2
>
>now, as the links to bugzilla.clamav.net
>are public, we see, the issues were known to the developers since
>October/November 2017!
>They published these changes silently as part of "beta2". They discussed
>CVEs at this time!
>This is *not* amazing.
>
>Andreas
>
>


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Joel Esler (jesler)
There are outside issues that prevented us from announcing the CVEs at that 
time.  It's not because we were trying to hide something.


--
Joel Esler | Talos: Manager | jes...@cisco.com






On Jan 26, 2018, at 2:39 PM, Andreas Schulze wrote:

On 26.01.2018 at 16:06, Tobi wrote:
As far as I understand the release notes of 99.3 it's a security fix which has 
nothing to do with former 99.3 beta.
The former beta now is 0.100 
(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
So at least for me it makes sense that you have to remove the beta first to 
apply fixed 99.3 version
I compared 0.99.2 and 0.99.3 and found most of the diffs to be present in 
0.99.3beta2

now, as the links to bugzilla.clamav.net are 
public, we see, the issues were known to the developers since October/November 
2017!
They published these changes silently as part of "beta2". They discussed 
CVEs at this time!
This is *not* amazing.

Andreas




Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Andreas Schulze

On 26.01.2018 at 16:06, Tobi wrote:

As far as I understand the release notes of 99.3 it's a security fix which has 
nothing to do with former 99.3 beta.
The former beta now is 0.100 
(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
So at least for me it makes sense that you have to remove the beta first to 
apply fixed 99.3 version
I compared 0.99.2 and 0.99.3 and found most of the diffs to be present in 
0.99.3beta2


now, as the links to bugzilla.clamav.net are public, we see, the issues 
were known to the developers since October/November 2017!
They published these changes silently as part of "beta2". They discussed 
CVEs at this time!

This is *not* amazing.

Andreas




Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Matus UHLAR - fantomas

On 26.01.2018 at 15:40, Joel Esler (jesler) wrote:

As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, 
you will need to completely uninstall it and do a fresh install with the 
production version of 0.99.3 as there are significant code differences


On 26.01.18 15:49, Reindl Harald wrote:

when i read something like this in 2018 my brain ends with a bluescreen


It's because you have forgotten to uninstall first...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm. 


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Micah Snyder (micasnyd)
Tobi,

Yup this is correct.  We are planning to get an 0.100.0 beta out next week to 
replace the old 0.99.3-beta2.

Going forwards, the last number in our version string will be reserved for 
urgent fixes so we don’t find ourselves in this position again. The 2nd number 
will be used when there are improvements and new features.

Again, sorry for the confusion in this update.


Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.



On Jan 26, 2018, at 10:06 AM, Tobi wrote:

As far as I understand the release notes of 99.3 it's a security fix which has 
nothing to do with former 99.3 beta.
The former beta now is 0.100 
(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
So at least for me it makes sense that you have to remove the beta first to 
apply fixed 99.3 version

On 26 January 2018 15:49:14 CET, Reindl Harald wrote:



Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Tobi
As far as I understand the release notes of 99.3 it's a security fix which has 
nothing to do with former 99.3 beta. 
The former beta now is 0.100 
(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
So at least for me it makes sense that you have to remove the beta first to 
apply fixed 99.3 version

On 26 January 2018 15:49:14 CET, Reindl Harald wrote:


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Joel Esler (jesler)


On Jan 26, 2018, at 9:49 AM, Reindl Harald wrote:

On 26.01.2018 at 15:40, Joel Esler (jesler) wrote:
As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, 
you will need to completely uninstall it and do a fresh install with the 
production version of 0.99.3 as there are significant code differences

when i read something like this in 2018 my brain ends with a bluescreen

This is something we debated for a couple weeks here internally and we found 
this to be the best solution.  We were stuck between a rock and a hard 
place.  Trust me, this is not the user experience I want for our users either.

--
Joel Esler
Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Reindl Harald



On 26.01.2018 at 15:40, Joel Esler (jesler) wrote:

As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, 
you will need to completely uninstall it and do a fresh install with the 
production version of 0.99.3 as there are significant code differences


when i read something like this in 2018 my brain ends with a bluescreen



[clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Joel Esler (jesler)


http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

ClamAV 0.99.3 has been released!
Join us as we welcome ClamAV 0.99.3 to the family!

As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, 
you will need to completely uninstall it and do a fresh install with the 
production version of 0.99.3 as there are significant code differences.

Also, please ensure that you read our blog post on ClamAV Version Number 
Adjustments to ensure that you are staying current with our future plans for 
releases.

This release is a security release and is recommended for all ClamAV users.  
Please see details below:

CVE-2017-12374
1. ClamAV UAF (use-after-free) Vulnerabilities

The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition on an affected device.

The vulnerability is due to a lack of input validation checking mechanisms 
during certain mail parsing operations. If successfully exploited, the ClamAV 
software could allow a variable pointing to the mail body which could cause a 
used after being free (use-after-free) instance which may lead to a disruption 
of services on an affected device to include a denial of service condition.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
https://bugzilla.clamav.net/show_bug.cgi?id=11939

CVE-2017-12375
2. ClamAV Buffer Overflow Vulnerability

The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition on an affected device.

The vulnerability is due to a lack of input validation checking mechanisms 
during certain mail parsing functions. An unauthenticated, remote attacker 
could exploit this vulnerability by sending a crafted email to the affected 
device. This action could cause a buffer overflow condition when ClamAV scans 
the malicious email, allowing the attacker to potentially cause a DoS condition 
on an affected device.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
https://bugzilla.clamav.net/show_bug.cgi?id=11940

CVE-2017-12376
3. ClamAV Buffer Overflow in handle_pdfname Vulnerability

ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition or potentially execute arbitrary code on an affected 
device.

The vulnerability is due to improper input validation checking mechanisms when 
handling Portable Document Format (.pdf) files sent to an affected device. An 
unauthenticated, remote attacker could exploit this vulnerability by sending a 
crafted .pdf file to an affected device. This action could cause a buffer 
overflow when ClamAV scans the malicious file, allowing the attacker to cause a 
DoS condition or potentially execute arbitrary code.

https://bugzilla.clamav.net/show_bug.cgi?id=11942
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-12377
4. ClamAV Mew Packet Heap Overflow Vulnerability

ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition or potentially execute arbitrary code on an affected 
device.

The vulnerability is due to improper input validation checking mechanisms in 
mew packet files sent to an affected device. A successful exploit could cause a 
heap overflow condition when ClamAV scans the malicious file, allowing the 
attacker to cause a DoS condition or potentially execute arbitrary code on the 
affected device.

https://bugzilla.clamav.net/show_bug.cgi?id=11943
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2017-12378
5. ClamAV Buffer Over Read Vulnerability

ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition on an affected device.

The vulnerability is due to improper input validation checking mechanisms of 
.tar (Tape Archive) files sent to an affected device. A successful exploit 
could cause a buffer over-read condition when ClamAV scans the malicious .tar 
file, potentially allowing the attacker to cause a DoS condition on the 
affected device.

https://bugzilla.clamav.net/show_bug.cgi?id=11946
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2017-12379
6. ClamAV Buffer Overflow in messageAddArgument Vulnerability

ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition or potentially execute arbitrary code on an affected 
device.

The vulnerability is due to improper input validation checking mechanisms in 
the message parsing function on an affected system. An unauthenticated, remote 
attacker