Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. ClamAV>
  3. users
ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL
clamav-users at lists
Jan 12, 2022, 12:12 PM
Post #1 of 6 (742 views)
Permalink
Find this announcement online at: https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html


ClamAV versions 0.103.5 and 0.104.2 are now available for download on the clamav.net Downloads page<https://www.clamav.net/downloads>.


We would also like to take this opportunity to remind users that versions 0.102 and 0.101 have reached their end-of-life period. These versions exceeded our EOL dates on Jan. 3, 2022 and will soon be actively blocked from downloading signature database updates.


For additional details about ClamAV's end-of-life policy, please see our online documentation<https://docs.clamav.net/faq/faq-eol.html>.


0.103.5

ClamAV 0.103.5 is a critical patch release with the following fixes:

* CVE-2022-20698<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>: Fix for invalid pointer read that may cause a crash. This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) is enabled.

Cisco would like to thank Laurent Delosieres of ManoMano for reporting this vulnerability.

* Fixed ability to disable the file size limit with libclamav C API, like this:

cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);

This issue didn't affect ClamD or ClamScan which also can disable the limit by setting it to zero using MaxFileSize 0 in clamd.conf for ClamD, or clamscan --max-filesize=0 for ClamScan.

Note: Internally, the max file size is still set to 2 GiB. Disabling the limit for a scan will fall back on the internal 2 GiB limitation.

* Increased the maximum line length for ClamAV config files from 512 bytes to 1,024 bytes to allow for longer config option strings.

* SigTool: Fix insufficient buffer size for --list-sigs that caused a failure when listing a database containing one or more very long signatures. This fix was backported from 0.104.

Special thanks to the following for code contributions and bug reports:

* Laurent Delosieres

0.104.2

ClamAV 0.104.2 is a critical patch release with the following fixes:

* CVE-2022-20698<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>: Fix for invalid pointer read that may cause a crash. Affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) is enabled.

Cisco would like to thank Laurent Delosieres of ManoMano for reporting this vulnerability.

* Fixed ability to disable the file size limit with libclamav C API, like this:

cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);

This issue didn't impact ClamD or ClamScan which also can disable the limit by setting it to zero using MaxFileSize 0 in clamd.conf for ClamD, or clamscan --max-filesize=0 for ClamScan.

Note: Internally, the max file size is still set to 2 GiB. Disabling the limit for a scan will fall back on the internal 2 GiB limitation.

* Increased the maximum line length for ClamAV config files from 512 bytes to 1,024 bytes to allow for longer config option strings.

Special thanks to the following for code contributions and bug reports:

* Laurent Delosieres


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
Re: ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL [ In reply to ]
clamav-users at lists
Jan 13, 2022, 9:13 AM
Post #2 of 6 (742 views)
Permalink
Hi,

We are using Docker Image for 1.104 version at Roberthalf Is that image
updated too with this patch?
Thanks,

