@@ -19,7 +19,7 @@ cmake_policy(SET CMP0087 NEW) # support generator expressions in install(CODE) a

 #  For release candidate:     set(VERSION_SUFFIX "-rc")

 #  For release:               set(VERSION_SUFFIX "")

 string(TIMESTAMP TODAY "%Y%m%d")

-set(VERSION_SUFFIX "-beta")

+set(VERSION_SUFFIX "-rc")

 project( ClamAV

          VERSION "1.5.0"

@@ -11,51 +11,73 @@ ClamAV 1.5.0 includes the following improvements and changes:

 - Added checks to determine if an OLE2-based Microsoft Office document is

   encrypted.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1295)

-- Added the ability to record URLs found in HTML if the generate-JSON-metadata

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1295)

+

+- Added the ability to record URIs found in HTML if the generate-JSON-metadata

+  feature is enabled.

+  Also adds an option to disable this in case you want the JSON metadata

+  feature but do not want to record HTML URIs.

+  The ClamScan command-line option is `--json-store-html-uris=no`.

+  The `clamd.conf` config option is `JsonStoreHTMLURIs no`.

+  The libclamav general scan option is `CL_SCAN_GENERAL_STORE_HTML_URIS`

+

+  [GitHub pull request #1](https://github.com/Cisco-Talos/clamav/pull/1281)

+

+  [GitHub pull request #2](https://github.com/Cisco-Talos/clamav/pull/1482)

+

+  [GitHub pull request #3](https://github.com/Cisco-Talos/clamav/pull/1514)

+

+- Added the ability to record URIs found in PDFs if the generate-JSON-metadata

   feature is enabled.

   Also adds an option to disable this in case you want the JSON metadata

-  feature but don't want to record HTML URLs.

-  The ClamScan command-line option is `--json-store-html-urls=no`.

-  The `clamd.conf` config option is `JsonStoreHTMLUrls no`.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1281)

+  feature but do not want to record PDF URIs.

+  The ClamScan command-line option is `--json-store-pdf-uris=no`.

+  The `clamd.conf` config option is `JsonStorePDFURIs no`.

+  The libclamav general scan option is `CL_SCAN_GENERAL_STORE_PDF_URIS`

+

+  [GitHub pull request #1](https://github.com/Cisco-Talos/clamav/pull/1482)

+

+  [GitHub pull request #2](https://github.com/Cisco-Talos/clamav/pull/1514)

 - Added regex support for the `clamd.conf` `OnAccessExcludePath` config option.

   This change courtesy of GitHub user b1tg.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1314)

-- Added FIPS-compliant CVD signing/verification with external `.sign` files.

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1314)

+

+- Added CVD signing/verification with external `.sign` files.

   Freshclam will now attempt to download external signature files to accompany

   existing `.cvd` databases and `.cdiff` patch files. Sigtool now has commands

   to sign and verify using the external signatures.

   ClamAV now installs a 'certs' directory in the app config directory

-  (e.g. `<prefix>/etc/certs`). The install path is configurable.

-  The CMake option to configure the CVD certs directory is:

+  (e.g., `<prefix>/etc/certs`). The install path is configurable.

+  The CMake option to configure the CVD certs directory is

   `-D CVD_CERTS_DIRECTORY=PATH`

   New options to set an alternative CVD certs directory:

-  - The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is:

+  - The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is

     `--cvdcertsdir PATH`

-  - The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is:

+  - The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is

     `CVD_CERTS_DIR`

-  - The config option for Freshclam and ClamD is:

+  - The config option for Freshclam and ClamD is

     `CVDCertsDirectory PATH`

   Added two new APIs to the public clamav.h header:

-    ```c

-    extern cl_error_t cl_cvdverify_ex(const char *file,

-                                      const char *certs_directory,

-                                      uint32_t dboptions);

-

-    extern cl_error_t cl_cvdunpack_ex(const char *file,

-                                      const char *dir,

-                                      const char *certs_directory,

-                                      uint32_t dboptions);

-    ```

-    The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.

+  ```c

+  cl_error_t cl_cvdverify_ex(

+      const char *file,

+      const char *certs_directory,

+      uint32_t dboptions);

+

+  cl_error_t cl_cvdunpack_ex(

+      const char *file,

+      const char *dir,

+      const char *certs_directory,

+      uint32_t dboptions);

+  ```

+  The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.

