Skip to content

Releases: Cisco-Talos/clamav

ClamAV 1.5.0-beta

31 Mar 18:11
@val-ms val-ms
clamav-1.5.0-beta
00886ee
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
ClamAV 1.5.0-beta Pre-release
Pre-release

ClamAV 1.5.0 includes the following improvements and changes:

Major changes

  • Added checks to determine if an OLE2-based Microsoft Office document is
    encrypted.

  • Added the ability to record URLs found in HTML if the generate-JSON-metadata
    feature is enabled.
    Also adds an option to disable this in case you want the JSON metadata
    feature but don't want to record HTML URLs.
    The ClamScan command-line option is --json-store-html-urls=no.
    The clamd.conf config option is JsonStoreHTMLUrls no.

  • Added regex support for the clamd.conf OnAccessExcludePath config option.
    This change courtesy of GitHub user b1tg.

  • Added FIPS-compliant CVD signing/verification with external .sign files.

    Freshclam will now attempt to download external signature files to accompany
    existing .cvd databases and .cdiff patch files. Sigtool now has commands
    to sign and verify using the external signatures.

    ClamAV now installs a 'certs' directory in the app config directory
    (e.g. <prefix>/etc/certs). The install path is configurable.
    The CMake option to configure the CVD certs directory is:
    -D CVD_CERTS_DIRECTORY=PATH

    New options to set an alternative CVD certs directory:

    • The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is:
      --cvdcertsdir PATH
    • The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is:
      CVD_CERTS_DIR
    • The config option for Freshclam and ClamD is:
      CVDCertsDirectory PATH

    Added two new APIs to the public clamav.h header:

    extern cl_error_t cl_cvdverify_ex(const char *file,
                                  const char *certs_directory);

extern cl_error_t cl_cvdunpack_ex(const char *file,
                                  const char *dir,
                                  bool dont_verify,
                                  const char *certs_directory);

    The original cl_cvdverify and cl_cvdunpack are deprecated.

    Added a cl_engine_field enum option CL_ENGINE_CVDCERTSDIR.
    You may set this option with cl_engine_set_str and get it with
    cl_engine_get_str, to override the compiled in default CVD certs directory.

    Thank you to Mark Carey at SAP for inspiring work on this feature with an
    initial proof of concept for external-signature FIPS compliant CVD signing.

Other improvements

  • Set a limit on the max-recursion config option. Users will no longer be
    able to set max-recursion higher than 100.
    This change prevents errors on start up or possible crashes if encountering
    a file with that many layers of recursion.

  • Build system: CMake improvements to support compiling for the AIX platform.
    This change is courtesy of GitHub user KamathForAIX.

  • Improve support for extracting malformed zip archives.
    This change is courtesy of Frederick Sell.

  • Windows: Code quality improvement for the ClamScan and ClamDScan --move
    and --remove options.
    This change is courtesy of Maxim Suhanov.

  • Added file type recognition for some kinds of AI model files.

    The file type appears as a string parameter for these callback functions:

    • clcb_pre_cache
    • clcb_pre_scan
    • clcb_file_inspection

    When scanning these files, the type parameter will now show
    "CL_TYPE_AI_MODEL" instead of "CL_TYPE_BINARY_DATA".

Bug fixes

  • Technical debt: Reduced email multipart message parser complexity.

  • Fixed possible undefined behavior in inflate64 module.
    The inflate64 module is a modified version of the zlib library, taken from
    version 1.2.3 with some customization and with some cherry-picked fixes.
    This adds one additional fix from zlib 1.2.9.
    Thank you to TITAN Team for reporting this issue.

  • Fixed a bug in ClamD that broke reporting of memory usage on Linux.
    The STATS command can be used to monitor ClamD directly or through ClamDTOP.
    The memory stats feature does not work on all platforms (e.g. Windows).

  • Windows: Fix a build issue when the same library dependency is found in
    two different locations.

  • Fix an infinite loop when scanning some email files in debug-mode.
    This fix is courtesy of Yoann Lecuyer

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

  • b1tg
  • Frederick Sell
  • KamathForAIX
  • Mark Carey at SAP
  • Maxim Suhanov
  • TITAN Team
  • Yoann Lecuyer
Loading

ClamAV 1.4.2

22 Jan 17:08
@val-ms val-ms
clamav-1.4.2
98882f5
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
ClamAV 1.4.2 Latest
Latest

ClamAV 1.4.2 is a patch release with the following fixes:

  • CVE-2025-20128:
    Fixed a possible buffer overflow read bug in the OLE2 file parser that could
    cause a denial-of-service (DoS) condition.

