SUSE-SU-2025:0327-1: important: Security update for clamav
SLE-SECURITY-UPDATES
null at suse.de
Mon Feb 3 12:32:15 UTC 2025
# Security update for clamav
Announcement ID: SUSE-SU-2025:0327-1
Release Date: 2025-02-03T09:39:44Z
Rating: important
References:
* bsc#1102840
* bsc#1103032
* bsc#1180296
* bsc#1202986
* bsc#1211594
* bsc#1214342
* bsc#1232242
* bsc#1236307
* jsc#PED-4596
Cross-References:
* CVE-2018-14679
* CVE-2023-20197
* CVE-2024-20380
* CVE-2024-20505
* CVE-2024-20506
* CVE-2025-20128
CVSS scores:
* CVE-2018-14679 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
* CVE-2018-14679 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2023-20197 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-20197 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-20380 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-20505 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-20505 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-20505 ( NVD ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2024-20505 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-20506 ( SUSE ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2024-20506 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
* CVE-2024-20506 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
* CVE-2024-20506 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
* CVE-2025-20128 ( SUSE ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-20128 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2025-20128 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-20128 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
* Basesystem Module 15-SP6
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
An update that solves six vulnerabilities, contains one feature and has two
security fixes can now be installed.
## Description:
This update for clamav fixes the following issues:
New version 1.4.2:
* CVE-2025-20128, bsc#1236307: Fixed a possible buffer overflow read bug in
the OLE2 file parser that could cause a denial-of-service (DoS) condition.
* Start clamonacc with --fdpass to avoid errors due to clamd not being able to
access user files. (bsc#1232242)
* New version 1.4.1:
* https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html
* New version 1.4.0:
* Added support for extracting ALZ archives.
* Added support for extracting LHA/LZH archives.
* Added the ability to disable image fuzzy hashing, if needed. For context,
image fuzzy hashing is a detection mechanism useful for identifying malware
by matching images included with the malware or phishing email/document.
* https://blog.clamav.net/2024/08/clamav-140-feature-release-and-clamav.html
* New version 1.3.2:
* CVE-2024-20506: Changed the logging module to disable following symlinks on
Linux and Unix systems so as to prevent an attacker with existing access to
the 'clamd' or 'freshclam' services from using a symlink to corrupt system
files.
* CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF file
parser that could cause a denial-of-service condition.
* Removed unused Python modules from freshclam tests including deprecated
'cgi' module that is expected to cause test failures in Python 3.13.
* Fix unit test caused by expiring signing certificate.
* Fixed a build issue on Windows with newer versions of Rust. Also upgraded
GitHub Actions imports to fix CI failures.
* Fixed an unaligned pointer dereference issue on select architectures.
* Fixes to Jenkins CI pipeline.
* New Version: 1.3.1:
* CVE-2024-20380: Fixed a possible crash in the HTML file parser that could
cause a denial-of-service (DoS) condition.
* Updated select Rust dependencies to the latest versions.
* Fixed a bug causing some text to be truncated when converting from UTF-16.
* Fixed assorted complaints identified by Coverity static analysis.
* Fixed a bug causing CVDs downloaded by the DatabaseCustomURL
* Added the new 'valhalla' database name to the list of optional databases in
preparation for future work.
* New version: 1.3.0:
* Added support for extracting and scanning attachments found in Microsoft
OneNote section files. OneNote parsing will be enabled by default, but may
be optionally disabled.
* Added file type recognition for compiled Python ('.pyc') files.
* Improved support for decrypting PDFs with empty passwords.
* Fixed a warning when scanning some HTML files.
* ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.
* ClamOnAcc: Fixed an infinite loop when a file has been deleted before a
scan.
* New version: 1.2.0:
* Added support for extracting Universal Disk Format (UDF) partitions.
* Added an option to customize the size of ClamAV's clean file cache.
* Raised the MaxScanSize limit so the total amount of data scanned when
scanning a file or archive may exceed 4 gigabytes.
* Added ability for Freshclam to use a client certificate PEM file and a
private key PEM file for authentication to a private mirror.
* Fix an issue extracting files from ISO9660 partitions where the files are
listed in the plain ISO tree and there also exists an empty Joliet tree.
* PID and socket are now located under /run/clamav/clamd.pid and
/run/clamav/clamd.sock .
* bsc#1211594: Fixed an issue where ClamAV does not abort the signature load
process after partially loading an invalid signature.
* New version 1.1.0:
* https://blog.clamav.net/2023/05/clamav-110-released.html
* Added the ability to extract images embedded in HTML CSS <style> blocks.
* Updated to Sigtool so that the '\--vba' option will extract VBA code from
Microsoft Office documents the same way that libclamav extracts VBA.
* Added a new option --fail-if-cvd-older-than=days to clamscan and clamd, and
FailIfCvdOlderThan to clamd.conf
* Added a new function 'cl_cvdgetage()' to the libclamav API.
* Added a new function 'cl_engine_set_clcb_vba()' to the libclamav API.
* bsc#1180296: Integrate clamonacc as a service.
* New version 1.0.1 LTS (including changes in 0.104 and 0.105):
* As of ClamAV 0.104, CMake is required to build ClamAV.
* As of ClamAV 0.105, Rust is now required to compile ClamAV.
* Increased the default limits for file and scan size:
* MaxScanSize: 100M to 400M
* MaxFileSize: 25M to 100M
* StreamMaxLength: 25M to 100M
* PCREMaxFileSize: 25M to 100M
* MaxEmbeddedPE: 10M to 40M
* MaxHTMLNormalize: 10M to 40M
* MaxScriptNormalize: 5M to 20M
* MaxHTMLNoTags: 2M to 8M
* Added image fuzzy hash subsignatures for logical signatures.
* Support for decrypting read-only OLE2-based XLS files that are encrypted
with the default password.
* Overhauled the implementation of the all-match feature.
* Added a new callback to the public API for inspecting file content during a
scan at each layer of archive extraction.
* Added a new function to the public API for unpacking CVD signature archives.
* The option to build with an external TomsFastMath library has been removed.
ClamAV requires non-default build options for TomsFastMath to support bigger
floating point numbers.
* For a full list of changes see the release announcements:
* https://blog.clamav.net/2022/11/clamav-100-lts-released.html
* https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
* https://blog.clamav.net/2021/09/clamav-01040-released.html
* Build clamd with systemd support.
* CVE-2023-20197: Fixed a possible denial of service vulnerability in the HFS+
file parser. (bsc#1214342)
* CVE-2018-14679: Fixed that an issue was discovered in mspack/chmd.c in
libmspack before 0.7alpha. There isan off-by-one error in the CHM PMGI/PMGL
chunk number validity checks, which could lead to denial of service
(uninitialized da (bsc#1103032)
* Package huge .html documentation in a separate subpackage.
* Update to 0.103.7 (bsc#1202986)
* Zip parser: tolerate 2-byte overlap in file entries
* Fix bug with logical signature Intermediates feature
* Update to UnRAR v6.1.7
* Patch UnRAR: allow skipping files in solid archives
* Patch UnRAR: limit dict winsize to 1GB
* Use a split-provides for clamav-milter instead of recommending it.
* Package clamav-milter in a subpackage
* Remove virus signatures upon uninstall
* Check for database existence before starting clamd
* Restart clamd when it exits
* Don't daemonize freshclam, but use a systemd timer instead to trigger
updates
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
zypper in -t patch SUSE-2025-327=1 openSUSE-SLE-15.6-2025-327=1
* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-327=1
## Package List:
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* clamav-1.4.2-150600.18.6.1
* libfreshclam3-debuginfo-1.4.2-150600.18.6.1
* libclamav12-1.4.2-150600.18.6.1
* clamav-devel-1.4.2-150600.18.6.1
* libclammspack0-debuginfo-1.4.2-150600.18.6.1
* clamav-debuginfo-1.4.2-150600.18.6.1
* libfreshclam3-1.4.2-150600.18.6.1
* libclamav12-debuginfo-1.4.2-150600.18.6.1
* clamav-debugsource-1.4.2-150600.18.6.1
* libclammspack0-1.4.2-150600.18.6.1
* clamav-milter-debuginfo-1.4.2-150600.18.6.1
* clamav-milter-1.4.2-150600.18.6.1
* openSUSE Leap 15.6 (noarch)
* clamav-docs-html-1.4.2-150600.18.6.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* clamav-1.4.2-150600.18.6.1
* libfreshclam3-debuginfo-1.4.2-150600.18.6.1
* libclamav12-1.4.2-150600.18.6.1
* clamav-devel-1.4.2-150600.18.6.1
* libclammspack0-debuginfo-1.4.2-150600.18.6.1
* clamav-debuginfo-1.4.2-150600.18.6.1
* libfreshclam3-1.4.2-150600.18.6.1
* libclamav12-debuginfo-1.4.2-150600.18.6.1
* clamav-debugsource-1.4.2-150600.18.6.1
* libclammspack0-1.4.2-150600.18.6.1
* clamav-milter-debuginfo-1.4.2-150600.18.6.1
* clamav-milter-1.4.2-150600.18.6.1
* Basesystem Module 15-SP6 (noarch)
* clamav-docs-html-1.4.2-150600.18.6.1
## References:
* https://www.suse.com/security/cve/CVE-2018-14679.html
* https://www.suse.com/security/cve/CVE-2023-20197.html
* https://www.suse.com/security/cve/CVE-2024-20380.html
* https://www.suse.com/security/cve/CVE-2024-20505.html
* https://www.suse.com/security/cve/CVE-2024-20506.html
* https://www.suse.com/security/cve/CVE-2025-20128.html
* https://bugzilla.suse.com/show_bug.cgi?id=1102840
* https://bugzilla.suse.com/show_bug.cgi?id=1103032
* https://bugzilla.suse.com/show_bug.cgi?id=1180296
* https://bugzilla.suse.com/show_bug.cgi?id=1202986
* https://bugzilla.suse.com/show_bug.cgi?id=1211594
* https://bugzilla.suse.com/show_bug.cgi?id=1214342
* https://bugzilla.suse.com/show_bug.cgi?id=1232242
* https://bugzilla.suse.com/show_bug.cgi?id=1236307
* https://jira.suse.com/browse/PED-4596
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20250203/78ed3679/attachment.htm>
More information about the sle-security-updates
mailing list