News: Add notes for changes in 1.0.2 patch version

Cisco-Talos · Aug 15, 2023 · f5e0712 · f5e0712
1 parent 965cf3d
commit f5e0712
Showing 1 changed file with 53 additions and 0 deletions.
diff --git a/NEWS.md b/NEWS.md
@@ -7,7 +7,60 @@ differ slightly from third-party binary packages.
 
 ClamAV 1.0.2 is a critical patch release with the following fixes:
 
+- [CVE-2023-20197](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20197)
+  Fixed a possible denial of service vulnerability in the HFS+ file parser.
+  This issue affects versions 1.1.0, 1.0.1 through 1.0.0, 0.105.2 through 0.105.0,
+  0.104.4 through 0.104.0, and 0.103.8 through 0.103.0.
+  Thank you to Steve Smith for reporting this issue.
+
+- [CVE-2023-20212](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20212)
+  Fixed a possible denial of service vulnerability in the AutoIt file parser.
+  This issue affects versions 1.0.1 and 1.0.0.
+  This issue does not affect version 1.1.0.
+
+- Fixed a build issue when using the Rust nightly toolchain, which was
+  affecting the oss-fuzz build environment used for regression tests.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/996
+
+- Fixed a build issue on Windows when using Rust version 1.70 or newer.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/993
+
+- CMake build system improvement to support compiling with OpenSSL 3.x on
+  macOS with the Xcode toolchain.
+
+  The official ClamAV installers and packages are now built with OpenSSL 3.1.1
+  or newer.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/973
+
+- Fixed an issue where ClamAV does not abort the signature load process after
+  partially loading an invalid signature.
+  The bug would later cause a crash when scanning certain files.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/952
+
+- Fixed an issue so that ClamAV correctly removes temporary files generated
+  by the VBA and XLM extraction modules so that the files are not leaked in
+  patched versions of ClamAV where temporary files are written directly to the
+  temp-directory instead of writing to a unique subdirectory.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/900
+
+- Set Git attributes to prevent Git from altering line endings for bundled Rust
+  libraries. Third-party Rust libraries are bundled in the ClamAV release
+  tarball. We do not commit them to our own Git repository, but community
+  package maintainers may now store the tarball contents in Git.
+  The Rust build system verifies the library manifest, and this change
+  ensures that the hashes are correct.
+  Improvement courtesy of Nicolas R.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/856
+
+- Fixed two bugs that would cause Freshclam to fail update when applying a
+  CDIFF database patch if that patch adds a file to the database archive
+  or removes a file from the database archive.
+  This bug also caused Sigtool to fail to create such a patch.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/901
+
 Special thanks to the following people for code contributions and bug reports:
+- Nicolas R.
+- Steve Smith
 
 ## 1.0.1