ClamAV 1.0.7 is a patch release with the following fixes:

- CVE-2024-20506:
  Changed the logging module to disable following symlinks on Linux and Unix
  systems so as to prevent an attacker with existing access to the 'clamd' or
  'freshclam' services from using a symlink to corrupt system files.

  This issue affects all currently supported versions. It will be fixed in:
  - 1.4.1
  - 1.3.2
  - 1.0.7
  - 0.103.12

  Thank you to Detlef for identifying this issue.
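  The hardening described for CVE-2024-20506 comes down to how the log file is opened. The snippet below is an added illustration, not ClamAV's own logging code: it opens a log for appending with `O_NOFOLLOW`, so a symlink planted at the log path is refused rather than followed, and it contrasts that with the default `open()` behaviour. The helper names, the `/tmp` scratch directory and the sample file names are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustrative helper, not ClamAV's implementation. Opens a log file for
 * appending but refuses to follow a symlink in the final path component,
 * so a link planted at the log path cannot redirect writes elsewhere.
 * Returns the descriptor, or -1 with errno set. */
int open_log_nofollow(const char *path)
{
    int flags = O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW;
#ifdef O_CLOEXEC
    flags |= O_CLOEXEC;   /* do not leak the log descriptor into children */
#endif
    return open(path, flags, 0640);
}

/* Default-behaviour variant kept only for contrast: open() follows symlinks. */
int open_log_follow(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0640);
}

/* Builds a scratch directory (constructed for this demo) holding a regular
 * file and a symlink named like a log that points at it. Returns 1 when the
 * O_NOFOLLOW open refuses the symlink while the default open follows it,
 * 0 otherwise, and -1 if setup failed. Linux reports the refusal as ELOOP;
 * some BSDs report EMLINK, so both are accepted. */
int demo_symlink_refused(void)
{
    char dir[64], target[128], link[128];
    snprintf(dir, sizeof dir, "/tmp/nofollow_demo_%ld", (long)getpid());
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(link, sizeof link, "%s/clamd.log", dir);

    if (mkdir(dir, 0700) != 0)
        return -1;
    int rc = -1;
    int tfd = open(target, O_WRONLY | O_CREAT, 0640);
    if (tfd >= 0) {
        close(tfd);
        if (symlink(target, link) == 0) {
            int hardened = open_log_nofollow(link);
            int refused = (hardened < 0) && (errno == ELOOP || errno == EMLINK);
            if (hardened >= 0)
                close(hardened);

            int weak = open_log_follow(link);
            int followed = (weak >= 0);
            if (weak >= 0)
                close(weak);

            rc = (refused && followed) ? 1 : 0;
        }
    }
    unlink(link);
    unlink(target);
    rmdir(dir);
    return rc;
}

/* Returns 1 if a regular (non-symlink) log file still opens and accepts a
 * write through the hardened path, so the check does not break normal use. */
int demo_regular_file_ok(void)
{
    char path[128];
    snprintf(path, sizeof path, "/tmp/nofollow_demo_%ld.log", (long)getpid());
    int fd = open_log_nofollow(path);
    if (fd < 0)
        return 0;
    int ok = (write(fd, "ok\n", 3) == 3);
    close(fd);
    unlink(path);
    return ok ? 1 : 0;
}
```

  `O_NOFOLLOW` only covers the last path component; a symlinked parent directory is still traversed, which is why the log directory itself should be owned by the service user and not writable by others.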
- CVE-2024-20505:
  Fixed a possible out-of-bounds read bug in the PDF file parser that could
  cause a denial-of-service (DoS) condition.

  This issue affects all currently supported versions. It will be fixed in:
  - 1.4.1
  - 1.3.2
  - 1.0.7
  - 0.103.12

  Thank you to OSS-Fuzz for identifying this issue.
- Removed unused Python modules from freshclam tests including deprecated
  'cgi' module that is expected to cause test failures in Python 3.13.

- Fix unit test caused by expiring signing certificate.
  - Backport of GitHub pull request

- Fixed a build issue on Windows with newer versions of Rust.
  Also upgraded GitHub Actions imports to fix CI failures.
  Fixes courtesy of liushuyu.
  - Backport of GitHub pull request
- Fixed an unaligned pointer dereference issue on select architectures.
  Fix courtesy of Sebastian Andrzej Siewior.
  - Backport of GitHub pull request
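  Two of the fixes above, the out-of-bounds read in the PDF parser (CVE-2024-20505) and the unaligned pointer dereference, are both instances of reading a fixed-width field out of a byte buffer. The helper below is an added example, not ClamAV's parser code, showing the pattern that avoids both defects: the offset is validated against the buffer length in a way that cannot wrap, and the value is assembled byte by byte so no `uint32_t *` is ever dereferenced at an odd address. The function names and the sample buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative helper, not ClamAV's parser code. Reads a little-endian
 * 32-bit field at byte offset `off` in a buffer of `len` bytes.
 * Returns 1 and stores the value on success, 0 when the field would run
 * past the end of the buffer. Byte-wise assembly never dereferences a
 * misaligned uint32_t pointer, so it is well-defined C and safe on
 * strict-alignment CPUs. */
int read_le32_at(const unsigned char *buf, size_t len, size_t off, uint32_t *out)
{
    /* Check off <= len before computing len - off so the subtraction
     * cannot wrap around on a huge or corrupted offset. */
    if (buf == NULL || out == NULL || off > len || len - off < 4)
        return 0;
    const unsigned char *p = buf + off;
    *out = (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
    return 1;
}

/* For a host-order copy (e.g. a field of an in-memory struct), memcpy lets
 * the compiler emit an alignment-safe load instead of *(uint32_t *)p.
 * The caller is still responsible for the bounds check. */
uint32_t load_u32_host(const unsigned char *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Constructed sample: a 7-byte region standing in for file data whose
 * header claims a 4-byte field at some offset. */
static const unsigned char sample[7] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};

/* Returns 1 if a read at `off` is accepted, 0 if it is rejected. */
int demo_read_ok(size_t off)
{
    uint32_t v;
    return read_le32_at(sample, sizeof sample, off, &v);
}

/* Returns the decoded field at `off`, or 0 when the read is rejected. */
uint32_t demo_value_at(size_t off)
{
    uint32_t v = 0;
    if (!read_le32_at(sample, sizeof sample, off, &v))
        return 0;
    return v;
}
```

  Offsets 0 through 3 are the only ones that leave four bytes in the buffer; offset 3 is also misaligned, which the byte-wise read handles without any special case, and an offset of `SIZE_MAX` is rejected by the ordering of the checks rather than wrapping into an apparently valid length.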
- Fixes to Jenkins CI pipeline.
  For details, see GitHub pull request