Mailing List Archive

The bug reporter is at < https://bugzilla.clamav.net/>, but vulnerability reports may not be publically accessible for security reasons.

The developer list may contain some of what you are looking for, but there are no forums that I’m Aware of.

Sent from my iPad

-Al-

On Aug 6, 2019, at 02:08, Henrik Hoeg Thomsen1 via clamav-users <clamav-users@lists.clamav.net> wrote:
> Does CLAMAV have a forum where Vulnerabillity findings in the firmware engine can be tracked for Compliance. ? And where fixes and recomendations can be found.

I'm also confused by what you mean by "firmware engine" and "compliance"? ClamAV doesn't reside in firmware, so are you referring to firmware vulnerabilities that impact ClamAV performance? If there are any, I have not heard about them. Is there a particular platform that you are referring to?

And with regard to compliance, is there some anti-malware standard that I'm unaware of that needs to be complied with?

Sent from my iPad

-Al-

On Aug 6, 2019, at 02:08, Henrik Hoeg Thomsen1 via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>> wrote:
> Does CLAMAV have a forum where Vulnerabillity findings in the firmware engine can be tracked for Compliance. ? And where fixes and recomendations can be found.

OP is probably looking for
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=clamav

... and something equivalent of xen-announce (the 'security advisories'
part) from https://xenproject.org/help/mailing-list/ (which doesn't exist
for clamav?)

--
Fajar

On Tue, Aug 6, 2019 at 4:42 PM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:

> I'm also confused by what you mean by "firmware engine" and "compliance"?
> ClamAV doesn't reside in firmware, so are you referring to firmware
> vulnerabilities that impact ClamAV performance? If there are any, I have
> not heard about them. Is there a particular platform that you are referring
> to?
>
> And with regard to compliance, is there some anti-malware standard that
> I'm unaware of that needs to be complied with?
>
> Sent from my iPad
>
> -Al-
>
> On Aug 6, 2019, at 02:08, Henrik Hoeg Thomsen1 via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
> Does CLAMAV have a forum where Vulnerabillity findings in the firmware
> engine can be tracked for Compliance. ? And where fixes and recomendations
> can be found.
>
>
>

>

Regarding the zip bomb vulnerability/fix, we don’t have a CVE assigned – yet. Will have one soon.

Regards,
Micah

From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of "Fajar A. Nugraha via clamav-users" <clamav-users@lists.clamav.net>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Tuesday, August 6, 2019 at 5:48 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: "Fajar A. Nugraha" <list@fajar.net>
Subject: Re: [clamav-users] Vulnerability Reporting?

OP is probably looking for http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=clamav

... and something equivalent of xen-announce (the 'security advisories' part) from https://xenproject.org/help/mailing-list/ (which doesn't exist for clamav?)

--
Fajar

On Tue, Aug 6, 2019 at 4:42 PM Al Varnell via clamav-users <clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>> wrote:
I'm also confused by what you mean by "firmware engine" and "compliance"? ClamAV doesn't reside in firmware, so are you referring to firmware vulnerabilities that impact ClamAV performance? If there are any, I have not heard about them. Is there a particular platform that you are referring to?

And with regard to compliance, is there some anti-malware standard that I'm unaware of that needs to be complied with?

Sent from my iPad

-Al-

On Aug 6, 2019, at 02:08, Henrik Hoeg Thomsen1 via clamav-users <clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>> wrote:
Does CLAMAV have a forum where Vulnerabillity findings in the firmware engine can be tracked for Compliance. ? And where fixes and recomendations can be found.

Running on SUSE sles 12 sp2 servers.


rpm -qa | grep clamav
clamav-0.100.3-33.21.1.x86_64

This is what i call the engine. The actual version af clamav proccess
active on my server.

I just want to know how to figure out if this build has known
vulnerabillities.

Like "can it be forced to crash by inserting infection patterns" or "can
it be forced to loop in a scan cycle, so scan newer completes".

And

If there is known issues. How to fix or mittigate.

---------------------------------------------------------------------------------------------------------------
Henrik H?g Thomsen
Senior IT Specialist - IBM - IPG
IBM Danmark ApS
Pr?vensvej 1
2605 Br?ndby
CVR nr.: 65305216
tlf +45 51638561 mail hht@dk.ibm.com




From: Al Varnell via clamav-users <clamav-users@lists.clamav.net>
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Al Varnell <alvarnell@mac.com>
Date: 2019/08/06 11:43
Subject: [EXTERNAL] Re: [clamav-users] Vulnerability Reporting?
Sent by: "clamav-users" <clamav-users-bounces@lists.clamav.net>



I'm also confused by what you mean by "firmware engine" and "compliance"?
ClamAV doesn't reside in firmware, so are you referring to firmware
vulnerabilities that impact ClamAV performance? If there are any, I have
not heard about them. Is there a particular platform that you are
referring to?

And with regard to compliance, is there some anti-malware standard that
I'm unaware of that needs to be complied with?

Sent from my iPad

-Al-

On Aug 6, 2019, at 02:08, Henrik Hoeg Thomsen1 via clamav-users <
clamav-users@lists.clamav.net> wrote:
Does CLAMAV have a forum where Vulnerabillity findings in the firmware
engine can be tracked for Compliance. ? And where fixes and recomendations
can be found.[attachment "smime.p7s" deleted by Henrik Hoeg
Thomsen1/Denmark/IBM]
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml



Medmindre andet er angivet ovenfor: / Unless Otherwise Stated Above:
IBM Danmark ApS
Pr?vensvej 1
2605 Br?ndby, Danmark
CVR nr.: 65305216

Well, that can take a little figuring out since the package is
maintained by SUSE. A package can receive "backports" to fix
vulnerabilities (and new features) so they don't have to update to a
new version and re-certify everything still works and won't break
other packages.

SUSE does publish info with their updates:
https://www.suse.com/support/update/announcement/2019/suse-su-20190897-1/

*Usually* package maintainers are pretty quick to publish updates for
security vulnerabilities.

> Running on SUSE sles 12 sp2 servers.
>
> rpm -qa | grep clamav
> clamav-0.100.3-33.21.1.x86_64
>
> This is what i call the engine. The actual version af clamav proccess
> active on my server.
>
> I just want to know how to figure out if this build has known
> vulnerabillities.
>
> Like "can it be forced to crash by inserting infection patterns" or "can
> it be forced to loop in a scan cycle, so scan newer completes".
>
> And If there is known issues. How to fix or mittigate.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On Tue, Aug 6, 2019 at 5:23 PM Henrik Hoeg Thomsen1 via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Running on SUSE sles 12 sp2 servers.
>
>
> rpm -qa | grep clamav
> clamav-0.100.3-33.21.1.x86_64
>
> This is what i call the engine. The actual version af clamav proccess
> active on my server.
>
> I just want to know how to figure out if this build has known
> vulnerabillities.
>
>
Short version: ask suse or whoever build your package.

The CVE page should list most recent issue first, and the linked bugzilla
will show which version has the fix.

However distros (e.g. suse, redhat) often backport security fixes, so it's
possible that your particular build already has it. The distro should have
somekind of changelog for that package. For example,
https://www.suse.com/support/update/announcement/2019/suse-su-20190897-1/

--
Fajar