- Don't daemonize freshclam, but use a systemd timer instead to
trigger updates
+ timer.freshclam
% service.freshclam
% clamav-conf.patch
- Remove obsolete patch (replaced by SOURCE_DATE_EPOCH)
- clamav-disable-timestamps.patch
- Cleanup spec
* use pkgconfig() to resolve BuildRequires where upstream uses it
* rework creating vscan user (new system-user in Tumbleweed)
* remove obsolete configure option --disable-zlib-vcheck
OBS-URL: https://build.opensuse.org/request/show/871162
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=218
- Update to 0.103.1
* Added a new scan option to alert on broken media (graphics) file
formats. This feature mitigates the risk of malformed media files
intended to exploit vulnerabilities in other software. At present
media validation exists for JPEG, TIFF, PNG, and GIF files. To
enable this feature, set AlertBrokenMedia yes in clamd.conf, or
use the --alert-broken-media option when using clamscan. These
options are disabled by default in this patch release, but may be
enabled in a subsequent release. Application developers may enable
this scan option by enabling CL_SCAN_HEURISTIC_BROKEN_MEDIA for
the heuristic scan option bit field.
* Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF, PNG typing
behavior. BMP and JPEG 2000 files will continue to detect as
CL_TYPE_GRAPHICS because ClamAV does not yet have BMP or JPEG
2000 format checking capabilities.
* Fixed PNG parser logic bugs that caused an excess of parsing
errors and fixed a stack exhaustion issue affecting some systems
when scanning PNG files. PNG file type detection was disabled via
signature database update for ClamAV version 0.103.0 to mitigate
the effects from these bugs.
* Fixed an issue where PNG and GIF files no longer work with
Target:5 graphics signatures if detected as CL_TYPE_PNG/GIF rather
than as CL_TYPE_GRAPHICS. Target types now support up to 10
possible file types to make way for additional graphics types in
future releases.
* Fixed clamonacc's --fdpass option.
- Interprocess file descriptor passing for clamonacc was broken
since version 0.102.0 due to a bug introduced by the switch to
curl for communicating with clamd. On Linux, passing file
descriptors from one process to another is handled by the
kernel, so we reverted clamonacc to use standard system calls
for socket communication when fd passing is enabled.
* Fixed a clamonacc stack corruption issue on some systems when
using an older version of libcurl.
* Allow clamscan and clamdscan scans to proceed even if the
realpath lookup failed. This alleviates an issue on Windows
scanning files hosted on file- systems that do not support the
GetMappedFileNameW() API such as on ImDisk RAM-disks.
* Fixed freshclam --on-update-execute=EXIT_1 temporary directory
cleanup issue.
* clamd's log output and VirusEvent now provide the scan target's
file path instead of a file descriptor. The clamd socket API for
submitting a scan by FD-passing doesn't include a file path, this
feature works by looking up the file path by file descriptor.
This feature works on Mac and Linux but is not yet implemented
for other UNIX operating systems. FD-passing is not available for
Windows.
* Fixed an issue where freshclam database validation didn't work
correctly when run in daemon mode on Linux/Unix.
OBS-URL: https://build.opensuse.org/request/show/869944
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=216
- Update to 0.103.0
* clamd can now reload the signature database without blocking
scanning. This multi-threaded database reload improvement was made
possible thanks to a community effort.
- Non-blocking database reloads are now the default behavior. Some
systems that are more constrained on RAM may need to disable
non-blocking reloads as it will temporarily consume two times as
much memory. We added a new clamd config option
ConcurrentDatabaseReload, which may be set to no.
* Dropped clamav-str-h.patch (no longer needed)
* Fix clamav-milter.service (requires clamd.service to run)
OBS-URL: https://build.opensuse.org/request/show/834369
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=209
- Update to 0.102.3
* CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing
module in ClamAV 0.102.2 that could cause a Denial-of-Service (DoS)
condition. Improper bounds checking of an unsigned variable results
in an out-of-bounds read which causes a crash.
* CVE-2020-3341: Fix a vulnerability in the PDF parsing module in
ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS)
condition. Improper size checking of a buffer used to initialize AES
decryption routines results in an out-of-bounds read which may cause
a crash.
