From fbc7531ccc7f9455feed35dd9fd7a957217c95d6 Mon Sep 17 00:00:00 2001 From: Micah Snyder Date: Sun, 1 Sep 2024 13:59:16 -0400 Subject: [PATCH 1/2] News: updates prior to 0.103.12 --- NEWS.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/NEWS.md b/NEWS.md index 9c8801a4fe..d621adcdf6 100644 --- a/NEWS.md +++ b/NEWS.md @@ -7,6 +7,44 @@ Note: This file refers to the source tarball. Things described here may differ ClamAV 0.103.12 is a patch release with the following fixes: +- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506): + Changed the logging module to disable following symlinks on Linux and Unix + systems so as to prevent an attacker with existing access to the 'clamd' or + 'freshclam' services from using a symlink to corrupt system files. + + This issue affects all currently supported versions. It will be fixed in: + - 1.4.1 + - 1.3.2 + - 1.0.7 + - 0.103.12 + + Thank you to Detlef for identifying this issue. + +- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505): + Fixed a possible out-of-bounds read bug in the PDF file parser that could + cause a denial-of-service (DoS) condition. + + This issue affects all currently supported versions. It will be fixed in: + - 1.4.1 + - 1.3.2 + - 1.0.7 + - 0.103.12 + + Thank you to OSS-Fuzz for identifying this issue. + +- ClamOnAcc: Fixed an infinite loop when a watched directory does not exist. + - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1198) + +- Fixed a bug causing CVDs downloaded by the `DatabaseCustomURL` Freshclam + config option to be pruned and then re-downloaded with every update. + Also added the new 'valhalla' database name to the list of optional databases + in preparation for future work. + - Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1233) + +- Fixed an unaligned pointer dereference issue on select architectures. + Fix courtesy of Sebastian Andrzej Siewior. + - Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1293) + ## 0.103.11 ClamAV 0.103.11 is a patch release with the following fixes: From d1eb5ad7badd67aba355c28206c15d60619b674a Mon Sep 17 00:00:00 2001 From: Micah Snyder Date: Mon, 2 Sep 2024 11:22:25 -0400 Subject: [PATCH 2/2] Jenkins: remove defunct appcheck pipeline --- Jenkinsfile | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 26d4ce6b10..be49bd74e4 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -42,9 +42,6 @@ properties( string(name: 'FUZZ_CORPUS_BRANCH', defaultValue: '0.103', description: 'private-fuzz-corpus branch'), - string(name: 'APPCHECK_PIPELINE', - defaultValue: 'appcheck-0.103', - description: 'test-pipelines branch for appcheck'), string(name: 'SHARED_LIB_BRANCH', defaultValue: '0.103', description: 'tests-jenkins-shared-libraries branch') @@ -199,23 +196,6 @@ node('docker') { } } - tasks["appcheck"] = { - stage("AppCheck") { - final appcheckResult = build(job: "test-pipelines/${params.APPCHECK_PIPELINE}", - propagate: true, - wait: true, - parameters: [ - [$class: 'StringParameterValue', name: 'CLAMAV_JOB_NAME', value: "${JOB_NAME}"], - [$class: 'StringParameterValue', name: 'CLAMAV_JOB_NUMBER', value: "${BUILD_NUMBER}"], - [$class: 'StringParameterValue', name: 'BUILD_JOB_NAME', value: "test-pipelines/${params.BUILD_PIPELINE}"], - [$class: 'StringParameterValue', name: 'BUILD_JOB_NUMBER', value: "${buildResult.number}"], - [$class: 'StringParameterValue', name: 'VERSION', value: "${params.VERSION}"] - ] - ) - echo "test-pipelines/${params.APPCHECK_PIPELINE} #${appcheckResult.number} succeeded." - } - } - parallel tasks } }