Clamav critical CVE

Hello folks,

I came across the security notice from the ClamAV blog today. I’m new here, so I’m not sure how or where this should be posted. As far as I can tell, it hasn’t found its way through to the CentOS repos yet, but I’m not particularly skilled at checking these things.

Apparently one of the security issues that was patched is a critical 9.8/10.

ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions published

Today, we are releasing the following critical patch versions for ClamAV:

  • 0.103.8
  • 0.105.2
  • 1.0.1

ClamAV 0.104 has reached end-of-life according to the ClamAV End of Life (EOL) policy and will not be patched. Anyone using ClamAV 0.104 must switch to a supported version. All users should update as soon as possible to patch for two remote code execution vulnerabilities that we recently discovered and patched.

The release files are available for download on ClamAV.net, on the GitHub Release page, and through Docker Hub.

How quickly can this be updated?

Ask Red Hat. If they upgrade/backport a different version to CentOS7, the patch will come like any other update coming from the maintainer.

1 Like

The updated package has already been built, it’s being tested and it will be released soon.
Development details: 2170570 – Please build ClamAV 0.103.8 for EL7
Packages to test: clamav-0.103.8-1.el7 | Build Info | koji
I suggest waiting for the packages to land in epel-testing if you want to install them later today.

2 Likes

AFAIK package status can be followed via this link.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-ef27d9fd2b
for EPEL7 (if I don’t totally miss it, should be the one for CentOS7).

2 Likes

Thanks @pike and @filippo_carletti for the updates.

Keep breathing… and waiting.

And released. With a bug. Deer.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-466d8ae059

Where’s my beer, @nuke?

Thanks for the updates @pike.

No idea where you are, so perhaps we can share a virtual beer.

A lager. Will work for me.
Thanks :slightly_smiling_face:

Updated:
clamav.x86_64 0:0.103.8-3.el7
clamav-filesystem.noarch 0:0.103.8-3.el7
clamav-lib.x86_64 0:0.103.8-3.el7
clamav-update.x86_64 0:0.103.8-3.el7
clamd.x86_64 0:0.103.8-3.el7