Jaspal Sandhu


On Wed, Jan 12, 2022 at 12:13 PM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Find this announcement online at:
> https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html
>
>
> ClamAV versions 0.103.5 and 0.104.2 are now available for download on the clamav.net
> Downloads page <https://www.clamav.net/downloads>.
>
>
> We would also like to take this opportunity to remind users that versions
> 0.102 and 0.101 have reached their end-of-life period. *These versions
> exceeded our EOL dates on Jan. 3, 2022 and will soon be actively blocked
> from downloading signature database updates.*
>
>
> For additional details about ClamAV's end-of-life policy, please see our
> online documentation <https://docs.clamav.net/faq/faq-eol.html>.
>
>
> 0.103.5
>
> ClamAV 0.103.5 is a critical patch release with the following fixes:
>
> -
>
> CVE-2022-20698
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>: Fix
> for invalid pointer read that may cause a crash. This issue affects
> 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the
> CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json
> option) is enabled.
>
> Cisco would like to thank Laurent Delosieres of ManoMano for reporting
> this vulnerability.
> -
>
> Fixed ability to disable the file size limit with libclamav C API,
> like this:
>
> cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);
>
> This issue didn't affect ClamD or ClamScan which also can disable the
> limit by setting it to zero using MaxFileSize 0 in clamd.conf for
> ClamD, or clamscan --max-filesize=0 for ClamScan.
>
> Note: Internally, the max file size is still set to 2 GiB. Disabling
> the limit for a scan will fall back on the internal 2 GiB limitation.
> -
>
> Increased the maximum line length for ClamAV config files from 512
> bytes to 1,024 bytes to allow for longer config option strings.
> -
>
> SigTool: Fix insufficient buffer size for --list-sigs that caused a
> failure when listing a database containing one or more very long
> signatures. This fix was backported from 0.104.
>
> Special thanks to the following for code contributions and bug reports:
>
> - Laurent Delosieres
>
> 0.104.2
>
> ClamAV 0.104.2 is a critical patch release with the following fixes:
>
> -
>
> CVE-2022-20698
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>: Fix
> for invalid pointer read that may cause a crash. Affects 0.104.1, 0.103.4
> and prior when ClamAV is compiled with libjson-c and the
> CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json
> option) is enabled.
>
> Cisco would like to thank Laurent Delosieres of ManoMano for reporting
> this vulnerability.
> -
>
> Fixed ability to disable the file size limit with libclamav C API,
> like this:
>
> cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);
>
> This issue didn't impact ClamD or ClamScan which also can disable the
> limit by setting it to zero using MaxFileSize 0 in clamd.conf for
> ClamD, or clamscan --max-filesize=0 for ClamScan.
>
> Note: Internally, the max file size is still set to 2 GiB. Disabling
> the limit for a scan will fall back on the internal 2 GiB limitation.
> -
>
> Increased the maximum line length for ClamAV config files from 512
> bytes to 1,024 bytes to allow for longer config option strings.
>
> Special thanks to the following for code contributions and bug reports:
>
> - Laurent Delosieres
>
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
Re: ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL [ In reply to ]
clamav-users at lists
Jan 13, 2022, 9:48 AM
Post #3 of 6 (742 views)
Permalink
Hi there,

On Thu, 13 Jan 2022, Jaspal Singh Sandhu via clamav-users wrote:

> We are using Docker Image for 1.104 version at Roberthalf Is that image
> updated too with this patch?

I'm not familiar with the image you mention, do you have a pointer to
it for me?

I'd have thought you'd get better information from the providers of
the image, it must be difficult for the Sourcefire people to keep up
to speed with the many copies and derivatives of ClamAV.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL [ In reply to ]
clamav-users at lists
Jan 13, 2022, 10:30 AM
Post #4 of 6 (742 views)
Permalink
Hi Jaspal,

There was an issue with the release steps and the Docker image was missed yesterday.
It has been fixed and the 0.104.2 image is now up on Docker Hub.

0.104.2: https://registry.hub.docker.com/layers/clamav/clamav/0.104.2/images/sha256-7177e1771bd696f9ff5acb97221107ab7d8961b1ab3b370cd1e24bf66cf02fe1?context=explore

0.104.2_base: https://registry.hub.docker.com/layers/clamav/clamav/0.104.2_base/images/sha256-8aea3e0f684f50402bd10456045eb3a3ad2772ecda99739100da9345b068e25c?context=explore

The 0.104 / 0.104_base and latest / latest_base tags also point to the same 0.104.2 and 0.104.2_base images.

Thanks for pointing out the issue! Please reach out again if there is anything else.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: Jaspal Singh Sandhu <jsandhu2204@gmail.com>
Sent: Thursday, January 13, 2022 9:13 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: ClamAV Announcements ML <clamav-announce@lists.clamav.net>; ClamAV Development <clamav-devel@lists.clamav.net>; Micah Snyder (micasnyd) <micasnyd@cisco.com>
Subject: Re: [clamav-users] ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL

Hi,

We are using Docker Image for 1.104 version at Roberthalf Is that image updated too with this patch?
Thanks,

Jaspal Sandhu


On Wed, Jan 12, 2022 at 12:13 PM Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>> wrote:
Find this announcement online at: https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html


ClamAV versions 0.103.5 and 0.104.2 are now available for download on the clamav.net Downloads page<https://www.clamav.net/downloads>.