   Added a `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.

   You may set this option with `cl_engine_set_str` and get it with

@@ -64,76 +86,582 @@ ClamAV 1.5.0 includes the following improvements and changes:

   Thank you to Mark Carey at SAP for inspiring work on this feature with an

   initial proof of concept for external-signature FIPS compliant CVD signing.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1417)

+  [GitHub pull request #1](https://github.com/Cisco-Talos/clamav/pull/1417)

+

+  [GitHub pull request #2](https://github.com/Cisco-Talos/clamav/pull/1478)

+

+  [GitHub pull request #3](https://github.com/Cisco-Talos/clamav/pull/1489)

+

+  [GitHub pull request #4](https://github.com/Cisco-Talos/clamav/pull/1491)

+

+- Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like

+  limits disabling MD5 and SHA1 from being used for verifying digital signatures

+  or for being used to trust a file when checking for false positives (FPs).

+

+  For `freshclam.conf` and `clamd.conf` set this config option:

+  ```

+  FIPSCryptoHashLimits yes

+  ```

+

+  For `clamscan` and `sigtool` use this command-line option:

+  ```

+  --fips-limits

+  ```

+

+  For libclamav: Enable FIPS-limits for a ClamAV engine like this:

+  ```C

+  cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1);

+  ```

+

+  ClamAV will also attempt to detect if FIPS-mode is enabled. If so, it will

+  automatically enable the FIPS-limits feature.

+

+  This change mitigates safety concerns over the use of MD5 and SHA1 algorithms

+  to trust files and is required to enable ClamAV to operate legitimately in

+  FIPS-mode enabled environments.

+

+  Note: ClamAV may still calculate MD5 or SHA1 hashes as needed for detection

+  purposes or for informational purposes in FIPS-enabled environments and when

+  the FIPS-limits option is enabled.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

+

+- Upgraded the clean-file scan cache to use SHA2-256 (prior versions use MD5).

+  The clean-file cache algorithm is not configurable.

+

+  This change resolves safety concerns over the use of MD5 to trust files and

+  is required to enable ClamAV to operate legitimately in FIPS-mode enabled

+  environments.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

+

+- ClamD: Added an option to disable select administrative commands including

+  `SHUTDOWN`, `RELOAD`, `STATS` and `VERSION`.

+

+  The new `clamd.conf` options are:

+  ```

+  EnableShutdownCommand yes

+  EnableReloadCommand yes

+  EnableStatsCommand yes

+  EnableVersionCommand yes

+  ```

+  This change courtesy of GitHub user ChaoticByte.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1502)

+

+- libclamav: Added extended hashing functions with a "flags" parameter that

+  allows the caller to choose if they want to bypass FIPS hash algorithm limits:

+  ```c

+  cl_error_t cl_hash_data_ex(

+      const char *alg,

+      const uint8_t *data,

+      size_t data_len,

+      uint8_t **hash,

+      size_t *hash_len,

+      uint32_t flags);

+

+  cl_error_t cl_hash_init_ex(

+      const char *alg,

+      uint32_t flags,

+      cl_hash_ctx_t **ctx_out);

+

+  cl_error_t cl_update_hash_ex(

+      cl_hash_ctx_t *ctx,

+      const uint8_t *data,

+      size_t length);

+

+  cl_error_t cl_finish_hash_ex(

+      cl_hash_ctx_t *ctx,

+      uint8_t **hash,

+      size_t *hash_len,

+      uint32_t flags);

+

+  void cl_hash_destroy(void *ctx);

+

+  cl_error_t cl_hash_file_fd_ex(

+      const char *alg,

+      int fd,

+      size_t offset,

+      size_t length,

+      uint8_t **hash,

+      size_t *hash_len,

+      uint32_t flags);

+  ```

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

+

+- ClamScan: Improved the precision of the bytes-scanned and bytes-read counters.