    This issue was introduced in version 1.0.0 and affects all currently
    supported versions. It will be fixed in:

    • 1.4.2
    • 1.0.8

    Thank you to OSS-Fuzz for identifying this issue.

Assets 32

ClamAV 1.0.8

22 Jan 16:58
@val-ms val-ms
clamav-1.0.8
9a2c642
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
ClamAV 1.0.8

ClamAV 1.0.8 is a patch release with the following fixes:

  • CVE-2025-20128:
    Fixed a possible buffer overflow read bug in the OLE2 file parser that could
    cause a denial-of-service (DoS) condition.

    This issue was introduced in version 1.0.0 and affects all currently
    supported versions. It will be fixed in:

    • 1.4.2
    • 1.0.8

    Thank you to OSS-Fuzz for identifying this issue.

  • ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.
    This is a backport of a fix from ClamAV 1.3.0.

Loading

ClamAV 1.4.1

04 Sep 15:52
@val-ms val-ms
clamav-1.4.1
0542087
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
ClamAV 1.4.1

ClamAV 1.4.1 is a critical patch release with the following fixes:

  • CVE-2024-20506:
    Changed the logging module to disable following symlinks on Linux and Unix
    systems so as to prevent an attacker with existing access to the 'clamd' or
    'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505:
    Fixed a possible out-of-bounds read bug in the PDF file parser that could
    cause a denial-of-service (DoS) condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • Removed unused Python modules from freshclam tests including deprecated
    'cgi' module that is expected to cause test failures in Python 3.13.

Loading

ClamAV 1.3.2

04 Sep 15:52
@val-ms val-ms
clamav-1.3.2
4abd96a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
ClamAV 1.3.2

ClamAV 1.3.2 is a patch release with the following fixes:

  • CVE-2024-20506:
    Changed the logging module to disable following symlinks on Linux and Unix
    systems so as to prevent an attacker with existing access to the 'clamd' or
    'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505:
    Fixed a possible out-of-bounds read bug in the PDF file parser that could
    cause a denial-of-service (DoS) condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • Removed unused Python modules from freshclam tests including deprecated
    'cgi' module that is expected to cause test failures in Python 3.13.

  • Fix unit test caused by expiring signing certificate.

  • Fixed a build issue on Windows with newer versions of Rust.
    Also upgraded GitHub Actions imports to fix CI failures.
    Fixes courtesy of liushuyu.

  • Fixed an unaligned pointer dereference issue on select architectures.
    Fix courtesy of Sebastian Andrzej Siewior.

  • Fixes to Jenkins CI pipeline.

For details, see GitHub pull request

Loading

ClamAV 1.0.7

04 Sep 15:51
@val-ms val-ms
clamav-1.0.7
a54a13d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
ClamAV 1.0.7

ClamAV 1.0.7 is a patch release with the following fixes:

  • CVE-2024-20506:
    Changed the logging module to disable following symlinks on Linux and Unix
    systems so as to prevent an attacker with existing access to the 'clamd' or
    'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505:
    Fixed a possible out-of-bounds read bug in the PDF file parser that could
    cause a denial-of-service (DoS) condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • Removed unused Python modules from freshclam tests including deprecated
    'cgi' module that is expected to cause test failures in Python 3.13.

  • Fix unit test caused by expiring signing certificate.

  • Fixed a build issue on Windows with newer versions of Rust.
    Also upgraded GitHub Actions imports to fix CI failures.
    Fixes courtesy of liushuyu.

  • Fixed an unaligned pointer dereference issue on select architectures.
    Fix courtesy of Sebastian Andrzej Siewior.

  • Fixes to Jenkins CI pipeline.

For details, see GitHub pull request

Loading

ClamAV 0.103.12

04 Sep 15:51
@val-ms val-ms
clamav-0.103.12
93d9e73
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
ClamAV 0.103.12

ClamAV 0.103.12 is a patch release with the following fixes:

  • CVE-2024-20506:
    Changed the logging module to disable following symlinks on Linux and Unix
    systems so as to prevent an attacker with existing access to the 'clamd' or
    'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505:
    Fixed a possible out-of-bounds read bug in the PDF file parser that could
    cause a denial-of-service (DoS) condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.

  • Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam
    config option to be pruned and then re-downloaded with every update.
    Also added the new 'valhalla' database name to the list of optional databases
    in preparation for future work.

  • Fixed an unaligned pointer dereference issue on select architectures.
    Fix courtesy of Sebastian Andrzej Siewior.

Loading

ClamAV 1.4.0

15 Aug 16:02
@val-ms val-ms
clamav-1.4.0
cad552d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
ClamAV 1.4.0

ClamAV 1.4.0 includes the following improvements and changes:

Major changes

  • Added support for extracting ALZ archives.
    The new ClamAV file type for ALZ archives is CL_TYPE_ALZ.
    Added a DCONF
    option to enable or disable ALZ archive support.

    Tip: DCONF (Dynamic CONFiguration) is a feature that allows for some
    configuration changes to be made via ClamAV .cfg "signatures".

  • Added support for extracting LHA/LZH archives.
    The new ClamAV file type for LHA/LZH archives is CL_TYPE_LHA_LZH.
    Added a DCONF
    option to enable or disable LHA/LZH archive support.

  • Added the ability to disable image fuzzy hashing, if needed. For context,
    image fuzzy hashing is a detection mechanism useful for identifying malware
    by matching images included with the malware or phishing email/document.

    New ClamScan options:

    --scan-image[=yes(*)/no]
--scan-image-fuzzy-hash[=yes(*)/no]

    New ClamD config options:

    ScanImage yes(*)/no
ScanImageFuzzyHash yes(*)/no

    New libclamav scan options:

    options.parse &= ~CL_SCAN_PARSE_IMAGE;
options.parse &= ~CL_SCAN_PARSE_IMAGE_FUZZY_HASH;

    Added a DCONF
    option to enable or disable image fuzzy hashing support.

Other improvements

  • Added cross-compiling instructions for targeting ARM64/aarch64 processors for
    Windows
    and
    Linux.

  • Improved the Freshclam warning messages when being blocked or rate limited
    so as to include the Cloudflare Ray ID, which helps with issue triage.

  • Removed unnecessary memory allocation checks when the size to be allocated
    is fixed or comes from a trusted source.
    We also renamed internal memory allocation functions and macros, so it is
    more obvious what each function does.

  • Improved the Freshclam documentation to make it clear that the --datadir
    option must be an absolute path to a directory that already exists, is
    writable by Freshclam, and is readable by ClamScan and ClamD.

  • Added an optimization to avoid calculating the file hash if the clean file
    cache has been disabled. The file hash may still be calculated as needed to
    perform hash-based signature matching if any hash-based signatures exist that
    target a file of the same size, or if any hash-based signatures exist that
    target "any" file size.

  • Added an improvement to the SystemD service file for ClamOnAcc so that the
    service will shut down faster on some systems.

  • Added a CMake build dependency on the version map files so that the build
    will re-run if changes are made to the version map files.
    Work courtesy of Sebastian Andrzej Siewior.

  • Added an improvement to the CMake build so that the RUSTFLAGS settings
    are inherited from the environment.
    Work courtesy of liushuyu.

Bug fixes

  • Silenced confusing warning message when scanning some HTML files.

  • Fixed minor compiler warnings.

  • Since the build system changed from Autotools to CMake, ClamAV no longer
    supports building with configurations where bzip2, libxml2, libz, libjson-c,
    or libpcre2 are not available. Libpcre is no longer supported in favor of
    libpcre2. In this release, we removed all the dead code associated with those
    unsupported build configurations.

  • Fixed assorted typos. Patch courtesy of RainRat.

  • Added missing documentation for the ClamScan --force-to-disk option.

  • Fixed an issue where ClamAV unit tests would prefer an older
    libclamunrar_iface library from the install path, if present, rather than
    the recently compiled library in the build path.

  • Fixed a build issue on Windows with newer versions of Rust.
    Also upgraded GitHub Actions imports to fix CI failures.
    Fixes courtesy of liushuyu.

  • Fixed an unaligned pointer dereference issue on select architectures.
    Fix courtesy of Sebastian Andrzej Siewior.

  • Fixed a bug that prevented loading plaintext (non-CVD) signature files
    when using the --fail-if-cvd-older-than=DAYS / FailIfCvdOlderThan option.
    Fix courtesy of Bark.

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

  • Bark
  • liushuyu
  • Sebastian Andrzej Siewior
  • RainRat
Loading

ClamAV 1.4.0-rc

07 May 17:44
@val-ms val-ms
clamav-1.4.0-rc
18f2916
Compare
Choose a tag to compare
ClamAV 1.4.0-rc Pre-release
Pre-release

ClamAV 1.4.0 Release Candidate includes the following improvements and changes:

Major changes

  • Added support for extracting ALZ archives.
    The new ClamAV file type for ALZ archives is CL_TYPE_ALZ.
    Added a DCONF option to enable or disable ALZ archive support.

    Tip: DCONF (Dynamic CONFiguration) is a feature that allows for some configuration changes to be made via ClamAV .cfg "signatures".

  • Added support for extracting LHA/LZH archives.
    The new ClamAV file type for ALZ archives is CL_TYPE_LHA_LZH.
    Added a DCONF option to enable or disable LHA/LZH archive support.

  • Added the ability to disable image fuzzy hashing, if needed. For context, image fuzzy hashing is a detection mechanism useful for identifying malware by matching images included with the malware or phishing email/document.

    New ClamScan options:

    --scan-image[=yes(*)/no]
--scan-image-fuzzy-hash[=yes(*)/no]

    New ClamD config options:

    ScanImage yes(*)/no
ScanImageFuzzyHash yes(*)/no

    New libclamav scan options:

    options.parse &= ~CL_SCAN_PARSE_IMAGE;
options.parse &= ~CL_SCAN_PARSE_IMAGE_FUZZY_HASH;

    Added a DCONF option to enable or disable image fuzzy hashing support.

Other improvements

  • Added cross-compiling instructions for targeting ARM64/aarch64 processors for Windows and Linux.

  • Improved the Freshclam warning messages when being blocked or rate limited so as to include the Cloudflare Ray ID, which helps with issue triage.

  • Removed unnecessary memory allocation checks when the size to be allocated is fixed or comes from a trusted source.
    We also renamed internal memory allocation functions and macros, so it is more obvious what each function does.

  • Improved the Freshclam documentation to make it clear that the --datadir option must be an absolute path to a directory that already exists, is writable by Freshclam, and is readable by ClamScan and ClamD.

  • Added an optimization to avoid calculating the file hash if the clean file cache has been disabled. The file hash may still be calculated as needed to perform hash-based signature matching if any hash-based signatures exist that target a file of the same size, or if any hash-based signatures exist that target "any" file size.

  • Added an improvement to the SystemD service file for ClamOnAcc so that the service will shut down faster on some systems.

Bug fixes

  • Silenced confusing warning message when scanning some HTML files.

  • Fixed minor compiler warnings.

  • Since the build system changed from Autotools to CMake, ClamAV no longer supports building with configurations where bzip2, libxml2, libz, libjson-c, or libpcre2 are not available. Libpcre is no longer supported in favor of libpcre2. In this release, we removed all the dead code associated with those unsupported build configurations.

  • Fixed assorted typos. Patch courtesy of RainRat.

  • Added missing documentation for the ClamScan --force-to-disk option.

  • Fixed an issue where ClamAV unit tests would prefer an older libclamunrar_iface library from the install path, if present, rather than
    the recently compiled library in the build path.

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

  • RainRat
Loading

ClamAV 1.3.1

17 Apr 17:25
@val-ms val-ms
clamav-1.3.1
ae81c21
Compare
Choose a tag to compare
ClamAV 1.3.1

ClamAV 1.3.1 is a critical patch release with the following fixes:

  • CVE-2024-20380:
    Fixed a possible crash in the HTML file parser that could cause a
    denial-of-service (DoS) condition.

    This issue affects version 1.3.0 only and does not affect prior versions.

    Thank you to Błażej Pawłowski for identifying this issue.

  • Updated select Rust dependencies to the latest versions.
    This resolved Cargo audit complaints and included PNG parser bug fixes.

  • Fixed a bug causing some text to be truncated when converting from UTF-16.

  • Fixed assorted complaints identified by Coverity static analysis.

  • Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam
    config option to be pruned and then re-downloaded with every update.

  • Added the new 'valhalla' database name to the list of optional databases in
    preparation for future work.

  • Added symbols to the libclamav.map file to enable additional build
    configurations.

    Patch courtesy of Neil Wilson.

Loading