We would also like to take this opportunity to remind users that versions 0.102 and 0.101 have reached their end-of-life period. These versions exceeded our EOL dates on Jan. 3, 2022 and will soon be actively blocked from downloading signature database updates.


For additional details about ClamAV's end-of-life policy, please see our online documentation<https://docs.clamav.net/faq/faq-eol.html>.


0.103.5

ClamAV 0.103.5 is a critical patch release with the following fixes:

* CVE-2022-20698<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>: Fix for invalid pointer read that may cause a crash. This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) is enabled.

Cisco would like to thank Laurent Delosieres of ManoMano for reporting this vulnerability.

* Fixed ability to disable the file size limit with libclamav C API, like this:

cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);

This issue didn't affect ClamD or ClamScan which also can disable the limit by setting it to zero using MaxFileSize 0 in clamd.conf for ClamD, or clamscan --max-filesize=0 for ClamScan.

Note: Internally, the max file size is still set to 2 GiB. Disabling the limit for a scan will fall back on the internal 2 GiB limitation.

* Increased the maximum line length for ClamAV config files from 512 bytes to 1,024 bytes to allow for longer config option strings.

* SigTool: Fix insufficient buffer size for --list-sigs that caused a failure when listing a database containing one or more very long signatures. This fix was backported from 0.104.

Special thanks to the following for code contributions and bug reports:

* Laurent Delosieres

0.104.2

ClamAV 0.104.2 is a critical patch release with the following fixes:

* CVE-2022-20698<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>: Fix for invalid pointer read that may cause a crash. Affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) is enabled.

Cisco would like to thank Laurent Delosieres of ManoMano for reporting this vulnerability.

* Fixed ability to disable the file size limit with libclamav C API, like this:

cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);

This issue didn't impact ClamD or ClamScan which also can disable the limit by setting it to zero using MaxFileSize 0 in clamd.conf for ClamD, or clamscan --max-filesize=0 for ClamScan.

Note: Internally, the max file size is still set to 2 GiB. Disabling the limit for a scan will fall back on the internal 2 GiB limitation.

* Increased the maximum line length for ClamAV config files from 512 bytes to 1,024 bytes to allow for longer config option strings.

Special thanks to the following for code contributions and bug reports:

* Laurent Delosieres


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL [ In reply to ]
clamav-users at lists
Jan 13, 2022, 11:01 AM
Post #5 of 6 (742 views)
Permalink
Awesome

On Thu, Jan 13, 2022 at 10:31 AM Micah Snyder (micasnyd) <micasnyd@cisco.com>
wrote:

