...
|
...
|
@@ -14,11 +14,13 @@ ClamAV 0.101.4 is a security patch release that addresses the following issues.
|
14
|
14
|
|
15
|
15
|
Thanks to Martin Simmons for reporting the issue [here](https://bugzilla.clamav.net/show_bug.cgi?id=12371)
|
16
|
16
|
|
17
|
|
-- A workaround for the zip-bomb vulnerability patch found in 0.101.3 was
|
18
|
|
- identified. To remediate future denial of service conditions caused by
|
19
|
|
- excessive scan times, a scan time limit has been introduced.
|
|
17
|
+- The zip bomb vulnerability mitigated in 0.101.3 has been assigned the
|
|
18
|
+ CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb
|
|
19
|
+ mitigation was immediately identified. To remediate the zip-bomb scantime
|
|
20
|
+ issue, a scan time limit has been introduced in 0.101.4. This limit now
|
|
21
|
+ resolves ClamAV's vulnerability to CVE-2019-12625.
|
20
|
22
|
|
21
|
|
- The default value is 2 minutes (120000 milliseconds).
|
|
23
|
+ The default scan time limit is 2 minutes (120000 milliseconds).
|
22
|
24
|
|
23
|
25
|
To customize the time limit:
|
24
|
26
|
|
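Review bot: The rewritten bullet (new lines 17-21) drops the impact statement that the removed text carried ("denial of service conditions caused by excessive scan times"), so a reader of the release notes no longer sees what CVE-2019-12625 actually causes; consider keeping that phrase next to the CVE identifier. The same added lines are inconsistent in wording: "zip bomb" on the first line versus "zip-bomb" on the next two, and "scantime" where the following sentence uses "scan time limit". Pick one spelling of each. The closing sentence, "This limit now resolves ClamAV's vulnerability to CVE-2019-12625", could also say that the limit bounds scan time at the default of 2 minutes, since the default is user-configurable per the "To customize the time limit:" line that follows, and a raised limit changes how much protection it gives.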