
Fedora 31: FEDORA-2019-1543eae191 moderate: clamav DoS Threat

December 3, 2019

Summary

Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. The virus database is based on the virus database from OpenAntiVirus, but contains additional signatures (including signatures for popular polymorphic viruses, too) and is KEPT UP TO DATE.

- Drop clamd@scan.service file (bz#1725810)

ClamAV 0.101.5 is a security patch release that addresses the following issues.

- CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation.
- Added the zip scanning improvements found in v0.102.0 where it scans files using zip records from a sorted catalogue which provides deduplication of file records resulting in faster extraction and scan time and reducing the likelihood of alerting on non-malicious duplicate file entries as overlapping files.
- Signature load time is significantly reduced by changing to a more efficient algorithm for loading signature patterns and allocating the AC trie. Patch courtesy of Alberto Wu.
- Introduced a new configure option to statically link libjson-c with libclamav. Static linking with libjson is highly recommended to prevent crashes in applications that use libclamav alongside another JSON parsing library.
- Null-dereference fix in email parser when using the --gen-json metadata option.

----

Add TimeoutStartSec=420 to clamd@.service to match upstream
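The zip item in the notes above says a sorted, deduplicated catalogue of zip records avoids flagging duplicate file entries as overlapping files. The following Python example is added here to illustrate that idea and is not ClamAV's code: the function names, the (offset, compressed size) deduplication key and the in-memory archive are assumptions constructed for the demonstration.

```python
import io
import struct
import zipfile

def extent_end(zi):
    # Lower bound on where a member's stored bytes end: 30-byte local header,
    # file name, then compressed data (the local extra field is ignored).
    return zi.header_offset + 30 + len(zi.filename.encode()) + zi.compress_size

def sorted_catalogue(infos):
    """Sort central-directory records by local header offset, dropping repeats."""
    seen, catalogue = set(), []
    for zi in sorted(infos, key=lambda z: z.header_offset):
        key = (zi.header_offset, zi.compress_size)  # assumed identity of a record
        if key not in seen:
            seen.add(key)
            catalogue.append(zi)
    return catalogue

def overlaps(records):
    """Name pairs whose stored byte ranges overlap; records sorted by offset."""
    return [(a.filename, b.filename) for a, b in zip(records, records[1:])
            if b.header_offset < extent_end(a)]

def duplicate_first_record(raw):
    """Constructed sample: repeat the first central-directory record."""
    eocd = raw.rindex(b"PK\x05\x06")  # end-of-central-directory record
    on_disk, total, cd_size, cd_off = struct.unpack_from("<HHII", raw, eocd + 8)
    name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, cd_off + 28)
    first = raw[cd_off:cd_off + 46 + name_len + extra_len + comment_len]
    tail = bytearray(raw[eocd:])
    # Patch the record counts and the central-directory size; offset is unchanged.
    struct.pack_into("<HHI", tail, 8, on_disk + 1, total + 1, cd_size + len(first))
    return raw[:eocd] + first + bytes(tail)

def sample_records():
    """Two-member archive whose catalogue lists the first member twice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "first member")
        zf.writestr("b.txt", "second member")
    patched = duplicate_first_record(buf.getvalue())
    return zipfile.ZipFile(io.BytesIO(patched)).infolist()

if __name__ == "__main__":
    records = sample_records()
    naive = sorted(records, key=lambda z: z.header_offset)
    print("sorted only:", overlaps(naive))
    print("sorted and deduplicated:", overlaps(sorted_catalogue(records)))
```

Without deduplication the repeated record is reported as overlapping itself; with it, only genuinely distinct records whose byte ranges collide would be reported.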

Change Log

* Sat Nov 23 2019 Orion Poplawski - 0.101.5-1
- Update to 0.101.5 (CVE-2019-15961) (bz#1775550)

* Mon Nov 18 2019 Orion Poplawski - 0.101.4-3
- Drop clamd@scan.service file (bz#1725810)
- Change /var/run to /run

* Mon Nov 18 2019 Orion Poplawski - 0.101.4-2
- Add TimeoutStartSec=420 to clamd@.service to match upstream (bz#1764835)

References

[1] Bug #1631525 - clamav: clamscan --gen-json does not output JSON
https://bugzilla.redhat.com/show_bug.cgi?id=1631525

[2] Bug #1775550 - Request to build clamav 0.101.5 for EPEL 7
https://bugzilla.redhat.com/show_bug.cgi?id=1775550

[3] Bug #1725810 - /usr/lib/systemd/system/clamd@scan.service:1: .include directives are deprecated
https://bugzilla.redhat.com/show_bug.cgi?id=1725810

[4] Bug #1764835 - clamd at 100% CPU and SystemD keeps restarting clamd
https://bugzilla.redhat.com/show_bug.cgi?id=1764835

Update Instructions

su -c 'dnf upgrade --advisory FEDORA-2019-1543eae191' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/


Product: Fedora 31
Version: 0.101.5
Release: 1.fc31
Summary: End-user tools for the Clam Antivirus scanner
