Re: [clamav-users] ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL

2022-01-16 Thread Paul Kosinski via clamav-users
On Wed, 12 Jan 2022 20:12:42 +
"Micah Snyder (micasnyd) via clamav-users" wrote:

> Find this announcement online at: 
> https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html
> 
> 
> ClamAV versions 0.103.5 and 0.104.2 are now available for download on the 
> clamav.net Downloads page.
>


Since 0.103.x is supposed to be a Long Term Support Release, 0.103.5 shouldn't 
be hidden under "Previous Stable Releases" along with myriad versions that are 
End Of Life (and beyond).

It was surprisingly hard to find. I went to the Downloads page (above) and went 
back and forth among the alternatives, finally deciding that "Previous Stable 
Releases" was the only remaining hope.

There should be a separate category for Long Term Support source files, 
preferably right after "The latest stable release is: ...".

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL

2022-01-13 Thread Jaspal Singh Sandhu via clamav-users
Awesome

On Thu, Jan 13, 2022 at 10:31 AM Micah Snyder (micasnyd) 
wrote:

> Hi Jaspal,
>
> There was an issue with the release steps and the Docker image was missed
> yesterday.
> It has been fixed and the 0.104.2 image is now up on Docker Hub.
>
> 0.104.2:
> https://registry.hub.docker.com/layers/clamav/clamav/0.104.2/images/sha256-7177e1771bd696f9ff5acb97221107ab7d8961b1ab3b370cd1e24bf66cf02fe1?context=explore
>
> 0.104.2_base:
> https://registry.hub.docker.com/layers/clamav/clamav/0.104.2_base/images/sha256-8aea3e0f684f50402bd10456045eb3a3ad2772ecda99739100da9345b068e25c?context=explore
>
> The 0.104 / 0.104_base and latest / latest_base tags also point to the
> same 0.104.2 and 0.104.2_base images.
>
> Thanks for pointing out the issue!  Please reach out again if there is
> anything else.
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> --
> *From:* Jaspal Singh Sandhu 
> *Sent:* Thursday, January 13, 2022 9:13 AM
> *To:* ClamAV users ML 
> *Cc:* ClamAV Announcements ML ; ClamAV
> Development ; Micah Snyder (micasnyd) <
> micas...@cisco.com>
> *Subject:* Re: [clamav-users] ClamAV 0.103.5 and 0.104.2 security patch
> release; 0.102 past EOL
>
> Hi,
>
> We are using Docker Image for 1.104 version at Roberthalf  Is that image
> updated too with this patch?
> Thanks,
>
> Jaspal  Sandhu
>
>

Re: [clamav-users] ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL

2022-01-13 Thread Micah Snyder (micasnyd) via clamav-users
Hi Jaspal,

There was an issue with the release steps and the Docker image was missed 
yesterday.
It has been fixed and the 0.104.2 image is now up on Docker Hub.

0.104.2: 
https://registry.hub.docker.com/layers/clamav/clamav/0.104.2/images/sha256-7177e1771bd696f9ff5acb97221107ab7d8961b1ab3b370cd1e24bf66cf02fe1?context=explore

0.104.2_base: 
https://registry.hub.docker.com/layers/clamav/clamav/0.104.2_base/images/sha256-8aea3e0f684f50402bd10456045eb3a3ad2772ecda99739100da9345b068e25c?context=explore

The 0.104 / 0.104_base and latest / latest_base tags also point to the same 
0.104.2 and 0.104.2_base images.

Thanks for pointing out the issue!  Please reach out again if there is anything 
else.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: Jaspal Singh Sandhu
Sent: Thursday, January 13, 2022 9:13 AM
To: ClamAV users ML
Cc: ClamAV Announcements ML; ClamAV Development; Micah Snyder (micasnyd)
Subject: Re: [clamav-users] ClamAV 0.103.5 and 0.104.2 security patch release; 
0.102 past EOL

Hi,

We are using Docker Image for 1.104 version at Roberthalf  Is that image 
updated too with this patch?
Thanks,

Jaspal  Sandhu


On Wed, Jan 12, 2022 at 12:13 PM Micah Snyder (micasnyd) via clamav-users 
<clamav-users@lists.clamav.net> wrote:
Find this announcement online at: 
https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html


ClamAV versions 0.103.5 and 0.104.2 are now available for download on the 
clamav.net Downloads page<https://www.clamav.net/downloads>.


We would also like to take this opportunity to remind users that versions 0.102 
and 0.101 have reached their end-of-life period. These versions exceeded our 
EOL dates on Jan. 3, 2022 and will soon be actively blocked from downloading 
signature database updates.


For additional details about ClamAV's end-of-life policy, please see our online 
documentation<https://docs.clamav.net/faq/faq-eol.html>.


0.103.5

ClamAV 0.103.5 is a critical patch release with the following fixes:

  *   CVE-2022-20698<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>:
Fix for invalid pointer read that may cause a crash. This issue affects 
0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the 
CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) 
is enabled.

Cisco would like to thank Laurent Delosieres of ManoMano for reporting this 
vulnerability.

  *   Fixed ability to disable the file size limit with libclamav C API, like 
this:

  cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);

This issue didn't affect ClamD or ClamScan which also can disable the limit by 
setting it to zero using MaxFileSize 0 in clamd.conf for ClamD, or clamscan 
--max-filesize=0 for ClamScan.

Note: Internally, the max file size is still set to 2 GiB. Disabling the limit 
for a scan will fall back on the internal 2 GiB limitation.

  *   Increased the maximum line length for ClamAV config files from 512 bytes 
to 1,024 bytes to allow for longer config option strings.

  *   SigTool: Fix insufficient buffer size for --list-sigs that caused a 
failure when listing a database containing one or more very long signatures. 
This fix was backported from 0.104.

Special thanks to the following for code contributions and bug reports:

  *   Laurent Delosieres

0.104.2

ClamAV 0.104.2 is a critical patch release with the following fixes:

  *   CVE-2022-20698<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>:
Fix for invalid pointer read that may cause a crash. Affects 0.104.1, 0.103.4 
and prior when ClamAV is compiled with libjson-c and the 
CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) 
is enabled.

Cisco would like to thank Laurent Delosieres of ManoMano for reporting this 
vulnerability.

  *   Fixed ability to disable the file size limit with libclamav C API, like 
this:

  cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);

This issue didn't impact ClamD or ClamScan which also can disable the limit by 
setting it to zero using MaxFileSize 0 in clamd.conf for ClamD, or clamscan 
--max-filesize=0 for ClamScan.

Note: Internally, the max file size is still set to 2 GiB. Disabling the limit 
for a scan will fall back on the internal 2 GiB limitation.

  *   Increased the maximum line length for ClamAV config files from 512 bytes 
to 1,024 bytes to allow for longer config option strings.

Special thanks to the following for code contributions and bug reports:

  *   Laurent Delosieres


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


Re: [clamav-users] ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL

2022-01-13 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 13 Jan 2022, Jaspal Singh Sandhu via clamav-users wrote:


> We are using Docker Image for 1.104 version at Roberthalf  Is that image
> updated too with this patch?


I'm not familiar with the image you mention, do you have a pointer to
it for me?

I'd have thought you'd get better information from the providers of
the image, it must be difficult for the Sourcefire people to keep up
to speed with the many copies and derivatives of ClamAV.

--

73,
Ged.



Re: [clamav-users] ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL

2022-01-13 Thread Jaspal Singh Sandhu via clamav-users
Hi,

We are using Docker Image for 1.104 version at Roberthalf  Is that image
updated too with this patch?
Thanks,

Jaspal  Sandhu




[clamav-users] ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL

2022-01-12 Thread Micah Snyder (micasnyd) via clamav-users
Find this announcement online at: 
https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html


ClamAV versions 0.103.5 and 0.104.2 are now available for download on the 
clamav.net Downloads page.


We would also like to take this opportunity to remind users that versions 0.102 
and 0.101 have reached their end-of-life period. These versions exceeded our 
EOL dates on Jan. 3, 2022 and will soon be actively blocked from downloading 
signature database updates.


For additional details about ClamAV's end-of-life policy, please see our online 
documentation.


0.103.5

ClamAV 0.103.5 is a critical patch release with the following fixes:

  *   CVE-2022-20698: Fix for invalid pointer read that may cause a crash. This 
issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c 
and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json 
option) is enabled.

Cisco would like to thank Laurent Delosieres of ManoMano for reporting this 
vulnerability.

  *   Fixed ability to disable the file size limit with libclamav C API, like 
this:

  cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);

This issue didn't affect ClamD or ClamScan which also can disable the limit by 
setting it to zero using MaxFileSize 0 in clamd.conf for ClamD, or clamscan 
--max-filesize=0 for ClamScan.

Note: Internally, the max file size is still set to 2 GiB. Disabling the limit 
for a scan will fall back on the internal 2 GiB limitation.

  *   Increased the maximum line length for ClamAV config files from 512 bytes 
to 1,024 bytes to allow for longer config option strings.

  *   SigTool: Fix insufficient buffer size for --list-sigs that caused a 
failure when listing a database containing one or more very long signatures. 
This fix was backported from 0.104.

Special thanks to the following for code contributions and bug reports:

  *   Laurent Delosieres

0.104.2

ClamAV 0.104.2 is a critical patch release with the following fixes:

  *   CVE-2022-20698: Fix for invalid pointer read that may cause a crash. 
Affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and 
the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json 
option) is enabled.

Cisco would like to thank Laurent Delosieres of ManoMano for reporting this 
vulnerability.

  *   Fixed ability to disable the file size limit with libclamav C API, like 
this:

  cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);

This issue didn't impact ClamD or ClamScan which also can disable the limit by 
setting it to zero using MaxFileSize 0 in clamd.conf for ClamD, or clamscan 
--max-filesize=0 for ClamScan.

Note: Internally, the max file size is still set to 2 GiB. Disabling the limit 
for a scan will fall back on the internal 2 GiB limitation.

  *   Increased the maximum line length for ClamAV config files from 512 bytes 
to 1,024 bytes to allow for longer config option strings.

Special thanks to the following for code contributions and bug reports:

  *   Laurent Delosieres


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
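
A version triage against the ranges stated in the announcement above, as an added example that is not part of the original post or the ClamAV project's code. The function names, status words and sample banners are constructed; it assumes the `ClamAV <version>/<db>/<date>` banner printed by `clamscan --version` and treats releases older than 0.101 like the two EOL branches the announcement names.

```shell
#!/bin/sh
# Added example: triage a ClamAV install against the 0.103.5 / 0.104.2
# announcement. Banners below are constructed samples, not real hosts.

# "ClamAV 0.103.4/26420/Wed Jan 12 09:24:21 2022" -> "0.103.4"
clamav_version() {
    v=${1#ClamAV }
    printf '%s\n' "${v%%/*}"
}

# Prints: eol | affected | patched | newer | unknown
classify_version() {
    ver=$(clamav_version "$1")
    case $ver in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=$1; minor=$2; patch=${3:-0}
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo unknown
    elif [ "$major" -gt 0 ] || [ "$minor" -gt 104 ]; then
        echo newer      # later than the releases the announcement covers
    elif [ "$minor" -le 102 ]; then
        echo eol        # 0.102 and 0.101 are named; older treated alike (assumption)
    elif [ "$minor" -eq 103 ] && [ "$patch" -ge 5 ]; then
        echo patched
    elif [ "$minor" -eq 104 ] && [ "$patch" -ge 2 ]; then
        echo patched
    else
        echo affected   # 0.103.0-0.103.4 and 0.104.0-0.104.1
    fi
}

# $1 = version banner, $2 = scan command line in use.
# The libjson-c build condition from the advisory is not checked here.
cve_2022_20698_status() {
    state=$(classify_version "$1")
    case $state in
        eol|affected)
            case " $2 " in
                *" --gen-json "*|*" --gen-json=yes "*) echo exposed ;;
                *) echo upgrade-needed ;;
            esac ;;
        *) echo "$state" ;;
    esac
}

# Constructed sample inventory: "banner|command line"
while IFS='|' read -r banner cmd; do
    printf '%-16s %s\n' "$(cve_2022_20698_status "$banner" "$cmd")" "$banner"
done <<'EOF'
ClamAV 0.103.4/26420/Wed Jan 12 09:24:21 2022|clamscan -r --gen-json /srv/upload
ClamAV 0.104.1/26420/Wed Jan 12 09:24:21 2022|clamscan -r /srv/upload
ClamAV 0.102.4/26420/Wed Jan 12 09:24:21 2022|clamscan -r /srv/upload
ClamAV 0.104.2/26420/Wed Jan 12 09:24:21 2022|clamscan -r --gen-json /srv/upload
EOF
```

`exposed` means an unpatched version is being run with metadata collection on; `upgrade-needed` means the version is unpatched or EOL but the `--gen-json` trigger is absent from the given command line.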