+  The ClamScan scan summary will now report exact counts in "GiB", "MiB", "KiB",

+  or "B" as appropriate. Previously, it always reported "MB".

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

+

+- ClamScan: Add hash & file-type in/out CLI options:

+  - `--hash-hint`: The file hash so that libclamav does not need to calculate

+    it. The type of hash must match the `--hash-alg`.

+  - `--log-hash`: Print the file hash after each file scanned. The type of hash

+    printed will match the `--hash-alg`.

+  - `--hash-alg`: The hashing algorithm used for either `--hash-hint` or

+    `--log-hash`. Supported algorithms are "md5", "sha1", "sha2-256".

+    If not specified, the default is "sha2-256".

+  - `--file-type-hint`: The file type hint so that libclamav can optimize

+    scanning (e.g., "pe", "elf", "zip", etc.). You may also use ClamAV type names

+    such as "CL_TYPE_PE". ClamAV will ignore the hint if it is not familiar with

+    the specified type.

+    See also: https://docs.clamav.net/appendix/FileTypes.html#file-types

+  - `--log-file-type`: Print the file type after each file scanned.

+

+  We will not be adding this for ClamDScan, as we do not have a mechanism in the

+  ClamD socket API to receive scan options or a way for ClamD to include scan

+  metadata in the response.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

+

+- libclamav: Added new scan functions that provide additional functionality:

+  ```c

+  cl_error_t cl_scanfile_ex(

+      const char *filename,

+      cl_verdict_t *verdict_out,

+      const char **last_alert_out,

+      uint64_t *scanned_out,

+      const struct cl_engine *engine,

+      struct cl_scan_options *scanoptions,

+      void *context,

+      const char *hash_hint,

+      char **hash_out,

+      const char *hash_alg,

+      const char *file_type_hint,

+      char **file_type_out);

+

+  cl_error_t cl_scandesc_ex(

+      int desc,

+      const char *filename,

+      cl_verdict_t *verdict_out,

+      const char **last_alert_out,

+      uint64_t *scanned_out,

+      const struct cl_engine *engine,

+      struct cl_scan_options *scanoptions,

+      void *context,

+      const char *hash_hint,

+      char **hash_out,

+      const char *hash_alg,

+      const char *file_type_hint,

+      char **file_type_out);

+

+  cl_error_t cl_scanmap_ex(

+      cl_fmap_t *map,

+      const char *filename,

+      cl_verdict_t *verdict_out,

+      const char **last_alert_out,

+      uint64_t *scanned_out,

+      const struct cl_engine *engine,

+      struct cl_scan_options *scanoptions,

+      void *context,

+      const char *hash_hint,

+      char **hash_out,

+      const char *hash_alg,

+      const char *file_type_hint,

+      char **file_type_out);

+  ```

+

+  The older `cl_scan*()` functions are now deprecated and may be removed in a

+  future release. See `clamav.h` for more details.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

+

+- libclamav: Added a new engine option to toggle temp directory recursion.

+

+  Temp directory recursion is the idea that each object scanned in ClamAV's

+  recursive extract/scan process will get a new temp subdirectory, mimicking

+  the nesting structure of the file.

+

+  Temp directory recursion was introduced in ClamAV 0.103 and is enabled

+  whenever `--leave-temps` / `LeaveTemporaryFiles` is enabled.

+

+  In ClamAV 1.5, an application linking to libclamav can separately enable temp

+  directory recursion if they wish.

+  For ClamScan and ClamD, it will remain tied to `--leave-temps` /

+  `LeaveTemporaryFiles` options.

+

+  The new temp directory recursion option can be enabled with:

+  ```c

+  cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1);

+  ```

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

+

+- libclamav: Added a class of scan callback functions that can be added with the

+  following API function:

+  ```c

+  void cl_engine_set_scan_callback(struct cl_engine *engine, clcb_scan callback, cl_scan_callback_t location);

+  ```

+

+  The scan callback location may be configured using the following five values:

+  - `CL_SCAN_CALLBACK_PRE_HASH`: Occurs just after basic file-type detection and

+    before any hashes have been calculated either for the cache or the gen-json

+    metadata.