> Hi Jaspal,
>
> There was an issue with the release steps and the Docker image was missed
> yesterday.
> It has been fixed and the 0.104.2 image is now up on Docker Hub.
>
> 0.104.2:
> https://registry.hub.docker.com/layers/clamav/clamav/0.104.2/images/sha256-7177e1771bd696f9ff5acb97221107ab7d8961b1ab3b370cd1e24bf66cf02fe1?context=explore
>
> 0.104.2_base:
> https://registry.hub.docker.com/layers/clamav/clamav/0.104.2_base/images/sha256-8aea3e0f684f50402bd10456045eb3a3ad2772ecda99739100da9345b068e25c?context=explore
>
> The 0.104 / 0.104_base and latest / latest_base tags also point to the
> same 0.104.2 and 0.104.2_base images.
>
> Thanks for pointing out the issue! Please reach out again if there is
> anything else.
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> ------------------------------
> *From:* Jaspal Singh Sandhu <jsandhu2204@gmail.com>
> *Sent:* Thursday, January 13, 2022 9:13 AM
> *To:* ClamAV users ML <clamav-users@lists.clamav.net>
> *Cc:* ClamAV Announcements ML <clamav-announce@lists.clamav.net>; ClamAV
> Development <clamav-devel@lists.clamav.net>; Micah Snyder (micasnyd) <
> micasnyd@cisco.com>
> *Subject:* Re: [clamav-users] ClamAV 0.103.5 and 0.104.2 security patch
> release; 0.102 past EOL
>
> Hi,
>
> We are using Docker Image for 1.104 version at Roberthalf Is that image
> updated too with this patch?
> Thanks,
>
> Jaspal Sandhu
>
>
> On Wed, Jan 12, 2022 at 12:13 PM Micah Snyder (micasnyd) via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
> Find this announcement online at:
> https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html
>
>
> ClamAV versions 0.103.5 and 0.104.2 are now available for download on the clamav.net
> Downloads page <https://www.clamav.net/downloads>.
>
>
> We would also like to take this opportunity to remind users that versions
> 0.102 and 0.101 have reached their end-of-life period. *These versions
> exceeded our EOL dates on Jan. 3, 2022 and will soon be actively blocked
> from downloading signature database updates.*
>
>
> For additional details about ClamAV's end-of-life policy, please see our
> online documentation <https://docs.clamav.net/faq/faq-eol.html>.
>
>
> 0.103.5
>
> ClamAV 0.103.5 is a critical patch release with the following fixes:
>
> -
>
> CVE-2022-20698
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>: Fix
> for invalid pointer read that may cause a crash. This issue affects
> 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the
> CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json
> option) is enabled.
>
> Cisco would like to thank Laurent Delosieres of ManoMano for reporting
> this vulnerability.
> -
>
> Fixed ability to disable the file size limit with libclamav C API,
> like this:
>
> cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);
>
> This issue didn't affect ClamD or ClamScan which also can disable the
> limit by setting it to zero using MaxFileSize 0 in clamd.conf for
> ClamD, or clamscan --max-filesize=0 for ClamScan.
>
> Note: Internally, the max file size is still set to 2 GiB. Disabling
> the limit for a scan will fall back on the internal 2 GiB limitation.
> -
>
> Increased the maximum line length for ClamAV config files from 512
> bytes to 1,024 bytes to allow for longer config option strings.
> -
>
> SigTool: Fix insufficient buffer size for --list-sigs that caused a
> failure when listing a database containing one or more very long
> signatures. This fix was backported from 0.104.
>
> Special thanks to the following for code contributions and bug reports:
>
> - Laurent Delosieres
>
> 0.104.2
>
> ClamAV 0.104.2 is a critical patch release with the following fixes:
>
> -
>
> CVE-2022-20698
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>: Fix
> for invalid pointer read that may cause a crash. Affects 0.104.1, 0.103.4
> and prior when ClamAV is compiled with libjson-c and the
> CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json
> option) is enabled.
>
> Cisco would like to thank Laurent Delosieres of ManoMano for reporting
> this vulnerability.
> -
>
> Fixed ability to disable the file size limit with libclamav C API,
> like this:
>
> cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);
>
> This issue didn't impact ClamD or ClamScan which also can disable the
> limit by setting it to zero using MaxFileSize 0 in clamd.conf for
> ClamD, or clamscan --max-filesize=0 for ClamScan.
>
> Note: Internally, the max file size is still set to 2 GiB. Disabling
> the limit for a scan will fall back on the internal 2 GiB limitation.
> -
>
> Increased the maximum line length for ClamAV config files from 512
> bytes to 1,024 bytes to allow for longer config option strings.
>
> Special thanks to the following for code contributions and bug reports:
>
> - Laurent Delosieres
>
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
> --
Thanks,

Jaspal Sandhu
Re: ClamAV 0.103.5 and 0.104.2 security patch release; 0.102 past EOL [ In reply to ]
clamav-users at lists
Jan 16, 2022, 7:35 PM
Post #6 of 6 (741 views)
Permalink
On Wed, 12 Jan 2022 20:12:42 +0000
"Micah Snyder \(micasnyd\) via clamav-users" <clamav-users@lists.clamav.net> wrote:

> Find this announcement online at: https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html
>
>
> ClamAV versions 0.103.5 and 0.104.2 are now available for download on the clamav.net Downloads page<https://www.clamav.net/downloads>.
>

=========================================

Since 0.103.x is supposed to be a Long Term Support Release, 0.103.5 shouldn't be hidden under "Previous Stable Releases" along with myriad versions that are End Of Life (and beyond).

It was surprisingly hard find. I went to the Downloads page (above) and went back and forth among the alternatives, finally deciding that "Previous Stable Releases" was the only remaining hope.

There should be a separate category for Long Term Support source files, preferably right after "The latest stable release is: ...".

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal