The NetBSD Project

CVS log for pkgsrc/security/clamav/Makefile


Default branch: MAIN


Revision 1.91, Wed Nov 8 13:20:45 2023 UTC (4 months, 2 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2023Q4-base, pkgsrc-2023Q4, HEAD
Changes since 1.90: +2 -2 lines

*: recursive bump for icu 74.1

Revision 1.90, Tue Oct 24 22:10:45 2023 UTC (5 months ago) by wiz
Branch: MAIN
Changes since 1.89: +2 -1 lines

*: bump for openssl 3

Revision 1.89, Tue Aug 29 14:43:01 2023 UTC (6 months, 4 weeks ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2023Q3-base, pkgsrc-2023Q3
Changes since 1.88: +2 -4 lines

security/clamav: update to 0.103.10

pkgsrc change:

* Do not always include mail/libmilter/buildlink3.mk in Makefile.
* Use clamav-unit-test PKG_OPTIONS instead of deprecated unit-test.
* pkglint clean up.

0.103.10

ClamAV 0.103.10 is a critical patch release with the following fixes:

- Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.10.
  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1009

Revision 1.88, Wed Apr 19 08:08:40 2023 UTC (11 months, 1 week ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2023Q2-base, pkgsrc-2023Q2
Changes since 1.87: +2 -1 lines

revbump after textproc/icu update

Revision 1.87, Mon Feb 20 13:41:19 2023 UTC (13 months, 1 week ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2023Q1-base, pkgsrc-2023Q1
Changes since 1.86: +1 -2 lines

security/clamav: update to 0.103.8

pkgsrc change: avoid use empty in options.mk.

Security release.

0.103.8 (2023-02-15)

* CVE-2023-20032<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20032>:
  Fixed a possible remote code execution vulnerability in the HFS+ file
  parser.  The issue affects versions 1.0.0 and earlier, 0.105.1 and
  earlier, and 0.103.7 and earlier.  Thank you to Simon Scannell for
  reporting this issue.

* CVE-2023-20052<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20052>:
  Fixed a possible remote information leak vulnerability in the DMG file
  parser.  The issue affects versions 1.0.0 and earlier, 0.105.1 and
  earlier, and 0.103.7 and earlier.  Thank you to Simon Scannell for
  reporting this issue.

* Update the vendored libmspack library to version 0.11alpha.

* GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/830

Revision 1.86, Wed Nov 23 16:18:58 2022 UTC (16 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q4-base, pkgsrc-2022Q4
Changes since 1.85: +2 -2 lines

massive revision bump after textproc/icu update

Revision 1.85, Wed Oct 26 10:31:56 2022 UTC (17 months ago) by wiz
Branch: MAIN
Changes since 1.84: +2 -1 lines

*: bump PKGREVISION for libunistring shlib major bump

Revision 1.84, Thu May 5 00:44:07 2022 UTC (22 months, 3 weeks ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3, pkgsrc-2022Q2-base, pkgsrc-2022Q2
Changes since 1.83: +1 -2 lines

security/clamav: update to 0.103.6

0.103.6 (2022-05-04)

ClamAV 0.103.6 is a critical patch release with the following fixes:

- CVE-2022-20770: Fixed a possible infinite loop vulnerability
  in the CHM file parser.
  Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and
  prior versions.
  Thank you to Micha Dardas for reporting this issue.

- CVE-2022-20796: Fixed a possible NULL-pointer dereference
  crash in the scan verdict cache check.
  Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2.
  Thank you to Alexander Patrakov and Antoine Gatineau for reporting this issue.

- CVE-2022-20771: Fixed a possible infinite loop vulnerability
  in the TIFF file parser.
  Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and
  prior versions.
  The issue only occurs if the "--alert-broken-media" ClamScan option is
  enabled. For ClamD, the affected option is "AlertBrokenMedia yes", and for
  libclamav it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option.
  Thank you to Micha Dardas for reporting this issue.

- CVE-2022-20785: Fixed a possible memory leak in the
  HTML file parser / Javascript normalizer.
  Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and
  prior versions.
  Thank you to Micha Dardas for reporting this issue.

- CVE-2022-20792: Fixed a possible multi-byte heap buffer
  overflow write vulnerability in the signature database load module.
  The fix was to update the vendored regex library to the latest version.
  Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and
  prior versions.
  Thank you to Micha Dardas for reporting this issue.

- ClamOnAcc: Fixed a number of assorted stability issues and added niceties for
  debugging ClamOnAcc. Patches courtesy of Frank Fegert.

- Fixed an issue causing byte-compare subsignatures to cause an alert when they
  match even if other conditions of the given logical signatures were not met.

- Fix memleak when using multiple byte-compare subsignatures.
  This fix was backported from 0.104.0.
  Thank you to Andrea De Pasquale for contributing the fix.

- Assorted bug fixes and improvements.

Special thanks to the following people for code contributions and bug reports:
- Alexander Patrakov
- Andrea De Pasquale
- Antoine Gatineau
- Frank Fegert
- Micha Dardas

Revision 1.83, Mon Apr 18 19:10:04 2022 UTC (23 months, 1 week ago) by adam
Branch: MAIN
Changes since 1.82: +2 -1 lines

revbump for textproc/icu update

Revision 1.81.2.1, Fri Jan 21 15:49:19 2022 UTC (2 years, 2 months ago) by bsiegert
Branch: pkgsrc-2021Q4
Changes since 1.81: +1 -2 lines

Pullup ticket #6571 - requested by taca
security/clamav: security fix

Revisions pulled up:
- security/clamav/Makefile                                      1.82
- security/clamav/Makefile.common                               1.22
- security/clamav/distinfo                                      1.41

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Jan 13 15:28:22 UTC 2022

   Modified Files:
   	pkgsrc/security/clamav: Makefile Makefile.common distinfo

   Log Message:
   security/clamav: update to 0.103.5

   0.103.5 (2022-01-12)

   ClamAV 0.103.5 is a critical patch release with the following fixes:

   * CVE-2022-20698<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>:
     Fix for invalid pointer read that may cause a crash. This issue affects
     0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the
     CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json
     option) is enabled.

     Cisco would like to thank Laurent Delosieres of ManoMano for reporting
     this vulnerability.

   * Fixed ability to disable the file size limit with libclamav C API, like
     this:

     cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);

     This issue didn't affect ClamD or ClamScan which also can disable the
     limit by setting it to zero using MaxFileSize 0 in clamd.conf for ClamD,
     or clamscan --max-filesize=0 for ClamScan.

     Note: Internally, the max file size is still set to 2 GiB. Disabling the
     limit for a scan will fall back on the internal 2 GiB limitation.

   * Increased the maximum line length for ClamAV config files from 512 bytes
     to 1,024 bytes to allow for longer config option strings.

   * SigTool: Fix insufficient buffer size for --list-sigs that caused a
     failure when listing a database containing one or more very long
     signatures. This fix was backported from 0.104.

   Special thanks to the following for code contributions and bug reports:

   * Laurent Delosieres

Revision 1.82, Thu Jan 13 15:28:22 2022 UTC (2 years, 2 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.81: +1 -2 lines

security/clamav: update to 0.103.5

0.103.5 (2022-01-12)

ClamAV 0.103.5 is a critical patch release with the following fixes:

* CVE-2022-20698<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>:
  Fix for invalid pointer read that may cause a crash. This issue affects
  0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the
  CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json
  option) is enabled.

  Cisco would like to thank Laurent Delosieres of ManoMano for reporting
  this vulnerability.

* Fixed ability to disable the file size limit with libclamav C API, like
  this:

  cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);

  This issue didn't affect ClamD or ClamScan which also can disable the
  limit by setting it to zero using MaxFileSize 0 in clamd.conf for ClamD,
  or clamscan --max-filesize=0 for ClamScan.

  Note: Internally, the max file size is still set to 2 GiB. Disabling the
  limit for a scan will fall back on the internal 2 GiB limitation.

* Increased the maximum line length for ClamAV config files from 512 bytes
  to 1,024 bytes to allow for longer config option strings.

* SigTool: Fix insufficient buffer size for --list-sigs that caused a
  failure when listing a database containing one or more very long
  signatures. This fix was backported from 0.104.

Special thanks to the following for code contributions and bug reports:

* Laurent Delosieres

Revision 1.81, Wed Dec 8 16:02:33 2021 UTC (2 years, 3 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base
Branch point for: pkgsrc-2021Q4
Changes since 1.80: +2 -1 lines

revbump for icu and libffi

Revision 1.80, Mon Nov 8 14:49:23 2021 UTC (2 years, 4 months ago) by taca
Branch: MAIN
Changes since 1.79: +2 -2 lines

security/clamav: update to 0.103.4

ClamAV 0.103.4 is a critical patch release with the following fixes:

- FreshClam:
  - Add a 24-hour cool-down for FreshClam clients that have received an HTTP
    403 (Forbidden) response from the CDN.
    This is to reduce the volume of 403-response data served to blocked
    FreshClam clients that are configured with a tight update-loop.
  - Fixed a bug where FreshClam treats an empty CDIFF as an incremental update
    failure instead of as an intentional request to download the whole CVD.

- ClamDScan: Fix a scan error when broken symlinks are encountered on macOS with
  "FollowDirectorySymlinks" and "FollowFileSymlinks" options disabled.

- Overhauled the scan recursion / nested archive extraction logic and added new
  limits on embedded file-type recognition performed during the "raw" scan of
  each file. This limits embedded file-type misidentification and prevents
  detecting embedded file content that is found/extracted and scanned at other
  layers in the scanning process.

- Fix an issue with the FMap module that failed to read from some nested files.

- Fixed an issue where failing to load some rules from a Yara file containing
  multiple rules may cause a crash.

- Fixed assorted compiler warnings.

- Fixed assorted Coverity static code analysis issues.