+  - `CL_SCAN_CALLBACK_PRE_SCAN`: Occurs before parser modules run and before

+    pattern matching.

+  - `CL_SCAN_CALLBACK_POST_SCAN`: Occurs after pattern matching and after

+    running parser modules. A.k.a. the scan is complete for this layer.

+  - `CL_SCAN_CALLBACK_ALERT`: Occurs each time an alert (detection) would be

+    triggered during a scan.

+  - `CL_SCAN_CALLBACK_FILE_TYPE`: Occurs each time the file type determination

+    is refined. This may happen more than once per layer.

+

+  Each callback may alter scan behavior using the following return codes:

+

+  - `CL_BREAK`: Scan aborted by callback. The rest of the scan is skipped.

+    This does not mark the file as clean or infected, it just skips the rest of

+    the scan.

+

+  - `CL_SUCCESS` / `CL_CLEAN`: File scan will continue.

+

+    For `CL_SCAN_CALLBACK_ALERT`: This means you want to ignore this specific

+    alert and keep scanning.

+

+    This is different than `CL_VERIFIED` because it does not affect prior or

+    future alerts. Return `CL_VERIFIED` instead if you want to remove prior

+    alerts for this layer and skip the rest of the scan for this layer.

+

+  - `CL_VIRUS`: This means you do not trust the file. A new alert will be added.

+

+    For `CL_SCAN_CALLBACK_ALERT`: This means you agree with the alert and no

+    extra alert is needed.

+

+  - `CL_VERIFIED`: Layer explicitly trusted by the callback and previous alerts

+    removed for THIS layer. You might want to do this if you trust the hash or

+    verified a digital signature. The rest of the scan will be skipped for THIS

+    layer. For contained files, this does NOT mean that the parent or adjacent

+    layers are trusted.

+

+  Each callback is given a pointer to the current scan layer from which they can

+  get previous layers, can get the layer's fmap, and then various attributes of

+  the layer and of the fmap. To make this possible, there are new APIs to

+  query scan-layer details and fmap details:

+  ```c

+    cl_error_t cl_fmap_set_name(cl_fmap_t *map, const char *name);

+    cl_error_t cl_fmap_get_name(cl_fmap_t *map, const char **name_out);

+    cl_error_t cl_fmap_set_path(cl_fmap_t *map, const char *path);

+    cl_error_t cl_fmap_get_path(cl_fmap_t *map, const char **path_out, size_t *offset_out, size_t *len_out);

+    cl_error_t cl_fmap_get_fd(const cl_fmap_t *map, int *fd_out, size_t *offset_out, size_t *len_out);

+    cl_error_t cl_fmap_get_size(const cl_fmap_t *map, size_t *size_out);

+    cl_error_t cl_fmap_set_hash(const cl_fmap_t *map, const char *hash_alg, char hash);

+    cl_error_t cl_fmap_have_hash(const cl_fmap_t *map, const char *hash_alg, bool *have_hash_out);

+    cl_error_t cl_fmap_will_need_hash_later(const cl_fmap_t *map, const char *hash_alg);

+    cl_error_t cl_fmap_get_hash(const cl_fmap_t *map, const char *hash_alg, char **hash_out);

+    cl_error_t cl_fmap_get_data(const cl_fmap_t *map, size_t offset, size_t len, const uint8_t **data_out, size_t *data_len_out);

+    cl_error_t cl_scan_layer_get_fmap(cl_scan_layer_t *layer, cl_fmap_t **fmap_out);

+    cl_error_t cl_scan_layer_get_parent_layer(cl_scan_layer_t *layer, cl_scan_layer_t **parent_layer_out);

+    cl_error_t cl_scan_layer_get_type(cl_scan_layer_t *layer, const char **type_out);

+    cl_error_t cl_scan_layer_get_recursion_level(cl_scan_layer_t *layer, uint32_t *recursion_level_out);

+    cl_error_t cl_scan_layer_get_object_id(cl_scan_layer_t *layer, uint64_t *object_id_out);

+    cl_error_t cl_scan_layer_get_last_alert(cl_scan_layer_t *layer, const char **alert_name_out);

+    cl_error_t cl_scan_layer_get_attributes(cl_scan_layer_t *layer, uint32_t *attributes_out);

