From 101d1aaded1c060d596aeb9804b6979bf5861a9f Mon Sep 17 00:00:00 2001
From: Micah Snyder
Date: Sun, 1 Sep 2024 14:57:53 -0400
Subject: [PATCH 1/2] News: updates prior to 1.0.7

---
 NEWS.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/NEWS.md b/NEWS.md
index 8e823c535d..7d3b84d40d 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -7,6 +7,34 @@ differ slightly from third-party binary packages.
 ClamAV 1.0.7 is a patch release with the following fixes:
+- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):
+ Changed the logging module to disable following symlinks on Linux and Unix
+ systems so as to prevent an attacker with existing access to the 'clamd' or
+ 'freshclam' services from using a symlink to corrupt system files.
+
+ This issue affects all currently supported versions. It will be fixed in:
+ - 1.4.1
+ - 1.3.2
+ - 1.0.7
+ - 0.103.12
+
+ Thank you to Detlef for identifying this issue.
+
+- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):
+ Fixed a possible out-of-bounds read bug in the PDF file parser that could
+ cause a denial-of-service (DoS) condition.
+
+ This issue affects all currently supported versions. It will be fixed in:
+ - 1.4.1
+ - 1.3.2
+ - 1.0.7
+ - 0.103.12
+
+ Thank you to OSS-Fuzz for identifying this issue.
+
+- Removed unused Python modules from freshclam tests including deprecated
+ 'cgi' module that is expected to cause test failures in Python 3.13.
+
 - Fix unit test caused by expiring signing certificate.
 - Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1305)

From 8c8c9bc92485dcf1e4f0f2b02a250e8cfa239674 Mon Sep 17 00:00:00 2001
From: Micah Snyder
Date: Mon, 2 Sep 2024 11:21:42 -0400
Subject: [PATCH 2/2] Jenkins: remove defunct appcheck pipeline

---
 Jenkinsfile | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index b2383735d6..f389d0f984 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -48,9 +48,6 @@ properties(
 string(name: 'FUZZ_CORPUS_BRANCH',
 defaultValue: '1.0',
 description: 'private-fuzz-corpus branch'),
- string(name: 'APPCHECK_PIPELINE',
- defaultValue: 'appcheck-1.0',
- description: 'test-pipelines branch for appcheck'),
 string(name: 'SHARED_LIB_BRANCH',
 defaultValue: 'master',
 description: 'tests-jenkins-shared-libraries branch')
@@ -212,23 +209,6 @@ node('default') {
 }
 }
- tasks["appcheck"] = {
- stage("AppCheck") {
- final appcheckResult = build(job: "test-pipelines/${params.APPCHECK_PIPELINE}",
- propagate: true,
- wait: true,
- parameters: [
- [$class: 'StringParameterValue', name: 'CLAMAV_JOB_NAME', value: "${JOB_NAME}"],
- [$class: 'StringParameterValue', name: 'CLAMAV_JOB_NUMBER', value: "${BUILD_NUMBER}"],
- [$class: 'StringParameterValue', name: 'BUILD_JOB_NAME', value: "test-pipelines/${params.BUILD_PIPELINE}"],
- [$class: 'StringParameterValue', name: 'BUILD_JOB_NUMBER', value: "${buildResult.number}"],
- [$class: 'StringParameterValue', name: 'VERSION', value: "${params.VERSION}"]
- ]
- )
- echo "test-pipelines/${params.APPCHECK_PIPELINE} #${appcheckResult.number} succeeded."
- }
- }
-
 parallel tasks
 }
 }