- Scan limits:
  - Added virus-name suffixes to the alerts that trigger when a scan limit has
    been exceeded. Rather than simply `Heuristics.Limits.Exceeded`, you may now
    see limit-specific virus-names, to include:
    - `Heuristics.Limits.Exceeded.MaxFileSize`
    - `Heuristics.Limits.Exceeded.MaxScanSize`
    - `Heuristics.Limits.Exceeded.MaxFiles`
    - `Heuristics.Limits.Exceeded.MaxRecursion`
    - `Heuristics.Limits.Exceeded.MaxScanTime`
  - Renamed the `Heuristics.Email.ExceedsMax.*` alerts to align with the other
    limit alerts names. These alerts include:
    - `Heuristics.Limits.Exceeded.EmailLineFoldcnt`
    - `Heuristics.Limits.Exceeded.EmailHeaderBytes`
    - `Heuristics.Limits.Exceeded.EmailHeaders`
    - `Heuristics.Limits.Exceeded.EmailMIMEPartsPerMessage`
    - `Heuristics.Limits.Exceeded.EmailMIMEArguments`
  - Fixed an issue where the Email-related scan limits would alert even when the
    "AlertExceedsMax" (`--alert-exceeds-max`) scan option is not enabled.
  - Fixes an issue in the Zip parser where exceeding the "MaxFiles" limit or
    the "MaxFileSize" limit would abort the scan but would fail to alert.
    The Zip scan limit issues were independently identified and reported by
    Aaron Leliaert and Max Allan.

- Fixed a leak in the Email parser when using the `--gen-json` scan option.

- Fixed an issue where a failure to record metadata in the Email parser when
  using the `--gen-json` scan option could cause the Email parser to abort the
  scan early and fail to extract and scan additional content.

- Fixed a file name memory leak in the Zip parser.

- Fixed an issue where certain signature patterns may cause a crash or cause
  unintended matches on some systems when converting characters to uppercase if
  a UTF-8 unicode single-byte grapheme becomes a multi-byte grapheme.
  Patch courtesy of Andrea De Pasquale.

Other fixes backported from 0.104.0:

- Fixed a crash in programs that use libclamav when the programs don't set a
  callback for the "virus found" event.
  Patch courtesy of Markus Strehle.

- Added checks to the SIS archive parser to prevent an SIS file entry from
  pointing to the archive, which would result in a loop. This was not an actual
  infinite loop, as ClamAV's scan recursion limit limits the depth of nested
  archive extraction.

- ClamOnAcc: Fixed a socket file descriptor leak that could result in a crash
  when all available file descriptors are exhausted.

- FreshClam: Fixed an issue where FreshClam would download a CVD repeatedly if a
  zero-byte CDIFF is downloaded or if the incremental update failed and if the
  CVD downloaded after that is older than advertised.
  Patch courtesy of Andrew Williams.

- ClamDScan:
  - Fixed a memory leak of the scan target filename when using the
    `--fdpass` or `--stream` options.
  - Fixed an issue where ClamDScan would fail to scan any file after excluding
    a file with the "ExcludePath" option when using the `--multiscan`
    (`-m`) option along with either `--fdpass` or `--stream`.
    Also fixed a memory leak of the accidentally-excluded paths in this case.
  - Fixed a single file path memory leak when using `--fdpass`.
  - Fixed an issue where the "ExcludePath" regex may fail to exclude absolute
    paths when the scan is invoked with a relative path.

Special thanks to the following for code contributions and bug reports:
- Aaron Leliaert
- Andrea De Pasquale
- Andrew Williams
- Markus Strehle
- Max Allan

Revision 1.79, Wed Sep 29 19:01:15 2021 UTC (2 years, 5 months ago) by adam
Branch: MAIN
Changes since 1.78: +2 -1 lines

revbump for boost-libs

Revision 1.78, Tue Sep 28 12:59:40 2021 UTC (2 years, 6 months ago) by jperkin
Branch: MAIN
Changes since 1.77: +2 -2 lines

clamav: Support GCC >= 10.

Revision 1.77, Thu Jun 3 15:47:34 2021 UTC (2 years, 9 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base, pkgsrc-2021Q3, pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.76: +1 -2 lines

security/clamav: update to 0.103.2

0.103.2 (2021-04-07)

ClamAV 0.103.2 is a security patch release with the following fixes:

* CVE-2021-1386: Fix for UnRAR DLL load privilege escalation.  Affects
  0.103.1 and prior on Windows only.

* CVE-2021-1252: Fix for Excel XLM parser infinite loop.  Affects 0.103.0
  and 0.103.1 only.

* CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash.
  Affects 0.103.0 and 0.103.1 only.

* CVE-2021-1405: Fix for mail parser NULL-dereference crash.  Affects
  0.103.1 and prior.

* Fix possible memory leak in PNG parser.

* Fix ClamOnAcc scan on file-creation race condition so files are scanned
  after their contents are written.

* FreshClam: Deprecate the SafeBrowsing config option.  The SafeBrowsing
  option will no longer do anything.

* For more details, see our blog post from last year about the future of the
  ClamAV Safe Browsing database.

* Tip: If creating and hosting your own safebrowing.gdb database, you can
  use the DatabaseCustomURL option in freshclam.conf to download it.

* FreshClam: Improved HTTP 304, 403, & 429 handling.

* FreshClam: Added back the mirrors.dat file to the database directory.
  This new mirrors.dat file will store:

  - A randomly generated UUID for the FreshClam User-Agent.
  - A retry-after timestamp so that FreshClam won't try to update
    after having received an HTTP 429 response until the Retry-After
    timeout has expired.

* FreshClam will now exit with a failure in daemon mode if an HTTP 403
  (Forbidden) was received, because retrying later won't help any.  The
  FreshClam user will have to take actions to get unblocked.

* Fix the FreshClam mirror-sync issue where a downloaded database is "older
  than the version advertised."

* If a new CVD download gets a version that is older than advertised,
  FreshClam will keep the older version and retry the update so that the
  incremental update process (CDIFF patch process) will update to the latest
  version.

Revision 1.76, Wed Apr 21 13:25:18 2021 UTC (2 years, 11 months ago) by adam
Branch: MAIN
Changes since 1.75: +2 -2 lines

revbump for boost-libs

Revision 1.75, Wed Apr 21 11:40:36 2021 UTC (2 years, 11 months ago) by adam
Branch: MAIN
Changes since 1.74: +2 -1 lines

revbump for textproc/icu

Revision 1.74, Sun Feb 28 17:14:10 2021 UTC (3 years ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since 1.73: +1 -2 lines

security/clamav: update to 0.103.1

0.103.1 (2021-01-31)

ClamAV 0.103.1 is a patch release with the following fixes and improvements.

Notable changes

* Added a new scan option to alert on broken media (graphics) file formats.
  This feature mitigates the risk of malformed media files intended to
  exploit vulnerabilities in other software.  At present media validation
  exists for JPEG, TIFF, PNG, and GIF files.  To enable this feature, set
  AlertBrokenMedia yes in clamd.conf, or use the --alert-broken-media option
  when using clamscan.  These options are disabled by default in this patch
  release, but may be enabled in a subsequent release.  Application
  developers may enable this scan option by enabling
  CL_SCAN_HEURISTIC_BROKEN_MEDIA for the heuristic scan option bit field.

* Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF, PNG typing behavior.
  BMP and JPEG 2000 files will continue to detect as CL_TYPE_GRAPHICS
  because ClamAV does not yet have BMP or JPEG 2000 format checking
  capabilities.

Bug fixes

* Fixed PNG parser logic bugs that caused an excess of parsing errors and
  fixed a stack exhaustion issue affecting some systems when scanning PNG
  files.  PNG file type detection was disabled via signature database update
  for ClamAV version 0.103.0 to mitigate the effects from these bugs.

* Fixed an issue where PNG and GIF files no longer work with Target:5
  graphics signatures if detected as CL_TYPE_PNG/GIF rather than as
  CL_TYPE_GRAPHICS.  Target types now support up to 10 possible file types
  to make way for additional graphics types in future releases.

* Fixed clamonacc's --fdpass option.

* File descriptor passing (or "fd-passing") is a mechanism by which
  clamonacc and clamdscan may transfer an open file to clamd to scan, even
  if clamd is running as a non-privileged user and wouldn't otherwise have
  read-access to the file.  This enables clamd to scan all files without
  having to run clamd as root.  If possible, clamd should never be run as
  root so as to mitigate the risk in case clamd is somehow compromised while
  scanning malware.

* Interprocess file descriptor passing for clamonacc was broken since
  version 0.102.0 due to a bug introduced by the switch to curl for
  communicating with clamd.  On Linux, passing file descriptors from one
  process to another is handled by the kernel, so we reverted clamonacc to
  use standard system calls for socket communication when fd passing is
  enabled.

* Fixed a clamonacc stack corruption issue on some systems when using an
  older version of libcurl.  Patch courtesy of Emilio Pozuelo Monfort.

* Allow clamscan and clamdscan scans to proceed even if the realpath lookup
  failed.  This alleviates an issue on Windows scanning files hosted on
  file-systems that do not support the GetMappedFileNameW() API such as on
  ImDisk RAM-disks.

* Fixed freshclam --on-update-execute=EXIT_1 temporary directory cleanup
  issue.

* clamd's log output and VirusEvent now provide the scan target's file path
  instead of a file descriptor.  The clamd socket API for submitting a scan
  by FD-passing doesn't include a file path; this feature works by looking
  up the file path by file descriptor.  This feature works on Mac and Linux
  but is not yet implemented for other UNIX operating systems.  FD-passing
  is not available for Windows.

* Fixed an issue where freshclam database validation didn't work correctly
  when run in daemon mode on Linux/Unix.

Other improvements

* Scanning JPEG, TIFF, PNG, and GIF files will no longer return "parse"
  errors when file format validation fails.  Instead, the scan will alert
  with the "Heuristics.Broken.Media" signature prefix and a descriptive
  suffix to indicate the issue, provided that the "alert broken media"
  feature is enabled.

* GIF format validation will no longer fail if the GIF image is missing the
  trailer byte, as this appears to be a relatively common issue in otherwise
  functional GIF files.

* Added a TIFF dynamic configuration (DCONF) option, which was missing.
  This will allow us to disable TIFF format validation via signature
  database update in the event that it proves to be problematic.  This
  feature already exists for many other file types.

Acknowledgements

The ClamAV team thanks the following individuals for their code submissions:

Emilio Pozuelo Monfort

Revision 1.73, Thu Nov 5 09:07:06 2020 UTC (3 years, 4 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.72: +2 -1 lines

*: Recursive revbump from textproc/icu-68.1

Revision 1.72, Sat Sep 19 13:41:42 2020 UTC (3 years, 6 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.71: +1 -2 lines

security/clamav: update to 0.103.0

Update clamav package to 0.103.0.


Quote from release announcement:

ClamAV 0.103.0 highlights

With your feedback on the previous candidates, we've fixed these additional
issues:

* The freshclam PID file was not readable by other users in previous release
  candidates but is now readable by all.
* An issue with how freshclam was linked with the autotools build system
  caused SysLog settings to be ignored.
* The real-path checks introduced to clamscan and clamdscan in 0.102.4 broke
  scanning of some files with Unicode filenames and files on network shares
  for Windows users.

Thanks to the users for your help in fixing these bugs.

Major changes

* clamd can now reload the signature database without blocking
  scanning. This multi-threaded database reload improvement was made
  possible thanks to a community effort.

* Non-blocking database reloads are now the default behavior. Some systems
  that are more constrained on RAM may need to disable non-blocking reloads,
  as it will temporarily consume double the amount of memory. We added a new
  clamd config option ConcurrentDatabaseReload, which may be set to no.

Special thanks to those who made this feature a reality:

* Alberto Wu
* Alexander Sulfrian
* Arjen de Korte
* David Heidelberg
* Ged Haywood
* Julius Plenz
* Michael Orlitzky

Notable changes

* The DLP module has been enhanced with additional credit card ranges and a
  new engine option that allows ClamAV to alert only on credit cards (and
  not, for instance, gift cards) when scanning with the DLP module. John
  Schember developed this feature, with input from Alexander Sulfrian.
* We added support for Adobe Reader X PDF encryption and overhauled the
  PNG-scanning tool to detect PNG-specific exploits. We also made a major
  change to GIF parsing that now makes it more tolerant of problematic files
  and adds the ability to scan overlays, all thanks to work and patches
  submitted by Aldo Mazzeo.
* clamdtop.exe is now available for Windows users. The functionality is
  somewhat limited when compared to clamdtop on Linux. PDCurses is required
  to build clamdtop.exe for ClamAV on Windows.
* The phishing detection module will now print "Suspicious link found!"
  along with the "Real URL" and "Display URL" each time ClamAV detects
  phishing. In a future version, we would like to print out alert-related
  metadata like this at the end of a scan, but for now, this detail will
  help users understand why a given file is being flagged as phishing.
* Added new *experimental* CMake build tooling. CMake is not yet recommended
  for production builds. Our team would appreciate any assistance improving
  the CMake build tooling so we can one day deprecate autotools and remove
  the Visual Studio solutions.

  - Please see the new CMake installation instructions found in
    INSTALL.cmake.md for detailed instructions on how to build ClamAV
    with CMake.

* Added --ping and --wait options to the clamdscan and clamonacc client
  applications.

* The --ping (-p) command will attempt to ping clamd up to a specified
   maximum number of attempts at an optional interval. If the interval isn't
   specified, a default one-second interval is used. It will exit with
   status code `0` when it receives a PONG from clamd or status code `21` if
   the timeout expires before it receives a response.

Revision 1.71, Thu Sep 17 16:16:38 2020 UTC (3 years, 6 months ago) by jperkin
Branch: MAIN
Changes since 1.70: +2 -2 lines

clamav: Explicitly set SMF_METHODS.

RCD_SCRIPTS changes depending on configured options, and clamav-milter
is launched directly from the manifest without a separate method script.

Revision 1.70, Mon Sep 14 16:54:35 2020 UTC (3 years, 6 months ago) by taca
Branch: MAIN
Changes since 1.69: +2 -1 lines

security/clamav: add clamav-milter startup script

Add clamav-milter startup script.

Bump PKGREVISION.

Revision 1.68.2.1, Fri Aug 14 18:23:48 2020 UTC (3 years, 7 months ago) by bsiegert
Branch: pkgsrc-2020Q2
Changes since 1.68: +1 -2 lines

Pullup ticket #6297 - requested by taca
security/clamav: security fix

Revisions pulled up:
- security/clamav/Makefile                                      1.69
- security/clamav/Makefile.common                               1.17
- security/clamav/distinfo                                      1.34

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Fri Jul 17 04:48:32 UTC 2020

   Modified Files:
   	pkgsrc/security/clamav: Makefile Makefile.common distinfo

   Log Message:
   security/clamav: update to 0.102.4

   Update clamav to 0.102.4.

   ## 0.102.4

   ClamAV 0.102.4 is a bug patch release to address the following issues.

   - [CVE-2020-3350](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350):
     Fix a vulnerability wherein a malicious user could replace a scan target's
     directory with a symlink to another path to trick clamscan, clamdscan, or
     clamonacc into removing or moving a different file (eg. a critical system
     file). The issue would affect users that use the --move or --remove options
     for clamscan, clamdscan, and clamonacc.

     For more information about AV quarantine attacks using links, see the
     [RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software).

   - [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
     Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that
     could cause a Denial-of-Service (DoS) condition. Improper bounds checking
     results in an out-of-bounds read which could cause a crash.
     The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly
     resolves the issue.

   - [CVE-2020-3481](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481):
     Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3
     that could cause a Denial-of-Service (DoS) condition. Improper error handling
     may result in a crash due to a NULL pointer dereference.
     This vulnerability is mitigated for those using the official ClamAV
     signature databases because the file type signatures in daily.cvd
     will not enable the EGG archive parser in versions affected by the
     vulnerability.

Revision 1.69, Fri Jul 17 04:48:32 2020 UTC (3 years, 8 months ago) by taca
Branch: MAIN
Changes since 1.68: +1 -2 lines

security/clamav: update to 0.102.4

Update clamav to 0.102.4.


## 0.102.4

ClamAV 0.102.4 is a bug patch release to address the following issues.

- [CVE-2020-3350](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350):
  Fix a vulnerability wherein a malicious user could replace a scan target's
  directory with a symlink to another path to trick clamscan, clamdscan, or
  clamonacc into removing or moving a different file (eg. a critical system
  file). The issue would affect users that use the --move or --remove options
  for clamscan, clamdscan, and clamonacc.

  For more information about AV quarantine attacks using links, see the
  [RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software).

- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
  Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that
  could cause a Denial-of-Service (DoS) condition. Improper bounds checking
  results in an out-of-bounds read which could cause a crash.
  The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly
  resolves the issue.

- [CVE-2020-3481](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481):
  Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3
  that could cause a Denial-of-Service (DoS) condition. Improper error handling
  may result in a crash due to a NULL pointer dereference.
  This vulnerability is mitigated for those using the official ClamAV
  signature databases because the file type signatures in daily.cvd
  will not enable the EGG archive parser in versions affected by the
  vulnerability.

Revision 1.68 / (download) - annotate - [select for diffs], Tue Jun 2 08:22:54 2020 UTC (3 years, 9 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base
Branch point for: pkgsrc-2020Q2
Changes since 1.67: +2 -2 lines
Diff to previous 1.67 (colored) to selected 1.40 (colored)

Revbump for icu

Revision 1.67 / (download) - annotate - [select for diffs], Fri May 22 10:56:35 2020 UTC (3 years, 10 months ago) by adam
Branch: MAIN
Changes since 1.66: +2 -2 lines
Diff to previous 1.66 (colored) to selected 1.40 (colored)

revbump after updating security/nettle

Revision 1.66 / (download) - annotate - [select for diffs], Tue May 19 12:09:09 2020 UTC (3 years, 10 months ago) by nia
Branch: MAIN
Changes since 1.65: +2 -1 lines
Diff to previous 1.65 (colored) to selected 1.40 (colored)

Recursive revbump for json-c-0.14

Revision 1.63.2.1 / (download) - annotate - [select for diffs], Fri May 15 16:38:25 2020 UTC (3 years, 10 months ago) by bsiegert
Branch: pkgsrc-2020Q1
Changes since 1.63: +1 -2 lines
Diff to previous 1.63 (colored) next main 1.64 (colored) to selected 1.40 (colored)

Pullup ticket #6195 - requested by taca
security/clamav: security fix

Revisions pulled up:
- security/clamav/Makefile                                      1.64-1.65
- security/clamav/Makefile.common                               1.16
- security/clamav/distinfo                                      1.33

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Wed May  6 14:05:09 UTC 2020

   Modified Files:
   	pkgsrc/security/clamav: Makefile

   Log Message:
   revbump after boost update

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Wed May 13 14:58:58 UTC 2020

   Modified Files:
   	pkgsrc/security/clamav: Makefile Makefile.common distinfo

   Log Message:
   security/clamav: update to 0.102.3

   Update clamav to 0.102.3.

   ## 0.102.3

   ClamAV 0.102.3 is a bug patch release to address the following issues.

   - [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
     Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that
     could cause a Denial-of-Service (DoS) condition. Improper bounds checking of
     an unsigned variable results in an out-of-bounds read which causes a crash.

     Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ
     parsing vulnerability.

   - [CVE-2020-3341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341):
     Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that
     could cause a Denial-of-Service (DoS) condition. Improper size checking of
     a buffer used to initialize AES decryption routines results in an out-of-
     bounds read which may cause a crash. Bug found by OSS-Fuzz.

   - Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.

   - Fix a couple of minor memory leaks.

   - Updated libclamunrar to UnRAR 5.9.2.

Revision 1.65 / (download) - annotate - [select for diffs], Wed May 13 14:58:58 2020 UTC (3 years, 10 months ago) by taca
Branch: MAIN
Changes since 1.64: +1 -2 lines
Diff to previous 1.64 (colored) to selected 1.40 (colored)

security/clamav: update to 0.102.3

Update clamav to 0.102.3.


## 0.102.3

ClamAV 0.102.3 is a bug patch release to address the following issues.

- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
  Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that
  could cause a Denial-of-Service (DoS) condition. Improper bounds checking of
  an unsigned variable results in an out-of-bounds read which causes a crash.

  Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ
  parsing vulnerability.

- [CVE-2020-3341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341):
  Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that
  could cause a Denial-of-Service (DoS) condition. Improper size checking of
  a buffer used to initialize AES decryption routines results in an out-of-
  bounds read which may cause a crash. Bug found by OSS-Fuzz.

- Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.

- Fix a couple of minor memory leaks.

- Updated libclamunrar to UnRAR 5.9.2.

Revision 1.64 / (download) - annotate - [select for diffs], Wed May 6 14:04:59 2020 UTC (3 years, 10 months ago) by adam
Branch: MAIN
Changes since 1.63: +2 -2 lines
Diff to previous 1.63 (colored) to selected 1.40 (colored)

revbump after boost update

Revision 1.63 / (download) - annotate - [select for diffs], Sun Mar 8 16:51:06 2020 UTC (4 years ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base
Branch point for: pkgsrc-2020Q1
Changes since 1.62: +2 -1 lines
Diff to previous 1.62 (colored) to selected 1.40 (colored)

*: recursive bump for libffi

Revision 1.62 / (download) - annotate - [select for diffs], Sat Feb 15 02:40:43 2020 UTC (4 years, 1 month ago) by taca
Branch: MAIN
Changes since 1.61: +1 -2 lines
Diff to previous 1.61 (colored) to selected 1.40 (colored)

security/clamav: update to 0.102.2

Update clamav to 0.102.2.

## 0.102.2

ClamAV 0.102.2 is a bug patch release to address the following issues.

- [CVE-2020-3123](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123):
  A Denial-of-Service (DoS) condition may occur when using the optional credit
  card data-loss-prevention (DLP) feature. Improper bounds checking of an
  unsigned variable resulted in an out-of-bounds read which causes a crash.

- Significantly improved scan speed of PDF files on Windows.

- Re-applied a fix to alleviate file access issues when scanning RAR files in
  downstream projects that use libclamav where the scanning engine is operating
  in a low-privilege process. This bug was originally fixed in 0.101.2 and the
  fix was mistakenly omitted from 0.102.0.

- Fixed an issue wherein freshclam failed to update if the database version
  downloaded is 1 version older than advertised. This situation may occur after
  a new database version is published. The issue affected users downloading the
  whole CVD database file.

- Changed the default freshclam ReceiveTimeout setting to 0 (infinite).
  The ReceiveTimeout had caused needless database update failures for users with
  slower internet connections.

- Correctly display number of kilobytes (KiB) in progress bar and reduced the
  size of the progress bar to accommodate 80-char width terminals.

- Fixed an issue where running freshclam manually causes a daemonized freshclam
  process to fail when it updates because the manual instance deletes the
  temporary download directory. Freshclam temporary files will now download to a
  unique directory created at the time of an update instead of using a hardcoded
  directory created/destroyed at the program start/exit.

- Fix for Freshclam's OnOutdatedExecute config option.

- Fixes a memory leak in the error condition handling for the email parser.

- Improved bound checking and error handling in ARJ archive parser.

- Improved error handling in PDF parser.

- Fix for memory leak in byte-compare signature handler.

- Updates to the unit test suite to support libcheck 0.13.

- Updates to support autoconf 2.69 and automake 1.15.

Special thanks to the following for code contributions and bug reports:

- Antoine Deschênes
- Eric Lindblad
- Gianluigi Tiesi
- Tuomo Soini

Revision 1.61 / (download) - annotate - [select for diffs], Sat Jan 18 21:50:34 2020 UTC (4 years, 2 months ago) by jperkin
Branch: MAIN
Changes since 1.60: +2 -2 lines
Diff to previous 1.60 (colored) to selected 1.40 (colored)

*: Recursive revision bump for openssl 1.1.1.

Revision 1.60 / (download) - annotate - [select for diffs], Sun Jan 12 20:20:41 2020 UTC (4 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.59: +2 -1 lines
Diff to previous 1.59 (colored) to selected 1.40 (colored)

*: Recursive revbump from devel/boost-libs

Revision 1.59 / (download) - annotate - [select for diffs], Tue Dec 3 12:55:16 2019 UTC (4 years, 3 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Changes since 1.58: +1 -3 lines
Diff to previous 1.58 (colored) to selected 1.40 (colored)

security/clamav: update to 0.102.1

Update clamav to 0.102.1.


## 0.102.1

ClamAV 0.102.1 is a security patch release to address the following issues.

- Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
  - [CVE-2019-15961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961)
    A Denial-of-Service (DoS) vulnerability may occur when scanning a specially
    crafted email file as a result of excessively long scan times. The issue is
    resolved by implementing several maximums in parsing MIME messages and by
    optimizing use of memory allocation.

- Build system fixes to build clamav-milter, to correctly link with libxml2 when
  detected, and to correctly detect fanotify for on-access scanning feature
  support.

- Signature load time is significantly reduced by changing to a more efficient
  algorithm for loading signature patterns and allocating the AC trie.
  Patch courtesy of Alberto Wu.

- Introduced a new configure option to statically link libjson-c with libclamav.
  Static linking with libjson is highly recommended to prevent crashes in
  applications that use libclamav alongside another JSON parsing library.

- Null-dereference fix in email parser when using the `--gen-json` metadata
  option.

- Fixes for Authenticode parsing and certificate signature (.crb database) bugs.

Special thanks to the following for code contributions and bug reports:

- Alberto Wu
- Joran Dirk Greef
- Reio Remma

Revision 1.58 / (download) - annotate - [select for diffs], Tue Nov 19 16:20:24 2019 UTC (4 years, 4 months ago) by prlw1
Branch: MAIN
Changes since 1.57: +8 -1 lines
Diff to previous 1.57 (colored) to selected 1.40 (colored)

Substitute CLAMAV_DBDIR (the point of patch-etc.clam*.conf.sample)

Revision 1.57 / (download) - annotate - [select for diffs], Thu Oct 31 11:22:15 2019 UTC (4 years, 4 months ago) by jperkin
Branch: MAIN
Changes since 1.56: +4 -3 lines
Diff to previous 1.56 (colored) to selected 1.40 (colored)

clamav: Fix install with the milter option enabled.

Revision 1.56 / (download) - annotate - [select for diffs], Thu Oct 10 15:43:44 2019 UTC (4 years, 5 months ago) by prlw1
Branch: MAIN
Changes since 1.55: +1 -2 lines
Diff to previous 1.55 (colored) to selected 1.40 (colored)

remove pkgrevision

Revision 1.55 / (download) - annotate - [select for diffs], Thu Oct 10 15:41:29 2019 UTC (4 years, 5 months ago) by prlw1
Branch: MAIN
Changes since 1.54: +3 -5 lines
Diff to previous 1.54 (colored) to selected 1.40 (colored)

Update clamav to 0.102.0

* The On-Access Scanning feature has been migrated out of clamd and
  into a brand new utility named clamonacc, which is disabled in this
  package as it is for Linux only.
* The freshclam database update utility has undergone a significant
  update. This includes:
     + Added support for HTTPS.
     + Support for database mirrors hosted on ports other than 80.
     + Removal of the mirror management feature (mirrors.dat).
     + An all new libfreshclam library API.
* Added support for extracting ESTsoft .egg archives. This feature is
  new code developed from scratch using ESTsoft's Egg-archive
  specification and without referencing the UnEgg library provided by
  ESTsoft. This was necessary because the UnEgg library's license
  includes restrictions limiting the commercial use of the UnEgg library.

Full release notes available at:
https://github.com/Cisco-Talos/clamav-devel/blob/rel/0.102/NEWS.md

Revision 1.54 / (download) - annotate - [select for diffs], Sat Oct 5 20:52:52 2019 UTC (4 years, 5 months ago) by nros
Branch: MAIN
Changes since 1.53: +2 -2 lines
Diff to previous 1.53 (colored) to selected 1.40 (colored)

Fix clamav install when PKG_SYSCONFDIR not set to ${PREFIX}/etc

Use PKG_SYSCONFDIR when moving files to EGDIR.
Fixes install when PKG_SYSCONFDIR is set to something other than
${PREFIX}/etc

Revision 1.53 / (download) - annotate - [select for diffs], Fri Sep 6 09:22:49 2019 UTC (4 years, 6 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.52: +3 -1 lines
Diff to previous 1.52 (colored) to selected 1.40 (colored)

clamav: Disable mapfile on SunOS.

There are a couple of functions that aren't defined, and this is easier than
patching (and doesn't impact other OS).

Revision 1.48.2.1 / (download) - annotate - [select for diffs], Thu Sep 5 09:26:25 2019 UTC (4 years, 6 months ago) by bsiegert
Branch: pkgsrc-2019Q2
Changes since 1.48: +11 -10 lines
Diff to previous 1.48 (colored) next main 1.49 (colored) to selected 1.40 (colored)

Pullup ticket #6036 - requested by taca
security/clamav: security fix

Revisions pulled up:
- security/clamav/Makefile                                      1.51
- security/clamav/Makefile.common                               1.11
- security/clamav/PLIST                                         1.7
- security/clamav/buildlink3.mk                                 1.8
- security/clamav/distinfo                                      1.28
- security/clamav/options.mk                                    1.6
- security/clamav/patches/patch-Makefile.in                     1.5
- security/clamav/patches/patch-ab                              1.2

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Sat Jul 20 22:46:59 UTC 2019

   Modified Files:

   	pkgsrc/security/clamav: Makefile

   Log Message:
   *: recursive bump for nettle 3.5.1

---
   Module Name:	pkgsrc
   Committed By:	prlw1
   Date:		Mon Aug  5 14:44:20 UTC 2019

   Modified Files:
   	pkgsrc/security/clamav: Makefile Makefile.common PLIST buildlink3.mk
   	    distinfo options.mk
   	pkgsrc/security/clamav/patches: patch-Makefile.in patch-ab