+  ```

+

+  This deprecates, but does not immediately remove, the existing scan callbacks:

+  ```c

+    void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cache callback);

+    void cl_engine_set_clcb_file_inspection(struct cl_engine *engine, clcb_file_inspection callback);

+    void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan callback);

+    void cl_engine_set_clcb_post_scan(struct cl_engine *engine, clcb_post_scan callback);

+    void cl_engine_set_clcb_virus_found(struct cl_engine *engine, clcb_virus_found callback);

+    void cl_engine_set_clcb_hash(struct cl_engine *engine, clcb_hash callback);

+  ```

+

+  There is an interactive test program to demonstrate the new callbacks.

+  See: `examples/ex_scan_callbacks.c`

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

+

+- Signature names that start with "Weak." will no longer alert.

+  Instead, they will be tracked internally and can be found in scan metadata

+  JSON. This is a step towards enabling alerting signatures to depend on prior

+  Weak indicator matches in the current layer or in child layers.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

+

+- For the "Generate Metadata JSON" feature:

+

+  - The "Viruses" array of alert names has been replaced by two new arrays that

+    include additional details beyond just signature name:

+    - "Indicators" records three types of indicators:

+      - **Strong** indicators are for traditional alerting signature matches and

+        will halt the scan, except in all-match mode.

+      - **Potentially Unwanted** indicators will only cause an alert at the end of

+        the scan unless a Strong indicator is found. They are treated the same

+        as Strong indicators in all-match mode.

+      - **Weak** indicators do not alert and will be leveraged in a future version

+        as a condition for logical signature matches.

+    - "Alerts" records only alerting indicators. Events that trust a file, such

+      as false positive signatures, will remove affected indicators, and mark

+      them as "Ignored" in the "Indicators" array.

+

+  - Add new option to calculate and record additional hash types when the

+    "generate metadata JSON" feature is enabled:

+    - libclamav option: `CL_SCAN_GENERAL_STORE_EXTRA_HASHES`

+    - ClamScan option: `--json-store-extra-hashes` (default off)

+    - `clamd.conf` option: `JsonStoreExtraHashes` (default 'no')

+

+  - The file hash is now stored as "sha2-256" instead of "FileMD5". If you

+    enable the "extra hashes" option, then it will also record "md5" and "sha1".

+

+  - Each object scanned now has a unique "Object ID".

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

+

+- Sigtool: Renamed the sigtool option `--sha256` to `--sha2-256`.

+  The original option is still functional but is deprecated.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

 ### Other improvements

 - Set a limit on the max-recursion config option. Users will no longer be

   able to set max-recursion higher than 100.

-  This change prevents errors on start up or possible crashes if encountering

+  This change prevents errors on start up or crashes if encountering

   a file with that many layers of recursion.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1264)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1264)

 - Build system: CMake improvements to support compiling for the AIX platform.

   This change is courtesy of GitHub user KamathForAIX.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1387)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1387)

 - Improve support for extracting malformed zip archives.

   This change is courtesy of Frederick Sell.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1460)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1460)

 - Windows: Code quality improvement for the ClamScan and ClamDScan `--move`

   and `--remove` options.

   This change is courtesy of Maxim Suhanov.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1470)

-- Added file type recognition for some kinds of AI model files.

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1470)

-  The file type appears as a string parameter for these callback functions:

-  - `clcb_pre_cache`

-  - `clcb_pre_scan`

-  - `clcb_file_inspection`

+- Added file type recognition for an initial set of AI model file types.

+

+  The file type is accessible to applications using libclamav via the scan

+  callback functions and as an optional output parameter to the scan functions:

+  `cl_scanfile_ex()`, `cl_scanmap_ex()`, and `cl_scandesc_ex()`.

+

+  When scanning these files, type will now show "CL_TYPE_AI_MODEL" instead of

+  "CL_TYPE_BINARY_DATA".

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1476)

+

+- Added support for inline comments in ClamAV configuration files.

