Clamav critical CVE

Hello folks,

I came across the security notice from clamav blog today. I’m new here so not sure how or where this should be posted. As far as I can tell, it hasn’t found its way through to the centos repos yet but I’m not particularly skilled at checking these things.

Apparently one of the security issues that was patched is a critical 9.8/10. ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions published

Today, we are releasing the following critical patch versions for ClamAV:

  • 0.103.8
  • 0.105.2
  • 1.0.1

ClamAV 0.104 has reached end-of-life according to the ClamAV End of Life (EOL) policy and will not be patched. Anyone using ClamAV 0.104 must switch to a supported version. All users should update as soon as possible to patch for two remote code execution vulnerabilities that we recently discovered and patched.

The release files are available for download on, on the Github Release page, and through Docker Hub.

How quickly can this be updated?

Ask Redhat. If they will upgrade/backport a different version to CentOS7, patch will come as any other update coming from the maintainer.

1 Like

The updated package has already been built, it’s being tested and it will be released soon.
Development details: 2170570 – Please build ClamAV 0.103.8 for EL7
Packages to test: clamav-0.103.8-1.el7 | Build Info | koji
I suggest waiting for the packages to land in epel-testing if you want to install them later today.


AFAIK package status can be followed via this link.
for EPEL7 (if i don’t totally miss it, should be the one for CentOS7).


Thanks @pike and @filippo_carletti for the updates.

Keep breathing… and waiting.

And released. With a bug. Deer.

Where’s my beer, @nuke?

Thanks for the updates @pike .

No idea where you are, so perhaps we can share a virtual beer.

A lager. Will work for me.
Thanks :slightly_smiling_face:

clamav.x86_64 0:0.103.8-3.el7
clamav-filesystem.noarch 0:0.103.8-3.el7
clamav-lib.x86_64 0:0.103.8-3.el7
clamav-update.x86_64 0:0.103.8-3.el7
clamd.x86_64 0:0.103.8-3.el7