   Log Message:
   Update clamav to 0.101.2

   Remove rar support to work around PR pkg/54420

     This release includes 3 extra security related bug fixes that do not
      apply to prior versions. In addition, it includes a number of minor bug
      fixes and improvements.
        * Fixes for the following vulnerabilities affecting 0.101.1 and
          prior:
             + CVE-2019-1787: An out-of-bounds heap read condition may occur
               when scanning PDF documents. The defect is a failure to
               correctly keep track of the number of bytes remaining in a
               buffer when indexing file data.
             + CVE-2019-1789: An out-of-bounds heap read condition may occur
               when scanning PE files (i.e. Windows EXE and DLL files) that
               have been packed using Aspack as a result of inadequate
               bound-checking.
             + CVE-2019-1788: An out-of-bounds heap write condition may occur
               when scanning OLE2 files such as Microsoft Office 97-2003
               documents. The invalid write happens when an invalid pointer
               is mistakenly used to initialize a 32bit integer to zero. This
               is likely to crash the application.
        * Fixes for the following ClamAV vulnerabilities:
             + CVE-2018-15378: Vulnerability in ClamAV's MEW unpacking
               feature that could allow an unauthenticated, remote attacker
               to cause a denial of service (DoS) condition on an affected
               device. Reported by Secunia Research at Flexera.
             + Fix for a 2-byte buffer over-read bug in ClamAV's PDF parsing
               code. Reported by Alex Gaynor.
        * Fixes for the following vulnerabilities in bundled third-party
          libraries:
             + CVE-2018-14680: An issue was discovered in mspack/chmd.c in
               libmspack before 0.7alpha. It does not reject blank CHM
               filenames.
             + CVE-2018-14681: An issue was discovered in kwajd_read_headers
               in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file
               header extensions could cause a one or two byte overwrite.
             + CVE-2018-14682: An issue was discovered in mspack/chmd.c in
               libmspack before 0.7alpha. There is an off-by-one error in the
               TOLOWER() macro for CHM decompression.
             + Additionally, 0.100.2 reverted 0.100.1's patch for
               CVE-2018-14679, and applied libmspack's version of the fix in
               its place.
        * Fixes for the following CVE's:
             + CVE-2017-16932: Vulnerability in libxml2 dependency (affects
               ClamAV on Windows only).
             + CVE-2018-0360: HWP integer overflow, infinite loop
               vulnerability. Reported by Secunia Research at Flexera.
             + CVE-2018-0361: ClamAV PDF object length check, unreasonably
               long time to parse relatively small file. Reported by aCaB.

   For the full release notes, see:
   https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.101.2/NEWS.md

Revision 1.52 / (download) - annotate - [select for diffs], Thu Aug 22 12:23:44 2019 UTC (4 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.51: +2 -1 lines
Diff to previous 1.51 (colored) to selected 1.40 (colored)

Recursive revbump from boost-1.71.0

Revision 1.51 / (download) - annotate - [select for diffs], Mon Aug 5 14:44:20 2019 UTC (4 years, 7 months ago) by prlw1
Branch: MAIN
Changes since 1.50: +11 -10 lines
Diff to previous 1.50 (colored) to selected 1.40 (colored)

Update clamav to 0.101.2

Remove rar support to work around PR pkg/54420

  This release includes 3 extra security related bug fixes that do not
   apply to prior versions. In addition, it includes a number of minor bug
   fixes and improvements.
     * Fixes for the following vulnerabilities affecting 0.101.1 and
       prior:
          + CVE-2019-1787: An out-of-bounds heap read condition may occur
            when scanning PDF documents. The defect is a failure to
            correctly keep track of the number of bytes remaining in a
            buffer when indexing file data.
          + CVE-2019-1789: An out-of-bounds heap read condition may occur
            when scanning PE files (i.e. Windows EXE and DLL files) that
            have been packed using Aspack as a result of inadequate
            bound-checking.
          + CVE-2019-1788: An out-of-bounds heap write condition may occur
            when scanning OLE2 files such as Microsoft Office 97-2003
            documents. The invalid write happens when an invalid pointer
            is mistakenly used to initialize a 32bit integer to zero. This
            is likely to crash the application.
     * Fixes for the following ClamAV vulnerabilities:
          + CVE-2018-15378: Vulnerability in ClamAV's MEW unpacking
            feature that could allow an unauthenticated, remote attacker
            to cause a denial of service (DoS) condition on an affected
            device. Reported by Secunia Research at Flexera.
          + Fix for a 2-byte buffer over-read bug in ClamAV's PDF parsing
            code. Reported by Alex Gaynor.
     * Fixes for the following vulnerabilities in bundled third-party
       libraries:
          + CVE-2018-14680: An issue was discovered in mspack/chmd.c in
            libmspack before 0.7alpha. It does not reject blank CHM
            filenames.
          + CVE-2018-14681: An issue was discovered in kwajd_read_headers
            in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file
            header extensions could cause a one or two byte overwrite.
          + CVE-2018-14682: An issue was discovered in mspack/chmd.c in
            libmspack before 0.7alpha. There is an off-by-one error in the
            TOLOWER() macro for CHM decompression.
          + Additionally, 0.100.2 reverted 0.100.1's patch for
            CVE-2018-14679, and applied libmspack's version of the fix in
            its place.
     * Fixes for the following CVE's:
          + CVE-2017-16932: Vulnerability in libxml2 dependency (affects
            ClamAV on Windows only).
          + CVE-2018-0360: HWP integer overflow, infinite loop
            vulnerability. Reported by Secunia Research at Flexera.
          + CVE-2018-0361: ClamAV PDF object length check, unreasonably
            long time to parse relatively small file. Reported by aCaB.

For the full release notes, see:
https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.101.2/NEWS.md

Revision 1.50 / (download) - annotate - [select for diffs], Sat Jul 20 22:46:46 2019 UTC (4 years, 8 months ago) by wiz
Branch: MAIN
Changes since 1.49: +2 -2 lines
Diff to previous 1.49 (colored) to selected 1.40 (colored)

*: recursive bump for nettle 3.5.1

Revision 1.49 / (download) - annotate - [select for diffs], Mon Jul 1 04:08:44 2019 UTC (4 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.48: +2 -2 lines
Diff to previous 1.48 (colored) to selected 1.40 (colored)

Recursive revbump from boost-1.70.0

Revision 1.48 / (download) - annotate - [select for diffs], Sat May 4 16:12:00 2019 UTC (4 years, 10 months ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base
Branch point for: pkgsrc-2019Q2
Changes since 1.47: +1 -2 lines
Diff to previous 1.47 (colored) to selected 1.40 (colored)

security/clamav: remove unrecognized configure option --disable-clamav

Revision 1.47 / (download) - annotate - [select for diffs], Thu Dec 13 19:52:19 2018 UTC (5 years, 3 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1, pkgsrc-2018Q4-base, pkgsrc-2018Q4
Changes since 1.46: +2 -2 lines
Diff to previous 1.46 (colored) to selected 1.40 (colored)

revbump for boost 1.69.0

Revision 1.46 / (download) - annotate - [select for diffs], Wed Oct 24 14:10:59 2018 UTC (5 years, 5 months ago) by jperkin
Branch: MAIN
Changes since 1.45: +5 -2 lines
Diff to previous 1.45 (colored) to selected 1.40 (colored)

clamav: Fix build on SunOS C99.

Revision 1.45 / (download) - annotate - [select for diffs], Thu Aug 16 18:55:09 2018 UTC (5 years, 7 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3
Changes since 1.44: +2 -2 lines
Diff to previous 1.44 (colored) to selected 1.40 (colored)

revbump after boost-libs update

Revision 1.44 / (download) - annotate - [select for diffs], Sun Apr 29 21:32:02 2018 UTC (5 years, 11 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.43: +2 -1 lines
Diff to previous 1.43 (colored) to selected 1.40 (colored)

revbump for boost-libs update

Revision 1.43 / (download) - annotate - [select for diffs], Wed Mar 21 06:55:57 2018 UTC (6 years ago) by prlw1
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1
Changes since 1.42: +1 -2 lines
Diff to previous 1.42 (colored) to selected 1.40 (colored)

Update clamav to 0.99.4 (fixes build)

ClamAV 0.99.4 is a hotfix release to patch a set of vulnerabilities.

- fixes for the following CVE's: CVE-2012-6706, CVE-2017-6419,
  CVE-2017-11423, CVE-2018-0202, and CVE-2018-1000085.
- also included are 2 fixes for file descriptor leaks as well as fixes for
  a handful of other important bugs, including patches to support g++ 6, C++11.

Revision 1.42 / (download) - annotate - [select for diffs], Fri Jan 26 16:26:57 2018 UTC (6 years, 2 months ago) by bouyer
Branch: MAIN
Changes since 1.41: +2 -1 lines
Diff to previous 1.41 (colored) to selected 1.40 (colored)

Fix memory/file descriptor leak in cli_scanscript().
Bump PKGREVISION.

Revision 1.41 / (download) - annotate - [select for diffs], Fri Jan 26 16:24:32 2018 UTC (6 years, 2 months ago) by bouyer
Branch: MAIN
Changes since 1.40: +1 -2 lines
Diff to previous 1.40 (colored)

Reset PKGREVISION, ride previous package version bump.

Revision 1.40 / (download) - annotate - [selected], Mon Jan 1 21:18:50 2018 UTC (6 years, 2 months ago) by adam
Branch: MAIN
Changes since 1.39: +2 -2 lines
Diff to previous 1.39 (colored)

Revbump after boost update

Revision 1.39 / (download) - annotate - [select for diffs], Fri Sep 1 23:56:00 2017 UTC (6 years, 6 months ago) by gdt
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base, pkgsrc-2017Q4, pkgsrc-2017Q3-base, pkgsrc-2017Q3
Changes since 1.38: +4 -4 lines
Diff to previous 1.38 (colored) to selected 1.40 (colored)

Flip to pcre2

If pcre2 is installed, configure finds pcre2-config in /usr/pkg/bin,
even though it is not included via bl3, resulting in a build failure.
There's no reason to avoid moving to pcre2, and it's easier than
making clamav not find it.

Revision 1.38 / (download) - annotate - [select for diffs], Thu Aug 24 20:03:38 2017 UTC (6 years, 7 months ago) by adam
Branch: MAIN
Changes since 1.37: +2 -2 lines
Diff to previous 1.37 (colored) to selected 1.40 (colored)

Revbump for boost update

Revision 1.37 / (download) - annotate - [select for diffs], Fri Aug 18 15:19:49 2017 UTC (6 years, 7 months ago) by gdt
Branch: MAIN
Changes since 1.36: +2 -1 lines
Diff to previous 1.36 (colored) to selected 1.40 (colored)

Tidy Makefile.common (no functional change)

- Move PKGREVISION (unchanged) to Makefiles.
- Fix used-by annotation.
- Add PATCHDIR so clamav-doc has consistent distinfo/patches (even
  though clamav-doc just copies files that aren't patched).

