@@ -5,17 +5,257 @@ Note: This file refers to the source tarball. Things described here may differ

## 0.101.0

-ClamAV 0.101.0 is in development!
+ClamAV 0.101.0 is a feature release with an assortment of improvements that
+we've cooked up over the past 6 months.
+
+### Some of the more obvious changes
+
+- Our user manual has been converted from latex/pdf/html into **Markdown**!
+ Markdown is easier to read & edit than latex, and is easier to contribute
+ to as it eliminates the need to generate documents (the PDF, HTML).
+ Find the user manual under docs/UserManual[.md].
+ [Check it out!](https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/docs/UserManual.md)
+- Support for RAR v5 archive extraction! We replaced the legacy C-based unrar
+ implementation with RarLabs UnRAR 5.6.5 library. Licensing is the same as
+ before, although our `libclamunrar_iface` supporting library has changed from
+ LGPL to the BSD 3-Clause license.
+- Libclamav API changes:
+ - Scanning options have been converted from a single flag bit-field into
+ a structure of multiple categorized flag bit-fields. This change enabled
+ us to add new scanning options requested by the community. In addition,
+ the name of each scan option has changed a little.
+ As a result, the API changes will require libclamav users to modify
+ how they initialize and pass scan options into calls such as `cl_scandesc()`.
+ For details:
+ - [example code](https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/examples/ex1.c#L89)
+ - [documentation](https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/docs/UserManual/libclamav.md#data-scan-functions)
+ - With our move to openssl versions >1.0.1, the `cl_cleanup_crypto()` function
+ has been deprecated. This is because cleanup of open-ssl init functions is
+ now handled by an auto-deinit procedure within the openssl library, meaning
+ the call to `EVP_cleanup()` may cause problems to processes external to Clam.
+ - `CL_SCAN_HEURISTIC_ENCRYPTED` scan option was replaced by 2 new scan options:
+ - `CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE`
+ - `CL_SCAN_HEURISTIC_ENCRYPTED_DOC`
+- `clamd.conf` and command line interface (CLI) changes:
+ - As in 0.100.2, the clamd.conf `OnAccessExtraScanning` has been temporarily
+ disabled in order to prevent resource cleanup issues from impacting clamd
+ stability. As noted below, `OnAccessExtraScanning` is an opt-in minor
+ feature of on-access scanning on Linux systems and its loss does not
+ significantly impact the effectiveness of on-access scanning.
+ The option still exists, but the feature will not be enabled and a warning
+ will show if `LogVerbose` is enabled.
+ For details, see: https://bugzilla.clamav.net/show_bug.cgi?id=12048
+ - "Heuristic Alerts" (aka "Algorithmic Detection") options have been changed
+ to make the names more consistent. The original options are deprecated in
+ 0.101, and will be removed in a future feature release.
+ - In addition, _two new scan options_ were added to alert specifically on
+ encrypted archives or encrypted docs. Previous functionality did both, even
+ though it claimed to be specific to archives:
+ - Scan option details:
+
+ | Old `clamd.conf` option | *New* `clamd.conf` option |
+ | -------------------------------- | ---------------------------- |
+ | `AlgorithmicDetection` | `HeuristicAlerts` |
+ | `DetectBrokenExecutables` | `AlertBrokenExecutables` |
+ | `PhishingAlwaysBlockCloak` | `AlertPhishingCloak` |
+ | `PhishingAlwaysBlockSSLMismatch` | `AlertPhishingSSLMismatch` |
+ | `PartitionIntersection` | `AlertPartitionIntersection` |
+ | `BlockMax` | `AlertExceedsMax` |
+ | `OLE2BlockMacros` | `AlertOLE2Macros` |
+ | `ArchiveBlockEncrypted` | `AlertEncrypted` |
+ | | `AlertEncryptedArchive` |
+ | | `AlertEncryptedDoc` |
+
+ | Old `clamscan` option | *New* `clamscan` option |
+ | ---------------------------- | -------------------------------- |
+ | `--algorithmic-detection` | `--heuristic-alerts` |
+ | `--detect-broken` | `--alert-broken` |
+ | `--phishing-cloak` | `--alert-phishing-cloak` |
+ | `--phishing-ssl` | `--alert-phishing-ssl` |
+ | `--partition-intersection` | `--alert-partition-intersection` |
+ | `--block-max` | `--alert-exceeds-max` |
+ | `--block-macros` | `--alert-macros` |
+ | `--block-encrypted` | `--alert-encrypted` |
+ | | `--alert-encrypted-archive` |
+ | | `--alert-encrypted-doc` |
+
+### Some more subtle improvements
+
+- Logical signatures have been extended with a new subsignature type which
+ allows for numerical byte sequence comparison. For those familiar with
+ Snort, this byte comparison feature works similarly to the byte_extract
+ and byte_test feature, in that it allows signature writers to extract and
+ compare a specified number of bytes (offset from a match) against another
+ numeric value. You can read more about this feature, see how it works, and
+ look over examples in [our documentation](docs/UserManual/Signatures.md).
+- Backwards compatibility improvements for detecting the OpenSSL dependency.
+- Freshclam updated to match exit codes defined in the freshclam.1 man page.
+- Upgrade from libmspack 0.5alpha to libmspack 0.7.1alpha. As a reminder, we
+ support system-installed versions of libmspack. _However_, at this time the
+ ClamAV-provided version of libmspack provides additional abilities to parse
+ broken or non-standard CAB files beyond what the stock libmspack 0.7.1alpha
+ provides. We are working with the upstream project to incorporate our
+ modifications, and hopefully these changes will appear in a future release
+ of libmspack.
+- Updated the bundled 3rd party library libxml2 included for Windows builds to
+ version 2.9.8.
+- Updated the bundled 3rd party library pcre included for Windows builds to
+ pcre2 version 10.31.
+- Upgraded Aspack PE unpacking capability with support up to version 2.42.
+- Improvements to PDF parsing capability.
+- Replaced the Windows installer with a new installer built using InnoSetup 5.
+- Improved `curl-config` detection logic.
+ GitHub pull-request by Thomas Petazzoni.
+- Added file type `CL_TYPE_LNK` to more easily identify Windows Shortcut files
+ when writing signatures.
+- Windows executable (PE) Authenticode parsing improvements.
+- Some simplification to freshclam mirror management code, including changes
+ to reduce timeout on ignoring mirrors after errors, and to make freshclam
+ more tolerant when there is a delay between the time the new signature
+ database content is announced and the time that the content-delivery-network
+ has the content available for download.
+- Email MIME Header parsing changes to accept argument values with unbalanced
+ quotes. Improvement should improve detection of attachments on malformed
+ emails.
+ GitHub pull-request by monnerat.
+- Included the config filename when reporting errors parsing ClamAV configs.
+ GitHub pull-request by Josh Soref.
+- Improvement to build scripts for clamav-milter.
+ GitHub pull-request by Renato Botelho.
+
+### Other changes
+
+- Removed option handler for `AllowSupplementaryGroups` from libfreshclam.
+ This option was previously deprecated from freshclam in ClamAV 0.100.0 but
+ remained in libfreshclam by mistake.
+- In older versions of pcre2 and in pcre, a higher `PCRERecMatchLimit` may
+ cause `clamd` to crash on select files. We have lowered the default
+ `PCRERecMatchLimit` to 2000 to reduce the likelihood of a crash and have
+ added warnings to recommend using pcre2 v10.30 or higher to eliminate
+ the issue.
+
+### Supporting infrastructure
+
+As you might imagine, ClamAV is much more than just the tarball or EXE you
+download and install. Here at Talos, we've been working hard on the support
+infrastructure that's so easy to take for granted.
+
+- Test Frameworks
+ - Feature Testing:
+ Throughout the development of ClamAV 0.101, our quality assurance engineers
+ have been hard at work rebuilding our QA automation framework in Python from
+ the ground up to test ClamAV features on 32-and-64bit versions:
+ - Linux: Ubuntu, Debian, CentOS, Fedora
+ - FreeBSD 11
+ - Windows 10
+
+ In addition to building out the framework, they've written over 260
+ individual feature tests to validate correctness of the new features going
+ into 0.101 as well as to validate many existing features.
+
+ - Build Acceptance Testing:
+ Another major task accomplished during the development of 0.101 was the
+ creation of a build acceptance test framework that we run from our Jenkins
+ CI server.
+
+ Similar to the feature testing framework, our build acceptance framework
+ tests accross 64bit and 32bit (where available):
+ - macOS 10 (.10, .11, .13)
+ - Windows (7, 10)
+ - Debian (8, 9), Ubuntu (16.04, 18.04), CentOS (6, 7)
+ - FreeBSD (10, 11)
+
+ This pipeline creates our release materials including the Windows installers,
+ and then validates that the basic install, update, start, scan, and stop
+ procedures all work as expected each time commits are made to our
+ development branches.
+
+- Signature Database Distribution:
+ During the course of ClamAV 0.101 development, our web and ops teams have been
+ able to migrate us from a network of third-party mirrors over to use the
+ services of CloudFlare to provide a more unified content-delivery-network.
+
+ With CloudFlare, some users in geographic regions that had few mirrors
+ will notice much improved signature update speeds and reliability.
+ In addition, we're excited to be able to finally see user metrics that will
+ help us continue to improve ClamAV.
+
+ We are of course grateful to all of the community members who have donated
+ their server bandwidth to mirror the ClamAV signature databases over the
+ years. Thank-you so much!
+
+- Development Processes:
+ As many of you know, ClamAV 0.100 was in development for a good two years.
+ Not only was this frustrating for users awaiting new features and bug-fixes,
+ it also made for a difficult transition for users that weren't expecting two
+ years worth of change when 0.100 landed.
+
+ We have learned from the experience and are committed to providing shorter
+ and more responsive ClamAV development cycles.
+
+ ClamAV 0.101 is the first of many smaller feature releases where we created
+ a roadmap with distinct deadlines and with specific planned features. We based
+ the feature list on both community requests and our own needs and then
+ executed that plan.
+
+ We're very proud of ClamAV 0.101 and we hope you enjoy it.

-Here are the new features and improvements found in 0.101.0 in addition to
-an assortment of minor fixes:
+### Acknowledgements

-- User manual has been converted from latex/pdf/html over to Markdown. Markdown
- is easier to read & edit than latex, and is easier to contribute to as it
- eliminates the need to generate documents (the PDF, HTML). Find the user
- manual under docs/UserManual[.md].
-- Backwards compatibility improvements for detecting the OpenSSL dependency.
-- freshclam updated to match exit codes defined in the freshclam.1 man page.
+The ClamAV team thanks the following individuals for their code submissions:
+
+- Craig Andrews
+- Josh Soref
+- monnerat
+- Renato Botelho
+- tchernomax
+- Thomas Petazzoni
+
+## 0.100.2
+
+ClamAV 0.100.2 is a patch release to address a set of vulnerabilities.
+
+- Fixes for the following ClamAV vulnerabilities:
+ - [CVE-2018-15378](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15378):
+ Vulnerability in ClamAV's MEW unpacking feature that could allow an
+ unauthenticated, remote attacker to cause a denial of service (DoS)
+ condition on an affected device.
+ Reported by Secunia Research at Flexera.
+ - Fix for a 2-byte buffer over-read bug in ClamAV's PDF parsing code.
+ Reported by Alex Gaynor.
+- Fixes for the following vulnerabilities in bundled third-party libraries:
+ - [CVE-2018-14680](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14680):
+ An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It
+ does not reject blank CHM filenames.
+ - [CVE-2018-14681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14681):
+ An issue was discovered in kwajd_read_headers in mspack/kwajd.c in
+ libmspack before 0.7alpha. Bad KWAJ file header extensions could cause
+ a one or two byte overwrite.
+ - [CVE-2018-14682](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14682):
+ An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha.
+ There is an off-by-one error in the TOLOWER() macro for CHM decompression.
+ - Additionally, 0.100.2 reverted 0.100.1's patch for CVE-2018-14679, and applied
+ libmspack's version of the fix in its place.
+- Other changes:
+ - Some users have reported freshclam signature update failures as a result of
+ a delay between the time the new signature database content is announced and
+ the time that the content-delivery-network has the content available for
+ download. To mitigate these errors, this patch release includes some
+ modifications to freshclam to make it more lenient, and to reduce the time
+ that freshclam will ignore a mirror when it detects an issue.
+ - On-Access "Extra Scanning", an opt-in minor feature of OnAccess scanning on
+ Linux systems, has been disabled due to a known issue with resource cleanup.
+ OnAccessExtraScanning will be re-enabled in a future release when the issue
+ is resolved. In the mean-time, users who enabled the feature in clamd.conf
+ will see a warning informing them that the feature is not active.
+ For details, see: https://bugzilla.clamav.net/show_bug.cgi?id=12048
+
+Thank you to the following ClamAV community members for your code submissions
+and bug reports!
+
+- Alex Gaynor
+- Hiroya Ito
+- Laurent Delosieres, Secunia Research at Flexera

## 0.100.1
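Review bot: "tests accross 64bit and 32bit" in the Build Acceptance Testing paragraph should read "across", "32-and-64bit versions" in the Feature Testing paragraph should be "32- and 64-bit versions", and "Thank-you so much!" under Signature Database Distribution should be "Thank you so much!". Two content points in the same hunk deserve a second look before this NEWS entry ships. In the libclamav API bullet, "With our move to openssl versions >1.0.1, the `cl_cleanup_crypto()` function has been deprecated" justifies the deprecation by OpenSSL's auto-deinit, but that behaviour was introduced in OpenSSL 1.1.0, so ">1.0.1" as written still admits 1.0.2, where nothing deinitializes automatically; state the version that actually carries auto-deinit, or say what a 1.0.2 build does. The same paragraph says `EVP_cleanup()` "may cause problems to processes external to Clam", but `EVP_cleanup()` tears down the calling process's own OpenSSL state, so the affected parties are other OpenSSL users linked into the same process (an application embedding libclamav), not external processes; rewording it that way makes the risk accurate. Finally, the logical-signature bullet links "[our documentation](docs/UserManual/Signatures.md)" as a repository-relative path while the other documentation links in this entry are absolute GitHub URLs; the relative link breaks for anyone reading NEWS.md from the tarball or a release page, so make it absolute for consistency.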