diff --git a/NEWS.md b/NEWS.md index 3cfac39931..f139701469 100644 --- a/NEWS.md +++ b/NEWS.md 
@@ -7,7 +7,60 @@ differ slightly from third-party binary packages. ClamAV 1.0.2 is a critical patch release with the following fixes: +- [CVE-2023-20197](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20197) + Fixed a possible denial of service vulnerability in the HFS+ file parser. + This issue affects versions 1.1.0, 1.0.1 through 1.0.0, 0.105.2 through 0.105.0, + 0.104.4 through 0.104.0, and 0.103.8 through 0.103.0. + Thank you to Steve Smith for reporting this issue. + +- [CVE-2023-20212](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20212) + Fixed a possible denial of service vulnerability in the AutoIt file parser. + This issue affects versions 1.0.1 and 1.0.0. + This issue does not affect version 1.1.0. + +- Fixed a build issue when using the Rust nightly toolchain, which was + affecting the oss-fuzz build environment used for regression tests. + - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/996 + +- Fixed a build issue on Windows when using Rust version 1.70 or newer. + - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/993 + +- CMake build system improvement to support compiling with OpenSSL 3.x on + macOS with the Xcode toolchain. + + The official ClamAV installers and packages are now built with OpenSSL 3.1.1 + or newer. + - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/973 + +- Fixed an issue where ClamAV does not abort the signature load process after + partially loading an invalid signature. + The bug would later cause a crash when scanning certain files. + - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/952 + +- Fixed an issue so that ClamAV correctly removes temporary files generated + by the VBA and XLM extraction modules so that the files are not leaked in + patched versions of ClamAV where temporary files are written directly to the + temp-directory instead of writing to a unique subdirectory. 
+ - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/900 + +- Set Git attributes to prevent Git from altering line endings for bundled Rust + libraries. Third-party Rust libraries are bundled in the ClamAV release + tarball. We do not commit them to our own Git repository, but community + package maintainers may now store the tarball contents in Git. + The Rust build system verifies the library manifest, and this change + ensures that the hashes are correct. + Improvement courtesy of Nicolas R. + - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/856 + +- Fixed two bugs that would cause Freshclam to fail update when applying a + CDIFF database patch if that patch adds a file to the database archive + or removes a file from the database archive. + This bug also caused Sigtool to fail to create such a patch. + - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/901 + Special thanks to the following people for code contributions and bug reports: +- Nicolas R. +- Steve Smith ## 1.0.1
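Review bot: two of the new NEWS entries in this hunk read awkwardly and would benefit from a wording pass before release. The Freshclam entry says "would cause Freshclam to fail update when applying a CDIFF database patch"; this should be "fail to update when applying ...". The temp-file entry stacks two "so that" clauses into one sentence ("Fixed an issue so that ClamAV correctly removes temporary files ... so that the files are not leaked ..."); splitting it, e.g. "Fixed an issue where ClamAV did not remove temporary files generated by the VBA and XLM extraction modules. Previously, the files could be leaked in patched builds that write temporary files directly to the temp directory instead of a unique subdirectory.", makes the cause and effect clearer. Minor: the affected-version ranges in the CVE-2023-20197 entry are listed in descending order ("1.0.1 through 1.0.0", "0.105.2 through 0.105.0"); ascending order ("1.0.0 through 1.0.1") matches how most readers scan version ranges and avoids the impression that a range is reversed.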