Revision 1.36 / (download) - annotate - [select for diffs], Mon Jul 24 09:39:42 2017 UTC (6 years, 8 months ago) by maya
Branch: MAIN
Changes since 1.35: +2 -11 lines
Diff to previous 1.35 (colored) to selected 1.40 (colored)

rename cl_fmap's gets to my_gets to allow gets to be overridden by macro,
allows us to force-enable fortify. as far as I can tell this is an opaque
type.

drop workaround for netbsd 1.x

bump pkgrevision

Revision 1.35 / (download) - annotate - [select for diffs], Mon Jul 10 00:22:15 2017 UTC (6 years, 8 months ago) by gdt
Branch: MAIN
Changes since 1.34: +5 -1 lines
Diff to previous 1.34 (colored) to selected 1.40 (colored)

Disable fortify due to build failure

clamav defines a gets macro, which confuses fortify.  Until resolved,
disable fortify so that it builds.  (Note that SSP is still enabled;
clamav with SSP and without FORTIFY appears to work.)

Revision 1.34 / (download) - annotate - [select for diffs], Thu Jan 5 11:27:21 2017 UTC (7 years, 2 months ago) by roy
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2, pkgsrc-2017Q1-base, pkgsrc-2017Q1
Changes since 1.33: +3 -2 lines
Diff to previous 1.33 (colored) to selected 1.40 (colored)

Use the curses framework.
Punt silly buildlink deps.

Revision 1.33 / (download) - annotate - [select for diffs], Sat Sep 10 23:23:21 2016 UTC (7 years, 6 months ago) by szptvlfn
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base, pkgsrc-2016Q4, pkgsrc-2016Q3-base, pkgsrc-2016Q3
Changes since 1.32: +2 -1 lines
Diff to previous 1.32 (colored) to selected 1.40 (colored)

Bump PKGREVISION for NOT_PAX_MPROTECT_SAFE

Revision 1.32 / (download) - annotate - [select for diffs], Thu Jul 7 14:36:34 2016 UTC (7 years, 8 months ago) by jperkin
Branch: MAIN
Changes since 1.31: +2 -1 lines
Diff to previous 1.31 (colored) to selected 1.40 (colored)

Pull in GNU sed, required for correct LLVM detection.  Fixes SunOS.

Revision 1.31 / (download) - annotate - [select for diffs], Sun Jun 12 16:06:01 2016 UTC (7 years, 9 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2
Changes since 1.30: +2 -3 lines
Diff to previous 1.30 (colored) to selected 1.40 (colored)

Update clamav to 0.99.2, based on patch by Matthias Ferdinand
on pkgsrc-users.


Changes from 0.99.1 to 0.99.2 are available only in the ChangeLog and there
are too many to write here.  Please refer to the ChangeLog file.

0.99.1
------

ClamAV 0.99.1 contains a new feature for parsing Hancom Office files
including extracting and scanning embedded objects. ClamAV 0.99.1
also contains important bug fixes. Please see ChangeLog for details.

Revision 1.30 / (download) - annotate - [select for diffs], Mon Jun 6 22:49:36 2016 UTC (7 years, 9 months ago) by pgoyette
Branch: MAIN
Changes since 1.29: +3 -2 lines
Diff to previous 1.29 (colored) to selected 1.40 (colored)

bin/freshclam also needs paxctl +m

Bump revision

Revision 1.29 / (download) - annotate - [select for diffs], Mon May 30 12:25:36 2016 UTC (7 years, 10 months ago) by pgoyette
Branch: MAIN
Changes since 1.28: +4 -2 lines
Diff to previous 1.28 (colored) to selected 1.40 (colored)

Seems that clamd needs to disable mprotect.  Bump pkg revision.

Revision 1.28 / (download) - annotate - [select for diffs], Sat Mar 5 11:29:18 2016 UTC (8 years ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base, pkgsrc-2016Q1
Changes since 1.27: +2 -1 lines
Diff to previous 1.27 (colored) to selected 1.40 (colored)

Bump PKGREVISION for security/openssl ABI bump.

Revision 1.27 / (download) - annotate - [select for diffs], Fri Dec 11 16:31:06 2015 UTC (8 years, 3 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base, pkgsrc-2015Q4
Changes since 1.26: +4 -10 lines
Diff to previous 1.26 (colored) to selected 1.40 (colored)

ClamAV 0.99 contains major new features and changes. YARA rules,
Perl Compatible Regular Expressions, revamped on-access scanning
for Linux, and other new features join the many great features of ClamAV:

    - Processing of YARA rules (some limitations - see signatures.pdf).
    - Support in ClamAV logical signatures for many of the features
      added for YARA, such as Perl Compatible Regular Expressions,
      alternate strings, and YARA string attributes. See signatures.pdf
      for full details.
    - New and improved on-access scanning for Linux. See the recent blog
      post and clamdoc.pdf for details on the new on-access capabilities.
    - A new ClamAV API callback function that is invoked when a virus
      is found. This is intended primarily for applications running in
      all-match mode. Any applications using all-match mode must use
      the new callback function to record and report detected viruses.
    - Configurable default password list to attempt zip file decryption.
    - TIFF file support.
    - Upgrade Windows pthread library to 2.9.1.
    - A new signature target type for designating signatures to run
      against files with unknown file types.
    - Improved fidelity of the "data loss prevention" heuristic
      algorithm. Code supplied by Bill Parker.
    - Support for LZMA decompression within Adobe Flash files.
    - Support for MSO attachments within Microsoft Office 2003 XML files.
    - A new sigtool option (--ascii-normalize) allowing signature authors
      to more easily generate normalized versions of ascii files.
    - Windows installation directories changed from \Program Files\Sourcefire\
      ClamAV to \Program Files\ClamAV or \Program Files\ClamAV-x64.

Revision 1.26 / (download) - annotate - [select for diffs], Tue Aug 18 07:31:01 2015 UTC (8 years, 7 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2015Q3-base, pkgsrc-2015Q3
Changes since 1.25: +2 -2 lines
Diff to previous 1.25 (colored) to selected 1.40 (colored)

Bump all packages that depend on curses.bui* or terminfo.bui* since they
might incur ncurses dependencies on some platforms, and ncurses just bumped
its shlib.
Some packages were bumped twice now, sorry for that.

Revision 1.25, Mon Aug 17 17:11:19 2015 UTC (8 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.24: +2 -1 lines

Bump PKGREVISION for ncurses shlib bump.

Revision 1.23.2.1, Sun May 24 11:33:38 2015 UTC (8 years, 10 months ago) by tron
Branch: pkgsrc-2015Q1
Changes since 1.23: +2 -2 lines

Pullup ticket #4732 - requested by bouyer
security/clamav: security update

Revisions pulled up:
- security/clamav/Makefile                                      1.24
- security/clamav/Makefile.common                               1.2
- security/clamav/distinfo                                      1.19

---
   Module Name:	pkgsrc
   Committed By:	bouyer
   Date:		Wed May 20 21:15:26 UTC 2015

   Modified Files:
   	pkgsrc/security/clamav: Makefile Makefile.common distinfo

   Log Message:
   Update clamav to 0.98.7.
   This release contains new scanning features and bug fixes.
       - Improvements to PDF processing: decryption, escape sequence
         handling, and file property collection.
       - Scanning/analysis of additional Microsoft Office 2003 XML format.
       - Fix infinite loop condition on crafted y0da cryptor file. Identified
         and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
       - Fix crash on crafted petite packed file. Reported and patch
         supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
       - Fix false negatives on files within iso9660 containers. This issue
         was reported by Minzhuan Gong.
       - Fix a couple crashes on crafted upack packed file. Identified and
         patches supplied by Sebastian Andrzej Siewior.
       - Fix a crash during algorithmic detection on crafted PE file.
         Identified and patch supplied by Sebastian Andrzej Siewior.
       - Fix an infinite loop condition on a crafted "xz" archive file.
         This was reported by Dimitri Kirchner and Goulven Guiheux.
         CVE-2015-2668.
       - Fix compilation error after ./configure --disable-pthreads.
         Reported and fix suggested by John E. Krokes.
       - Apply upstream patch for possible heap overflow in Henry Spencer's
         regex library. CVE-2015-2305.
       - Fix crash in upx decoder with crafted file. Discovered and patch
         supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
       - Fix segfault scanning certain HTML files. Reported with sample by
         Kai Risku.
       - Improve detections within xar/pkg files.

Revision 1.24, Wed May 20 21:15:26 2015 UTC (8 years, 10 months ago) by bouyer
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base, pkgsrc-2015Q2
Changes since 1.23: +2 -2 lines

Update clamav to 0.98.7.
This release contains new scanning features and bug fixes.
    - Improvements to PDF processing: decryption, escape sequence
      handling, and file property collection.
    - Scanning/analysis of additional Microsoft Office 2003 XML format.
    - Fix infinite loop condition on crafted y0da cryptor file. Identified
      and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
    - Fix crash on crafted petite packed file. Reported and patch
      supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
    - Fix false negatives on files within iso9660 containers. This issue
      was reported by Minzhuan Gong.
    - Fix a couple crashes on crafted upack packed file. Identified and
      patches supplied by Sebastian Andrzej Siewior.
    - Fix a crash during algorithmic detection on crafted PE file.
      Identified and patch supplied by Sebastian Andrzej Siewior.
    - Fix an infinite loop condition on a crafted "xz" archive file.
      This was reported by Dimitri Kirchner and Goulven Guiheux.
      CVE-2015-2668.
    - Fix compilation error after ./configure --disable-pthreads.
      Reported and fix suggested by John E. Krokes.
    - Apply upstream patch for possible heap overflow in Henry Spencer's
      regex library. CVE-2015-2305.
    - Fix crash in upx decoder with crafted file. Discovered and patch
      supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
    - Fix segfault scanning certain HTML files. Reported with sample by
      Kai Risku.
    - Improve detections within xar/pkg files.

