[Pkg-clamav-devel] Bug#987038: buster-pu: package clamav/0.103.2+dfsg-0+deb10u1

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Fri Apr 16 08:27:07 BST 2021


Package: release.debian.org
User: release.debian.org at packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

This is an update of ClamAV from 0.102.4 to 0.103.2. The 103 release
was in unstable since the beginning. I skipped it for Buster back then
because the 102 based release received a security update and it appeared
to contain the important bits.

Now, with the 103.2 release there is no update for the 102 based
release. At least one CVE was identified as also affecting Buster. There
is also another change regarding "memory leak in PNG parser" which has
no attribution, and a memory leak in clamav, which is often in an email
setup scanning incoming mail, could be exploited, bringing the system
to an OOM condition and hopefully killing only the clamav daemon.
Looking further, I identified two changes

  https://github.com/Cisco-Talos/clamav-devel/commit/ba6467a6a6f7d749f3011c38e76573c75676e37f
  https://github.com/Cisco-Talos/clamav-devel/commit/1a8b164b4f513460c8334521f0797aaf81d15699

which fix two leaks which also apply to the version currently in Buster.
I didn't look further…
The 103.2 release also received updates regarding freshclam, including
improved error code handling. Probably related to the CDN they are using.
The "safebrowsing" has been disabled in clamav. It has been announced
half a year ago [0] and they are asking [1] now to finally disable it as
the file is now no longer served. The current release disables it and
removes it from the config file (and debconf templates).

Testing-wise, the 103.0 release landed last October in unstable and we
managed to fix various apparmor related issues since. I'm not aware of
any issues so far. I uploaded 103.2 to unstable recently and uploaded an
update yesterday after noticing that the postinst script still enables
the safebrowsing option (my clunky eyes didn't see it earlier). This
change is also part of the proposed Buster version. I have had it deployed on
a server for two+ days now.

One last disclosure: The clamav daemon now supports reloading the
database without blocking. The advantage is that email scanning isn't
blocked while the database is reloaded. The disadvantage is that it
consumes more memory as it prepares the new database in memory and after
it is done, it switches over and releases the old one.

[0] https://blog.clamav.net/2020/06/the-future-of-clamav-safebrowsing.html
[1] https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html

Sebastian