Chris, Al,
I think the CVE description is slightly misleading. 0.100.3 was created at the same time as 0.101.2 and addressed each of those:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
However, these issues affect all versions prior to 0.101.4, as we did not create a patch for 0.100 this time:
* CVE-2019-12625: zip-bomb scan time issue.
* CVE-2019-12900: bz2 buffer overwrite in NSIS parser's copy of libbz2 decompression code.
And this issue affects all versions prior to 0.101.3:
* CVE-2019-1010305: libmspack buffer overflow in CHM file parser in bundled version of libmspack (if using).
This is still reason enough to update.
As a side note, CVE-2019-12625 is still private though it was supposed to be published yesterday. Will get it opened up as soon as possible.
-Micah
On 8/22/19, 8:54 PM, "clamav-users on behalf of Chris Pollock via clamav-users" <clamav-users-bounces@lists.clamav.net on behalf of clamav-users@lists.clamav.net> wrote:
On Thu, 2019-08-22 at 17:46 -0700, Al Varnell via clamav-users wrote:
> Yes, I'm sorry, I was thinking of 0.101.3 when I said that.
>
> -Al-
>
No problem, so, I can reference these to hopefully get an update built
for 18.04. I'll file a bug report tomorrow some time.
Thanks Al.
> On Thu, Aug 22, 2019 at 17:37 PM, Chris Pollock via clamav-users
> wrote:
> > On Thu, 2019-08-22 at 16:58 -0700, Al Varnell via clamav-users
> > wrote:
> > > I don't see anything specifying 0.100.3 yet: <
> > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=clamav>.
> > >
> > > -Al-
> > > ClamXAV user
> >
> > Thanks Al, maybe I'm reading the listing wrong but these
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1798
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1788
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1787
> >
> > refer to Clam AntiVirus (ClamAV) Software versions 0.101.1 and
> > prior.
> > Wouldn't 0.100.3 fit into those parameters?
> >
> > > On Aug 22, 2019, at 14:12, Chris Pollock via clamav-users <
> > > clamav-users@lists.clamav.net> wrote:
> > > > The most current version is ClamAV 0.100.3 for Ubuntu 18.04.3 LTS.
> > > > Is there a list of CVEs that I can reference in a bug report to try
> > > > and get ClamAV updated to the latest version?
> > > >
> > > > Thank you
> > > > Chris
> > > >
> > > > --
> > > > Chris
> > >
> > > _______________________________________________
> > >
> > > clamav-users mailing list
> > > clamav-users@lists.clamav.net
> > > https://lists.clamav.net/mailman/listinfo/clamav-users
> > >
> > >
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml
--
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
19:52:06 up 9 days, 11:09, 1 user, load average: 1.74, 1.27, 0.98
Description: Ubuntu 18.04.3 LTS, kernel 5.0.0-25-generic