* Fix "Attempt to allocate 0 bytes" error when parsing some PDF
documents.
* Fix a couple of minor memory leaks.
* Updated libclamunrar to UnRAR 5.9.2.
OBS-URL: https://build.opensuse.org/request/show/803374
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=205
- update to 0.102.1
* CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may
occur when scanning a specially crafted email file as a result
of excessively long scan times. The issue is resolved by
implementing several maximums in parsing MIME messages and by
optimizing use of memory allocation.
* Build system fixes to build clamav-milter, to correctly link
with libxml2 when detected, and to correctly detect fanotify
for on-access scanning feature support.
* Signature load time is significantly reduced by changing to a
more efficient algorithm for loading signature patterns and
allocating the AC trie. Patch courtesy of Alberto Wu.
* Introduced a new configure option to statically link libjson-c
with libclamav. Static linking with libjson is highly
recommended to prevent crashes in applications that use
libclamav alongside another JSON parsing library.
* Null-dereference fix in email parser when using the
--gen-json metadata option.
* Fixes for Authenticode parsing and certificate signature
(.crb database) bugs.
- dropped clamav-fix_building_milter.patch (upstreamed)
- update to 0.102.0
* The On-Access Scanning feature has been migrated out of clamd
and into a brand new utility named clamonacc. This utility is
similar to clamdscan and clamav-milter in that it acts as a
client to clamd. This separation from clamd means that clamd no
longer needs to run with root privileges while scanning potentially
malicious files. Instead, clamd may drop privileges to run under an
account that does not have super-user. In addition to improving the
security posture of running clamd with On-Access enabled, this
update fixed a few outstanding defects:
- On-Access scanning for created and moved files (Extra-Scanning)
is fixed.
- VirusEvent for On-Access scans is fixed.
- With clamonacc, it is now possible to copy, move, or remove a
file if the scan triggered an alert, just like with clamdscan.
* The freshclam database update utility has undergone a significant
update. This includes:
- Added support for HTTPS.
- Support for database mirrors hosted on ports other than 80.
- Removal of the mirror management feature (mirrors.dat).
- An all new libfreshclam library API.
- created new subpackage libfreshclam2
- dropped clamav-max_patch.patch (upstreamed)
- added clamav-fix_building_milter.patch to fix build of milter
OBS-URL: https://build.opensuse.org/request/show/750749
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=193
* FIXME: Add upstream changes here before submitting to Factory.
* Obsoletes clamav-fix_newer_zlib.patch
- Update key ring and add signature file.
- Remove the logic around building the embedded llvm as the
system-wide llvm is now auto-detected and used.
- Move pc files from the main to the devel package.
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=161
* remove copy of wxWidgets (halves the size of the tarball).
* Decompression and scanning of files in "Xz" compression
format.
* Extraction, decompression, and scanning of files within Apple
Disk Image (DMG) format.
* Extraction, decompression, and scanning of files within
Extensible Archive (XAR) format. XAR format is commonly used
for software packaging, such as PKG and RPM, as well as
general archival.
* Improvements and fixes to extraction and scanning of ole
formats.
* Option to force all scanned data to disk.
* Various improvements to ClamAV configuration, support of third
party libraries, and unit tests.
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=87
- update to 0.95.5 [bnc#767574]
- addresses possible evasion cases in some archive formats
- CVE-2012-1457: allows to bypass malware detection via a TAR archive
entry with a length field that exceeds the total TAR file size
- CVE-2012-1458: allows to bypass malware detection via a crafted
reset interval in the LZXC header of a CHM file
- CVE-2012-1459: allows to bypass malware detection via a TAR archive
entry with a length field corresponding to that entire entry, plus
part of the header of the next entry
- also addresses stability issues in portions of the bytecode engine
- update clamav-conf.patch for moved lines
- add a definitions snapshot as {main,daily}.cvd no longer in tarball
- fix file-contains-date-and-time rpmlint warning
OBS-URL: https://build.opensuse.org/request/show/125380
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=62