Revision 1.23, Tue Mar 17 08:55:57 2015 UTC (9 years ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2015Q1-base
Branch point for: pkgsrc-2015Q1
Changes since 1.22: +2 -2 lines

Bump PKGREVISION.

Missing entries for patch files might cause a broken binary package to be created.
Noted by bouyer@.

Revision 1.22, Sun Mar 15 00:52:53 2015 UTC (9 years ago) by taca
Branch: MAIN
Changes since 1.21: +4 -4 lines

* Add unit-test PKG_OPTIONS.
* Allow version information to be shared with another package
  (documentation).

Bump PKGREVISION.

Revision 1.20.2.1, Sun Mar 1 14:26:41 2015 UTC (9 years, 1 month ago) by tron
Branch: pkgsrc-2014Q4
Changes since 1.20: +2 -2 lines

Pullup ticket #4630 - requested by hiramatsu
security/clamav: security update

Revisions pulled up:
- security/clamav/Makefile                                      1.21
- security/clamav/distinfo                                      1.16

---
   Module Name:	pkgsrc
   Committed By:	hiramatsu
   Date:		Tue Feb 24 07:28:59 UTC 2015

   Modified Files:
   	pkgsrc/security/clamav: Makefile distinfo

   Log Message:
   Update clamav to 0.98.6.

   Changes from 0.98.5.
   --------------------
   - library shared object revisions.
   - installation issues on some Mac OS X and FreeBSD platforms.
   - includes a patch from Sebastian Andrzej Siewior making
     ClamAV pid files compatible with systemd.
   - Fix a heap out of bounds condition with crafted Yoda's
     crypter files. This issue was discovered by Felix Groebert
     of the Google Security Team.
   - Fix a heap out of bounds condition with crafted mew packer
     files. This issue was discovered by Felix Groebert of the
     Google Security Team.
   - Fix a heap out of bounds condition with crafted upx packer
     files. This issue was discovered by Kevin Szkudlapski of
     Quarkslab.
   - Fix a heap out of bounds condition with crafted upack packer
     files. This issue was discovered by Sebastian Andrzej Siewior.
     CVE-2014-9328.
   - Compensate a crash due to incorrect compiler optimization when
     handling crafted petite packer files. This issue was discovered
     by Sebastian Andrzej Siewior.

Revision 1.21, Tue Feb 24 07:28:59 2015 UTC (9 years, 1 month ago) by hiramatsu
Branch: MAIN
Changes since 1.20: +2 -2 lines

Update clamav to 0.98.6.

Changes from 0.98.5.
--------------------
- library shared object revisions.
- installation issues on some Mac OS X and FreeBSD platforms.
- includes a patch from Sebastian Andrzej Siewior making
  ClamAV pid files compatible with systemd.
- Fix a heap out of bounds condition with crafted Yoda's
  crypter files. This issue was discovered by Felix Groebert
  of the Google Security Team.
- Fix a heap out of bounds condition with crafted mew packer
  files. This issue was discovered by Felix Groebert of the
  Google Security Team.
- Fix a heap out of bounds condition with crafted upx packer
  files. This issue was discovered by Kevin Szkudlapski of
  Quarkslab.
- Fix a heap out of bounds condition with crafted upack packer
  files. This issue was discovered by Sebastian Andrzej Siewior.
  CVE-2014-9328.
- Compensate a crash due to incorrect compiler optimization when
  handling crafted petite packer files. This issue was discovered
  by Sebastian Andrzej Siewior.

Revision 1.20, Sat Dec 6 07:31:33 2014 UTC (9 years, 3 months ago) by khorben
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base
Branch point for: pkgsrc-2014Q4
Changes since 1.19: +2 -2 lines

Updated security/clamav to version 0.98.5

ChangeLog for this version:

Wed, 12 Nov 2014 14:30:39 EDT (swebb)
-------------------------------------
* bb11176 - Instruct OpenSSL to allow MD5 when in FIPS-compliant mode.
  Patch submitted by Reinhard Max.

Mon, 10 Nov 2014 11:03:29 EDT (swebb)
-------------------------------------
* bb11155 - Adjust the logic surrounding adjusting the PE section sizes
  This fixes a crash with maliciously crafted yoda's crypter files and
  also improves virus detections for PE files.

Thu, 6 Nov 2014 14:51:26 EDT (swebb)
-------------------------------------
* bb11088 - Merge in fixes for clamscan -a crash bug

Mon, 20 Oct 2014 11:33:18 EDT (swebb)
-------------------------------------
* Revert "bb#10731 - Allow to specify a group for the socket of which
  the user is not a member"

Thu, 31 Jul 2014 19:11:22 EDT (swebb)
-------------------------------------
* Add support for XDP PDF file format

Thu, Jul 31 11:50:23 EDT 2014 (swebb)
------------------------------------
* bb#10731 - Allow specification of a group for the milter socket of which
the user is not a member - patch submitted by Sebastian Andrzej Siewior

Fri, 25 Jul 2014 12:26:04 EDT (klin)
------------------------------------
* bb#10981 - applied LLVM 3.1-3.4 - patch submitted by Andreas Cadhalpun

Fri, 25 Jul 2014 12:06:13 (klin)
--------------------------------
* clambc: added diagnostic tools for bytecode IR

Tue, 8 Jul 2014 19:53:41 EDT (swebb)
------------------------------------
* mass cleanup of compiler warnings

Tue, 08 Jul 11:30:00 EDT 2014 (morgan)
------------------------------------
* 0.98.5 beta release

Mon, 07 Jul 09:00:00 EDT 2014 (swebb)
------------------------------------
* 0.98.5-beta1 release engineering

Thu, 03 Jul 22:14:40 EDT 2014 (swebb)
------------------------------------
* Call cl_initialize_crypto() in cl_init()

Thu, 03 Jul 16:28:10 EDT 2014 (swebb)
------------------------------------
* Finalize PDF parsing code for the preclassification feature

Wed, 25 Jun 16:26:33 EDT 2014 (swebb)
------------------------------------
* Finalize linking in libjson, a new optional dependency

Fri, 13 Jun 2014 16:11:15 EDT (smorgan)
---------------------------------------
* add timeout facility for file property scanning

Tue, 3 Jun 2014 13:31:50 EDT (smorgan)
--------------------------------------
* add callback for user processing of json string and json scan result

Wed, 7 May 2014 10:56:35 EDT (swebb)
------------------------------------
* PE file properties collection

Tue, 6 May 2014 15:26:30 EDT (klin)
-----------------------------------
* add api to read json to the bytecode api

Thu, 1 May 2014 16:59:01 EDT (klin)
-----------------------------------
* docx/pptx/xlsx file properties collection

Wed, 30 Apr 2014 16:38:55 EDT (swebb)
-------------------------------------
* pdf file properties collection

Tue, 22 Apr 2014 14:22:39 EDT (klin)
------------------------------------
* json api wrapper

Mon, 21 Apr 2014 18:30:28 EDT (klin)
------------------------------------
* doc/ppt/xls file properties collection

Wed, 16 Apr 18:14:45 2014 EDT (smorgan)
--------------------------------------
* Initial libjson-c configure/build support and json file properties work

Revision 1.19, Thu Oct 9 14:06:51 2014 UTC (9 years, 5 months ago) by wiz
Branch: MAIN
Changes since 1.18: +1 -3 lines

Remove pkgviews: don't set PKG_INSTALLATION_TYPES in Makefiles.

Revision 1.18, Wed Jul 2 11:38:28 2014 UTC (9 years, 8 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2014Q3-base, pkgsrc-2014Q3
Changes since 1.17: +2 -2 lines

Changes 0.98.4:
- Various build problems on Solaris, OpenBSD, AIX.
- Crashes of clamd on Windows and Mac OS X platforms when reloading the virus signature database.
- Infinite loop in clamdscan when clamd is not running.
- Freshclam failure on Solaris 10.
- Buffer underruns when handling multi-part MIME email attachments.
- Configuration of OpenSSL on various platforms.
- Name collisions on Ubuntu 14.04, Debian sid, and Slackware 14.1.
- Linking issues with libclamunrar

Revision 1.17, Thu May 8 16:01:09 2014 UTC (9 years, 10 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2014Q2-base, pkgsrc-2014Q2
Changes since 1.16: +11 -3 lines

Update to clamav-0.98.3.  Changes:

 - Support for common raw disk image formats using 512 byte sectors,
   specifically GPT, APM, and MBR partitioning.

 - Experimental support of OpenIOC files. ClamAV will now extract file
   hashes from OpenIOC files residing in the signature database location,
   and generate ClamAV hash signatures. ClamAV uses no other OpenIOC
   features at this time. No OpenIOC files will be delivered through
   freshclam. See openioc.org and iocbucket.com for additional information
   about OpenIOC.

 - All ClamAV sockets (clamd, freshclam, clamav-milter, clamdscan, clamdtop)
   now support IPV6 addresses and configuration parameters.

 - Use OpenSSL file hash functions for improved performance. OpenSSL
   is now prerequisite software for ClamAV 0.98.3.

 - Improved detection of malware scripts within image files. Issue reported
   by Maarten Broekman.

 - Change to circumvent possible denial of service when processing icons within
   specially crafted PE files. Icon limits are now in place with corresponding
   clamd and clamscan configuration parameters. This issue was reported by
   Joxean Koret.

 - Improvements to the fidelity of the ClamAV pattern matcher, an issue
   reported by Christian Blichmann.

 - Opt-in collection of statistics. Statistics collected are: sizes and MD5
   hashes of files, PE file section counts and section MD5 hashes, and names
   and counts of detected viruses. Enable statistics collection with the
   --enable-stats clamscan flag or StatsEnabled clamd configuration
   parameter.

 - Improvements to ClamAV build process, unit tests, and platform support with
   assistance and suggestions by Sebastian Andrzej Siewior, Scott Kitterman,
   and Dave Simonson.

 - Patch by Arkadiusz Miskiewicz to improve error handling in freshclam.

 - ClamAV 0.98.3 also includes miscellaneous bug fixes and documentation
   improvements.

