Skip to content

ClamAV 1.3.2

Compare
Choose a tag to compare
@micahsnyder micahsnyder released this 04 Sep 15:52
· 129 commits to main since this release
4abd96a

ClamAV 1.3.2 is a patch release with the following fixes:

  • CVE-2024-20506:
    Changed the logging module to disable following symlinks on Linux and Unix
    systems so as to prevent an attacker with existing access to the 'clamd' or
    'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505:
    Fixed a possible out-of-bounds read bug in the PDF file parser that could
    cause a denial-of-service (DoS) condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • Removed unused Python modules from freshclam tests including deprecated
    'cgi' module that is expected to cause test failures in Python 3.13.

  • Fix unit test caused by expiring signing certificate.

  • Fixed a build issue on Windows with newer versions of Rust.
    Also upgraded GitHub Actions imports to fix CI failures.
    Fixes courtesy of liushuyu.

  • Fixed an unaligned pointer dereference issue on select architectures.
    Fix courtesy of Sebastian Andrzej Siewior.

  • Fixes to Jenkins CI pipeline.

For details, see GitHub pull request