+  This change is courtesy of GitHub user userwiths.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1308)

+

+- Disabled the MyDoom hardcoded/heuristic detection because of false positives.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1495)

+

+- Sigtool: Added support for creating `.cdiff` and `.script` patch files for

+  CVDs that have underscores in the CVD name.

+  Also improved support for relative paths with the `--diff` command.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1541)

+

+- Windows: Improved support for file names with UTF-8 characters not found in

+  the ANSI or OEM code pages when printing scan results or showing activity in

+  the ClamDTOP monitoring utility.

+  Fixed a bug with opening files with such names with the Sigtool utility.

+

+  [GitHub pull request #1](https://github.com/Cisco-Talos/clamav/pull/1461)

+

+  [GitHub pull request #2](https://github.com/Cisco-Talos/clamav/pull/1537)

+

+- Improved the code quality of the ZIP module. Added inline documentation.

+

+  [GitHub pull request #1](https://github.com/Cisco-Talos/clamav/pull/1548)

+

+  [GitHub pull request #2](https://github.com/Cisco-Talos/clamav/pull/1552)

+

+- Always run scan callbacks for embedded files. Embedded files are found within

+  other files through signature matches instead of by parsing. They will now

+  be processed the same way and then they can trigger application callbacks

+  (e.g., "pre-scan", "post-scan", etc.).

-  When scanning these files, the `type` parameter will now show

-  "CL_TYPE_AI_MODEL" instead of "CL_TYPE_BINARY_DATA".

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1476)

+  This change will impact scans with both the "leave-temps" feature and the

+  "force-to-disk" feature enabled, resulting in additional temporary files.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

+

+- Added DevContainer templates to the ClamAV Git repository in order to make it

+  easier to set up AlmaLinux or Debian development environments.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1462)

 ### Bug fixes

-- Technical debt: Reduced email multipart message parser complexity.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1347)

+- Reduced email multipart message parser complexity.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1347)

 - Fixed possible undefined behavior in inflate64 module.

   The inflate64 module is a modified version of the zlib library, taken from

   version 1.2.3 with some customization and with some cherry-picked fixes.

   This adds one additional fix from zlib 1.2.9.

   Thank you to TITAN Team for reporting this issue.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1469)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1469)

 - Fixed a bug in ClamD that broke reporting of memory usage on Linux.

   The STATS command can be used to monitor ClamD directly or through ClamDTOP.

-  The memory stats feature does not work on all platforms (e.g. Windows).

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1465)

+  The memory stats feature does not work on all platforms (e.g., Windows).

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1465)

-- Windows: Fix a build issue when the same library dependency is found in

+- Windows: Fixed a build issue when the same library dependency is found in

   two different locations.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1453)

-- Fix an infinite loop when scanning some email files in debug-mode.

-  This fix is courtesy of Yoann Lecuyer

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1445)

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1453)

+

+- Fixed an infinite loop when scanning some email files in debug-mode.

+  This fix is courtesy of Yoann Lecuyer.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1445)

+

+- Fixed a stack buffer overflow bug in the phishing signature load process.

+  This fix is courtesy of GitHub user Shivam7-1.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1486)

+

+- Fixed a race condition in the Freshclam feature tests.

+  This fix is courtesy of GitHub user rma-x.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1513)

+

+- Windows: Fixed a 5-byte heap buffer overread in the Windows unit tests.

+  This fix is courtesy of GitHub user Sophie0x2E.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1542)

+

+- Fix double-extraction of OOXML-based office documents.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

+

+- ClamBC: Fixed crashes on startup.

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1532)

 ### Acknowledgments

 Special thanks to the following people for code contributions and bug reports:

 - b1tg

+- ChaoticByte

 - Frederick Sell

 - KamathForAIX

 - Mark Carey at SAP

 - Maxim Suhanov

+- rma-x

+- Shivam7-1

+- Sophie0x2E

 - TITAN Team

+- userwiths

 - Yoann Lecuyer

+## 1.4.3

+

+ClamAV 1.4.3 is a patch release with the following fixes:

+

+- [CVE-2025-20260](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20260):

+  Fixed a possible buffer overflow write bug in the PDF file parser that could

+  cause a denial-of-service (DoS) condition or enable remote code execution.