Revision 1.16, Thu May 8 10:19:53 2014 UTC (9 years, 10 months ago) by jperkin
Branch: MAIN
Changes since 1.15: +2 -1 lines

Pull in libxml2 for additional functionality, from Matthias Ferdinand.

Revision 1.15, Tue Mar 11 14:34:39 2014 UTC (10 years ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2014Q1-base, pkgsrc-2014Q1
Changes since 1.14: +11 -2 lines

Import initial SMF support for individual packages.

Revision 1.14, Thu Jan 16 09:51:54 2014 UTC (10 years, 2 months ago) by adam
Branch: MAIN
Changes since 1.13: +2 -2 lines

ClamAV 0.98.1 provides improved support of Mac OS X platform, support for new file types, and
quality improvements. These include:

    - Extraction, decompression, and scanning of files within Apple Disk Image (DMG) format.

    - Extraction, decompression, and scanning of files within Extensible Archive (XAR) format.
      XAR format is commonly used for software packaging, such as PKG and RPM, as well as
      general archival.

    - Decompression and scanning of files in "Xz" compression format.

    - Improvements and fixes to extraction and scanning of ole formats.

    - Option to force all scanned data to disk. This impacts only a few file types where
      some embedded content is normally scanned in memory. Enabling this option
      ensures that a file descriptor exists when callback functions are used, at a small
      performance cost. This should only be needed when callback functions are used
      that need file access.

    - Various improvements to ClamAV configuration, support of third party libraries,
      and unit tests.

Revision 1.13, Wed Oct 2 18:30:13 2013 UTC (10 years, 5 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base, pkgsrc-2013Q4
Changes since 1.12: +11 -6 lines

ClamAV 0.98 includes many new features, across many different components
of ClamAV. There are new scanning options, extensions to the libclamav API,
support for additional filetypes, and internal upgrades.

Revision 1.12, Tue Apr 23 18:27:41 2013 UTC (10 years, 11 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2013Q3-base, pkgsrc-2013Q3, pkgsrc-2013Q2-base, pkgsrc-2013Q2
Changes since 1.11: +2 -2 lines

Changes 0.97.8:
ClamAV 0.97.8 addresses several reported potential security bugs.

Revision 1.11, Fri Mar 15 08:48:37 2013 UTC (11 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2013Q1-base, pkgsrc-2013Q1
Changes since 1.10: +2 -2 lines

Changes 0.97.7:
This is a bugfix release.

Revision 1.8.2.1, Tue Oct 23 18:30:37 2012 UTC (11 years, 5 months ago) by tron
Branch: pkgsrc-2012Q3
Changes since 1.8: +2 -2 lines

Pullup ticket #3953 - requested by wiz
security/clamav: security update

Revisions pulled up:
- security/clamav/Makefile                                      1.9
- security/clamav/distinfo                                      1.7

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Wed Oct  3 10:39:13 UTC 2012

   Modified Files:
   	pkgsrc/security/clamav: Makefile distinfo

   Log Message:
   ClamAV 0.97.6 includes minor bug fixes and detection improvements.

Revision 1.10, Tue Oct 23 18:16:22 2012 UTC (11 years, 5 months ago) by asau
Branch: MAIN
CVS Tags: pkgsrc-2012Q4-base, pkgsrc-2012Q4
Changes since 1.9: +1 -2 lines

Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.

Revision 1.9, Wed Oct 3 10:39:13 2012 UTC (11 years, 5 months ago) by adam
Branch: MAIN
Changes since 1.8: +2 -2 lines

ClamAV 0.97.6 includes minor bug fixes and detection improvements.

Revision 1.8, Mon Jul 2 07:12:58 2012 UTC (11 years, 8 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base
Branch point for: pkgsrc-2012Q3
Changes since 1.7: +3 -7 lines

Changes 0.97.5:
* libclamav: Scan output at end of truncated tar
* libclamav: Fix handling of tar file with malformed header
* libclamav: Scan chm with invalid handling
* freshclam: give custom dbs higher priority during update
* libclamav: detect read races and abort the scan with an error
* libclamav/pe.c: drop old header check

Revision 1.7, Thu Jan 26 06:34:19 2012 UTC (12 years, 2 months ago) by sbd
Branch: MAIN
CVS Tags: pkgsrc-2012Q2-base, pkgsrc-2012Q2, pkgsrc-2012Q1-base, pkgsrc-2012Q1
Changes since 1.6: +2 -4 lines

Use SET_LIBDIR with packages that want to use lib64

Revision 1.6, Tue Jan 17 21:43:21 2012 UTC (12 years, 2 months ago) by sbd
Branch: MAIN
Changes since 1.5: +4 -3 lines

Convert packages that add --libdir=* to CONFIGURE_ARGS to use
GNU_CONFIGURE_LIBDIR or GNU_CONFIGURE_LIBSUBDIR.

Revision 1.4.2.1, Wed Nov 2 20:19:28 2011 UTC (12 years, 4 months ago) by tron
Branch: pkgsrc-2011Q3
Changes since 1.4: +2 -2 lines

Pullup ticket #3585 - requested by tez
security/clamav: security update

Revisions pulled up:
- security/clamav/Makefile                                      1.5
- security/clamav/distinfo                                      1.5

---
   Module Name:    pkgsrc
   Committed By:   tez
   Date:           Wed Oct 26 17:55:05 UTC 2011

   Modified Files:
           pkgsrc/security/clamav: Makefile distinfo

   Log Message:
   update to 0.97.3 fixes SA46455
   freshclam/manager.c: fix error when compiling without DNS support (bb#3056)
   libclamav/pdf.c: flag and dump PDF objects with /Launch (bb #3514)
   libclamav/bytecode.c,bytecode_api.c: fix recursion level crash

Revision 1.5, Wed Oct 26 17:55:05 2011 UTC (12 years, 5 months ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base, pkgsrc-2011Q4
Changes since 1.4: +1 -1 lines

update to 0.97.3 fixes SA46455
freshclam/manager.c: fix error when compiling without DNS support (bb#3056)
libclamav/pdf.c: flag and dump PDF objects with /Launch (bb #3514)
libclamav/bytecode.c,bytecode_api.c: fix recursion level crash

Revision 1.2.4.2, Thu Jul 28 02:30:16 2011 UTC (12 years, 8 months ago) by sbd
Branch: pkgsrc-2011Q2
Changes since 1.2.4.1: +1 -1 lines

Pullup ticket #3480 - requested by obache
security/clamav security update

Revisions pulled up:
- security/clamav/Makefile                                      1.4
- security/clamav/distinfo                                      1.4

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Mon Jul 25 22:59:12 UTC 2011

   Modified Files:
   	pkgsrc/security/clamav: Makefile distinfo

   Log Message:
   Changes 0.97.2
   ClamAV 0.97.2 fixes problems with the bytecode engine, Safebrowsing detection,
   hash matcher, and other minor issues. Please see the ChangeLog file for
   details.

Revision 1.4, Mon Jul 25 22:59:12 2011 UTC (12 years, 8 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2011Q3-base
Branch point for: pkgsrc-2011Q3
Changes since 1.3: +2 -2 lines

Changes 0.97.2
ClamAV 0.97.2 fixes problems with the bytecode engine, Safebrowsing detection,
hash matcher, and other minor issues. Please see the ChangeLog file for
details.

Revision 1.2.4.1, Fri Jul 8 16:33:12 2011 UTC (12 years, 8 months ago) by tron
Branch: pkgsrc-2011Q2
Changes since 1.2: +2 -3 lines

Pullup ticket #3466 - requested by adam
security/clamav: bug fix update

Revisions pulled up:
- security/clamav/Makefile                                      1.3
- security/clamav/PLIST                                         1.2
- security/clamav/distinfo                                      1.3
- security/clamav/patches/patch-ad                              1.2
- security/clamav/patches/patch-af                              1.2

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Fri Jul  8 09:28:06 UTC 2011

   Modified Files:
           pkgsrc/security/clamav: Makefile PLIST distinfo
           pkgsrc/security/clamav/patches: patch-ad patch-af

   Log Message:
   Changes 0.97.1:
   This is a bugfix release recommended for all users. Please refer to the
   ChangeLog file for details.

Revision 1.3, Fri Jul 8 09:28:06 2011 UTC (12 years, 8 months ago) by adam
Branch: MAIN
Changes since 1.2: +2 -3 lines

Changes 0.97.1:
This is a bugfix release recommended for all users. Please refer to the
ChangeLog file for details.

Revision 1.1.1.1.2.1, Sat Mar 5 23:06:05 2011 UTC (13 years ago) by schnoebe
Branch: pkgsrc-2010Q4
Changes since 1.1.1.1: +4 -2 lines

Pull up ticket 3376, requested by tron@

   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Tue Feb  8 07:56:09 UTC 2011

   Modified Files:
	   pkgsrc/security/clamav: Makefile distinfo

   Log Message:
   Changes 0.97:
   ClamAV 0.97 brings many improvements, including complete Windows
   support (all major components compile out-of-box under Visual
   Studio), support for signatures based on SHA1 and SHA256, better
   error detection, as well as speed and memory optimizations. The
   complete list of changes is available in the ChangeLog file.

Revision 1.2, Tue Feb 8 07:56:09 2011 UTC (13 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2011Q2-base, pkgsrc-2011Q1-base, pkgsrc-2011Q1
Branch point for: pkgsrc-2011Q2
Changes since 1.1: +4 -2 lines

Changes 0.97:
ClamAV 0.97 brings many improvements, including complete Windows support
(all major components compile out-of-box under Visual Studio), support for
signatures based on SHA1 and SHA256, better error detection, as well as
speed and memory optimizations. The complete list of changes is available
in the ChangeLog file.

Revision 1.1.1.1 (vendor branch), Fri Dec 24 07:11:05 2010 UTC (13 years, 3 months ago) by kefren
Branch: TNF
CVS Tags: pkgsrc-base, pkgsrc-2010Q4-base
Branch point for: pkgsrc-2010Q4
Changes since 1.1: +0 -0 lines

Move clamav into security/. No objections on tech-pkg@
Part of PR/32554

Revision 1.1, Fri Dec 24 07:11:05 2010 UTC (13 years, 3 months ago) by kefren
Branch: MAIN

Initial revision
