Skip to content

Commit

Permalink
Merge pull request #15 from cisco-sbg/CLAM-2638-1.3.2-news
Browse files Browse the repository at this point in the history
News: updates prior to 1.3.2
  • Loading branch information
micahsnyder authored Sep 3, 2024
2 parents 8ec96b7 + 27f345b commit 4abd96a
Showing 1 changed file with 28 additions and 0 deletions.
28 changes: 28 additions & 0 deletions NEWS.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,34 @@ differ slightly from third-party binary packages.

ClamAV 1.3.2 is a patch release with the following fixes:

- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):
Changed the logging module to disable following symlinks on Linux and Unix
systems so as to prevent an attacker with existing access to the 'clamd' or
'freshclam' services from using a symlink to corrupt system files.

This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12

Thank you to Detlef for identifying this issue.

- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):
Fixed a possible out-of-bounds read bug in the PDF file parser that could
cause a denial-of-service (DoS) condition.

This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12

Thank you to OSS-Fuzz for identifying this issue.

- Removed unused Python modules from freshclam tests including deprecated
'cgi' module that is expected to cause test failures in Python 3.13.

- Fix unit test caused by expiring signing certificate.
- Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1305)

Expand Down

0 comments on commit 4abd96a

Please sign in to comment.