Browse code
Update to the NEWS blurb to include CVE ID for zip-bomb issue.
Micah Snyder authored on 2019/08/15 07:14:24Showing 1 changed files
| ... | ... |
@@ -14,11 +14,13 @@ ClamAV 0.101.4 is a security patch release that addresses the following issues. |
| 14 | 14 |
|
| 15 | 15 |
Thanks to Martin Simmons for reporting the issue [here](https://bugzilla.clamav.net/show_bug.cgi?id=12371) |
| 16 | 16 |
|
| 17 |
-- A workaround for the zip-bomb vulnerability patch found in 0.101.3 was |
|
| 18 |
- identified. To remediate future denial of service conditions caused by |
|
| 19 |
- excessive scan times, a scan time limit has been introduced. |
|
| 17 |
+- The zip bomb vulnerability mitigated in 0.101.3 has been assigned the |
|
| 18 |
+ CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb |
|
| 19 |
+ mitigation was immediately identified. To remediate the zip-bomb scantime |
|
| 20 |
+ issue, a scan time limit has been introduced in 0.101.4. This limit now |
|
| 21 |
+ resolves ClamAV's vulnerability to CVE-2019-12625. |
|
| 20 | 22 |
|
| 21 |
- The default value is 2 minutes (120000 milliseconds). |
|
| 23 |
+ The default scan time limit is 2 minutes (120000 milliseconds). |
|
| 22 | 24 |
|
| 23 | 25 |
To customize the time limit: |
| 24 | 26 |
|