+

+  This issue only affects configurations where both:

+  1. The max file-size scan limit is set greater than or equal to 1024MB.

+  2. The max scan-size scan limit is set greater than or equal to 1025MB.

+

+  The code flaw was present prior to version 1.0.0, but a change in version

+  1.0.0 that enables larger allocations based on untrusted data made it

+  possible to trigger this bug.

+

+  This issue affects all currently supported versions. It will be fixed in:

+  - 1.4.3

+  - 1.0.9

+

+  Thank you to Greg Walkup at Sandia National Labs for identifying this issue.

+

+- [CVE-2025-20234](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20234):

+  Fixed a possible buffer overflow read bug in the UDF file parser that may

+  write to a temp file and thus disclose information, or it may crash and

+  cause a denial-of-service (DoS) condition.

+

+  This issue was introduced in version 1.2.0. It will be fixed in 1.4.3.

+

+  Thank you to volticks (@movx64 on Twitter/X), working with Trend Micro Zero

+  Day Initiative, for identifying this issue.

+

+- Fixed a possible use-after-free bug in the Xz decompression module in the

+  bundled lzma-sdk library.

+

+  This issue was fixed in the lzma-sdk version 18.03. ClamAV bundles a copy

+  of the lzma-sdk with some performance changes specific to libclamav, plus

+  select bug fixes like this one in lieu of a full upgrade to newer lzma-sdk.

+

+  This issue affects all ClamAV versions at least as far back as 0.99.4.

+  It will be fixed in:

+  - 1.4.3

+  - 1.0.9

+

+  Thank you to OSS-Fuzz for identifying this issue.

+

+- Windows: Fixed a build install issue when a DLL dependency such as libcrypto

+  has the exact same name as one provided by the Windows operating system.

+

+## 1.4.2

+

+ClamAV 1.4.2 is a patch release with the following fixes:

+

+- [CVE-2025-20128](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20128):

+  Fixed a possible buffer overflow read bug in the OLE2 file parser that could

+  cause a denial-of-service (DoS) condition.

+

+  This issue was introduced in version 1.0.0 and affects all currently

+  supported versions. It will be fixed in:

+  - 1.4.2

+  - 1.0.8

+

+  Thank you to OSS-Fuzz for identifying this issue.

+

+## 1.4.1

+

+ClamAV 1.4.1 is a critical patch release with the following fixes:

+

+- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):

+  Changed the logging module to disable following symlinks on Linux and Unix

+  systems so as to prevent an attacker with existing access to the 'clamd' or

+  'freshclam' services from using a symlink to corrupt system files.

+

+  This issue affects all currently supported versions. It will be fixed in:

+  - 1.4.1

+  - 1.3.2

+  - 1.0.7

+  - 0.103.12

+

+  Thank you to Detlef for identifying this issue.

+

+- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):

+  Fixed a possible out-of-bounds read bug in the PDF file parser that could

+  cause a denial-of-service (DoS) condition.

+

+  This issue affects all currently supported versions. It will be fixed in:

+  - 1.4.1

+  - 1.3.2

+  - 1.0.7

+  - 0.103.12

+

+  Thank you to OSS-Fuzz for identifying this issue.

+

+- Removed unused Python modules from freshclam tests including deprecated

+  'cgi' module that is expected to cause test failures in Python 3.13.

+

 ## 1.4.0

 ClamAV 1.4.0 includes the following improvements and changes:

@@ -146,13 +674,15 @@ ClamAV 1.4.0 includes the following improvements and changes:

   option to enable or disable ALZ archive support.

   > _Tip_: DCONF (Dynamic CONFiguration) is a feature that allows for some

   > configuration changes to be made via ClamAV `.cfg` "signatures".

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1183)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1183)

 - Added support for extracting LHA/LZH archives.

   The new ClamAV file type for LHA/LZH archives is `CL_TYPE_LHA_LZH`.

   Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)

   option to enable or disable LHA/LZH archive support.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1192)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1192)

 - Added the ability to disable image fuzzy hashing, if needed. For context,

   image fuzzy hashing is a detection mechanism useful for identifying malware

@@ -178,7 +708,8 @@ ClamAV 1.4.0 includes the following improvements and changes:

   Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)

   option to enable or disable image fuzzy hashing support.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1186)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1186)

 ### Other improvements

@@ -186,83 +717,100 @@ ClamAV 1.4.0 includes the following improvements and changes:

   [Windows](https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-windows-arm64.md)

   and

   [Linux](https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-linux-arm64.md).

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1116)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1116)

 - Improved the Freshclam warning messages when being blocked or rate limited

   so as to include the Cloudflare Ray ID, which helps with issue triage.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1195)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1195)

 - Removed unnecessary memory allocation checks when the size to be allocated

   is fixed or comes from a trusted source.

   We also renamed internal memory allocation functions and macros, so it is

   more obvious what each function does.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1137)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1137)

 - Improved the Freshclam documentation to make it clear that the `--datadir`

   option must be an absolute path to a directory that already exists, is

   writable by Freshclam, and is readable by ClamScan and ClamD.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1199)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1199)

 - Added an optimization to avoid calculating the file hash if the clean file

   cache has been disabled. The file hash may still be calculated as needed to

   perform hash-based signature matching if any hash-based signatures exist that

   target a file of the same size, or if any hash-based signatures exist that

   target "any" file size.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1167)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1167)

 - Added an improvement to the SystemD service file for ClamOnAcc so that the

   service will shut down faster on some systems.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1164)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1164)

 - Added a CMake build dependency on the version map files so that the build

   will re-run if changes are made to the version map files.

   Work courtesy of Sebastian Andrzej Siewior.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1294)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1294)

 - Added an improvement to the CMake build so that the RUSTFLAGS settings

   are inherited from the environment.

   Work courtesy of liushuyu.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1301)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1301)

 ### Bug fixes

 - Silenced confusing warning message when scanning some HTML files.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1252)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1252)

 - Fixed minor compiler warnings.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1197)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1197)

 - Since the build system changed from Autotools to CMake, ClamAV no longer

   supports building with configurations where bzip2, libxml2, libz, libjson-c,

   or libpcre2 are not available. Libpcre is no longer supported in favor of

   libpcre2. In this release, we removed all the dead code associated with those

   unsupported build configurations.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1217)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1217)

 - Fixed assorted typos. Patch courtesy of RainRat.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1228)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1228)

 - Added missing documentation for the ClamScan `--force-to-disk` option.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1186)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1186)

 - Fixed an issue where ClamAV unit tests would prefer an older

   libclamunrar_iface library from the install path, if present, rather than

   the recently compiled library in the build path.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1258)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1258)

 - Fixed a build issue on Windows with newer versions of Rust.

   Also upgraded GitHub Actions imports to fix CI failures.

   Fixes courtesy of liushuyu.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1307)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1307)

 - Fixed an unaligned pointer dereference issue on select architectures.

   Fix courtesy of Sebastian Andrzej Siewior.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1293)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1293)

 - Fixed a bug that prevented loading plaintext (non-CVD) signature files

   when using the `--fail-if-cvd-older-than=DAYS` / `FailIfCvdOlderThan` option.

   Fix courtesy of Bark.

-  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1309)

+

+  [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1309)

 ### Acknowledgments

@@ -272,6 +820,57 @@ Special thanks to the following people for code contributions and bug reports:

 - Sebastian Andrzej Siewior

 - RainRat

+## 1.3.2

+

+ClamAV 1.3.2 is a patch release with the following fixes:

+

+- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):

+  Changed the logging module to disable following symlinks on Linux and Unix

+  systems so as to prevent an attacker with existing access to the 'clamd' or

+  'freshclam' services from using a symlink to corrupt system files.

+

+  This issue affects all currently supported versions. It will be fixed in:

+  - 1.4.1

+  - 1.3.2

+  - 1.0.7

+  - 0.103.12

+

+  Thank you to Detlef for identifying this issue.

+

+- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):

+  Fixed a possible out-of-bounds read bug in the PDF file parser that could