Re: [clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

2021-04-14 Thread Joel Esler (jesler) via clamav-users
I understand the request.  The new key is signed with the old key already.

> On Apr 14, 2021, at 9:42 AM, Andrew C Aitchison  
> wrote:
> 
> 
> Joel,
> 
> You can add a direct link to the PGP key now as this is completely independent
> of the released packages.
> 
> Better yet would be to
> 1) Sign the new key with the old one (which doesn't actually expire until 
> Monday)
> 2) Get other (public domain) software people to sign your key.
> This assumes that you can get the key to them and the signature back
> in a way that satisfies both of you that they really came from the person
> they claim to be ...
> 
> 3) Put the key (presumably with the signatures above)
> on some of the public keyservers, eg
>  https://pgp.mit.edu/
>  https://keyserver.ubuntu.com/
> 
> If a software package is signed with an unsigned key and the key and
> the package are put on the same webserver there is no advantage to users
> over just giving an MD5 or SHA checksum - we have no way of measuring
> the trust in the key.
> By getting other known parties (including the old key's owner)
> to sign the new key, we have some idea that the new key can be trusted
> and was not put up by a malicious webmaster - possibly of a spoof website.
> 
> Thanks,
> 
> On Wed, 7 Apr 2021, Joel Esler (jesler) via clamav-users wrote:
> 
>> We’ll look into that for a future update.
>> 
>> Sent from my iPhone
>> 
>>> On Apr 7, 2021, at 16:58, Arjen de Korte via clamav-users 
>>>  wrote:
>>> 
>>> Citeren "Joel Esler (jesler) via clamav-users" 
>>> :
>>> 
>>>> It’s available on the webpage.
>>> 
>>> I already wrote that I know it is available from the website. I need to 
>>> update the stored keyring in openSUSE Factory, which needs a backlink to 
>>> the origin. Rather than downloading https://www.clamav.net/downloads and 
>>> trimming the HTML code, a straight download link for the keyfile would make 
>>> it easier to verify it.
>>> 
>> On Apr 7, 2021, at 4:29 PM, Arjen de Korte via clamav-users 
>>  wrote:
> 
> Citeren "Joel Esler (jesler) via clamav-users" 
> :
> 
> It seems the package is now signed with a different PGP key. Is there a 
> location from where I can directly download the public key, rather than 
> copying it from the webpage?
> 
> Best regards, Arjen
> 
> -- 
> Andrew C. Aitchison   Kendal, UK
>   and...@aitchison.me.uk


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

2021-04-14 Thread Andrew C Aitchison via clamav-users



Joel,

You can add a direct link to the PGP key now as this is completely independent
of the released packages.

Better yet would be to
1) Sign the new key with the old one (which doesn't actually expire until 
Monday)
2) Get other (public domain) software people to sign your key.
This assumes that you can get the key to them and the signature back
in a way that satisfies both of you that they really came from the person
they claim to be ...

3) Put the key (presumably with the signatures above)
on some of the public keyservers, eg
  https://pgp.mit.edu/
  https://keyserver.ubuntu.com/

If a software package is signed with an unsigned key and the key and
the package are put on the same webserver there is no advantage to users
over just giving an MD5 or SHA checksum - we have no way of measuring
the trust in the key.
By getting other known parties (including the old key's owner)
to sign the new key, we have some idea that the new key can be trusted
and was not put up by a malicious webmaster - possibly of a spoof website.

Thanks,

On Wed, 7 Apr 2021, Joel Esler (jesler) via clamav-users wrote:


We’ll look into that for a future update.

Sent from my iPhone


On Apr 7, 2021, at 16:58, Arjen de Korte via clamav-users 
 wrote:

Citeren "Joel Esler (jesler) via clamav-users" 
:


It’s available on the webpage.


I already wrote that I know it is available from the website. I need to update 
the stored keyring in openSUSE Factory, which needs a backlink to the origin. 
Rather than downloading https://www.clamav.net/downloads and trimming the HTML 
code, a straight download link for the keyfile would make it easier to verify 
it.


On Apr 7, 2021, at 4:29 PM, Arjen de Korte via clamav-users 
 wrote:


Citeren "Joel Esler (jesler) via clamav-users" :

It seems the package is now signed with a different PGP key. Is there a 
location from where I can directly download the public key, rather than copying 
it from the webpage?

Best regards, Arjen


--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
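As an added example (not from the thread or the ClamAV project), a shell check for the point Andrew makes: before using a newly published key to verify a release, confirm it carries a good signature from the old key. The key IDs, fingerprints and the gpg colon-format output below are constructed placeholders, not ClamAV's real key material.

```shell
#!/bin/sh
# Added example, not from the thread. Key IDs, fingerprints and the sample
# gpg output are constructed placeholders, not ClamAV's real keys.

OLD_KEYID="0123456789ABCDEF"   # placeholder: long key ID of the expiring key

# new_key_signed_by SIGNER_KEYID
#   Reads `gpg --with-colons --check-sigs <new-key>` output on stdin and
#   succeeds only if a "sig" record with status "!" (good) was made by SIGNER_KEYID.
#   Colon format: field 1 = record type, field 2 = signature status, field 5 = key ID.
new_key_signed_by() {
    awk -F: -v signer="$1" \
        '$1 == "sig" && $2 == "!" && $5 == signer { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Constructed sample of --check-sigs colon output: a new key that is
# self-signed and cross-signed by the old key.
SAMPLE='pub:u:4096:1:FEDCBA9876543210:1617840000:::u:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666FEDCBA9876543210:
uid:u::::1617840000::1111111111111111111111111111111111111111::Example Signing Key <example@example.invalid>::::::::::0:
sig:!::1:FEDCBA9876543210:1617840000::::Example Signing Key <example@example.invalid>:13x:::::2:
sig:!::1:0123456789ABCDEF:1617840100::::Old Example Key <old@example.invalid>:10x:::::2:'

# Real usage (needs the new key imported, e.g. from a keyserver or a direct
# download link; NEWKEY is its ID and TARBALL the release file):
#   gpg --with-colons --check-sigs "$NEWKEY" | new_key_signed_by "$OLD_KEYID" \
#       && gpg --verify "$TARBALL.sig" "$TARBALL"
# A good cross-signature only carries trust over from the old key; still compare
# the fingerprint with one obtained out of band.
if printf '%s\n' "$SAMPLE" | new_key_signed_by "$OLD_KEYID"; then
    echo "new key carries a good signature from $OLD_KEYID"
else
    echo "new key is NOT signed by $OLD_KEYID; do not trust it yet" >&2
fi
```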



Re: [clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

2021-04-10 Thread Joel Esler (jesler) via clamav-users
Thanks for pointing that out. We’ve corrected it with MITRE, but obviously, we 
can’t correct the news.md for now. 

— 
Sent from my iPad

> On Apr 10, 2021, at 08:14, Sergey  wrote:
> 
> On Wednesday 07 April 2021, Joel Esler (jesler) via clamav-users wrote:
> 
>> CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. Affects 
>> 0.103.0 and 0.103.1 only.
>> 
>> CVE-2021-1405: Fix for mail parser NULL-dereference crash. Affects 0.103.1 
>> and prior.
> 
> It seems you got the CVE descriptions mixed up: 1405 is about PDF (and in 
> NEWS.md).
> 
> -- 
> Regards,
> Sergey
> 




Re: [clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

2021-04-10 Thread Sergey
On Wednesday 07 April 2021, Joel Esler (jesler) via clamav-users wrote:

> CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. Affects 
> 0.103.0 and 0.103.1 only.
> 
> CVE-2021-1405: Fix for mail parser NULL-dereference crash. Affects 0.103.1 
> and prior.
 
It seems you got the CVE descriptions mixed up: 1405 is about PDF (and in 
NEWS.md).

-- 
Regards,
Sergey



Re: [clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

2021-04-07 Thread Joel Esler (jesler) via clamav-users
We’ll look into that for a future update.  

Sent from my iPhone

> On Apr 7, 2021, at 16:58, Arjen de Korte via clamav-users 
>  wrote:
> 
> Citeren "Joel Esler (jesler) via clamav-users" 
> :
> 
>> It’s available on the webpage.
> 
> I already wrote that I know it is available from the website. I need to 
> update the stored keyring in openSUSE Factory, which needs a backlink to the 
> origin. Rather than downloading https://www.clamav.net/downloads and trimming 
> the HTML code, a straight download link for the keyfile would make it easier 
> to verify it.
> 
>> On Apr 7, 2021, at 4:29 PM, Arjen de Korte via clamav-users 
>>  wrote:
>>> 
>>> Citeren "Joel Esler (jesler) via clamav-users" 
>>> :
>>> 
>>> It seems the package is now signed with a different PGP key. Is there a 
>>> location from where I can directly download the public key, rather than 
>>> copying it from the webpage?
>>> 
>>> Best regards, Arjen
>>> 


Re: [clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

2021-04-07 Thread Arjen de Korte via clamav-users
Citeren "Joel Esler (jesler) via clamav-users"  
:



It’s available on the webpage.


I already wrote that I know it is available from the website. I need  
to update the stored keyring in openSUSE Factory, which needs a  
backlink to the origin. Rather than downloading  
https://www.clamav.net/downloads and trimming the HTML code, a  
straight download link for the keyfile would make it easier to verify  
it.


On Apr 7, 2021, at 4:29 PM, Arjen de Korte via clamav-users  
 wrote:


Citeren "Joel Esler (jesler) via clamav-users"  
:


It seems the package is now signed with a different PGP key. Is  
there a location from where I can directly download the public key,  
rather than copying it from the webpage?


Best regards, Arjen




Re: [clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

2021-04-07 Thread Joel Esler (jesler) via clamav-users
It’s available on the webpage.

> On Apr 7, 2021, at 4:29 PM, Arjen de Korte via clamav-users 
>  wrote:
> 
> Citeren "Joel Esler (jesler) via clamav-users" 
> :
> 
> It seems the package is now signed with a different PGP key. Is there a 
> location from where I can directly download the public key, rather than 
> copying it from the webpage?
> 
> Best regards, Arjen
> 
> 


Re: [clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

2021-04-07 Thread Arjen de Korte via clamav-users
Citeren "Joel Esler (jesler) via clamav-users"  
:


It seems the package is now signed with a different PGP key. Is there  
a location from where I can directly download the public key, rather  
than copying it from the webpage?


Best regards, Arjen




[clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

2021-04-07 Thread Joel Esler (jesler) via clamav-users

> 
> https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html 
> 
> 
> ClamAV 0.103.2 security patch release
> 
> Wednesday, April 7, 2021
> 
> ClamAV 0.103.2 is out now. Users can head over to clamav.net/downloads 
> to download the release materials.
> 
> ClamAV 0.103.2 is a security patch release with the following fixes:
> 
> CVE-2021-1386: Fix for UnRAR DLL load privilege escalation. Affects 0.103.1 
> and prior on Windows only.
> 
> CVE-2021-1252: Fix for Excel XLM parser infinite loop. Affects 0.103.0 and 
> 0.103.1 only.
> 
> CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. Affects 
> 0.103.0 and 0.103.1 only.
> 
> CVE-2021-1405: Fix for mail parser NULL-dereference crash. Affects 0.103.1 
> and prior.
> 
> Fix possible memory leak in PNG parser.
> 
> Fix ClamOnAcc scan on file-creation race condition so files are scanned after 
> their contents are written.
> 
> FreshClam: Deprecate the SafeBrowsing config option. The SafeBrowsing option 
> will no longer do anything.
> 
> For more details, see our blog post from last year about the future of the 
> ClamAV Safe Browsing database.
> 
> Tip: If creating and hosting your own safebrowsing.gdb database, you can use 
> the DatabaseCustomURL option in freshclam.conf to download it.
> 
> FreshClam: Improved HTTP 304, 403, & 429 handling.
> 
> FreshClam: Added back the mirrors.dat file to the database directory.
> 
> This new mirrors.dat file will store:
> A randomly generated UUID for the FreshClam User-Agent.
> A retry-after timestamp so that FreshClam won't try to update after having 
> received an HTTP 429 response until the Retry-After timeout has expired.
> 
> FreshClam will now exit with a failure in daemon mode if an HTTP 403 
> (Forbidden) was received, because retrying later won't help any. The 
> FreshClam user will have to take actions to get unblocked.
> 
> Fix the FreshClam mirror-sync issue where a downloaded database is "older 
> than the version advertised."
> 
> If a new CVD download gets a version that is older than advertised, FreshClam 
> will keep the older version and retry the update so that the incremental 
> update process (CDIFF patch process) will update to the latest version.

