From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [Clamav-announce] ClamAV® blog: ClamAV 0.104.0 released
Date: Sat, 04 Sep 2021 12:38:18 +0100
Message-ID: <93151ACE-7569-4DAB-8D2C-1DED33B54373@ipfire.org>

Hello,

> On 4 Sep 2021, at 04:58, Matthias Fischer wrote:
>
> Hi all,
>
> On 03.09.2021 18:36, Stefan Schantl wrote:
>> Hello Michael, Hello Matthias, Hello list,
>>> Hello everyone,
>>>
>>> I just received this announcement that clamav 0.104.0 has been
>>> released.
>>>
>>> The interesting things for us are the changes in the build system:
>>>
>>> * It now requires cmake which isn’t a problem
>
> Yep. Done.
> I already did a few - early tests with 'clamav 0.104-rc'. I'm still not
> 100% sure about the needed options, but it builds (see attached lfs-file).
>
>>> * It now requires LLVM which we don’t have
>>>
>>> LLVM is probably going to be large, but Stefan has already played
>>> around with it and we might be able to merge his patches. So, Stefan,
>>> could you please post them? I suppose Matthias is the de-facto
>>> maintainer of clamav. You will need to merge these patches locally to
>>> see if clamav is happy with what Stefan has built.
>>
>> I've created and pushed a new LLVM git branch in my personal git
>> repository, which builds the LLVM compiler suite.
>>
>> https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=shortlog;h=refs/heads/llvm
>>
>> I hope this will do the trick with the new clamav version.
>
> I'm not sure at this point.
>
> I think we need to add something like "-D BYTECODE_RUNTIME="llvm" \" for
> building 'clamav'.
>
> Stefan provided the current 'llvm 12.0.1'. Thanks again!
>
> But the clamav announcement - please read below - says:
> "We hoped to add support for newer versions of LLVM, but ran out of
> time. If you're building ClamAV from source and you wish to use LLVM
> instead of the bytecode interpreter, you will need to supply the
> development libraries for LLVM version 3.6.2."

This is outrageous. ClamAV is owned by Cisco, a multi-billion dollar company
that cannot afford to do things right. I hope they have a different strategy
for their other products.

LLVM 3.6.2 was released in 2015 (https://releases.llvm.org). This is a 6 year
old release that is no longer maintained and I suppose many bugs and security
issues have been fixed in the meantime.

> First build - *without* BYTECODE_RUNTIME="llvm" - seems to build ok,
> next I'll test building *with* this option. I'm just a bit puzzled if I
> should use 12.0.1 or 3.6.2. The latter is a bit old(!?). Or do I miss
> something?

If it won’t build with recent releases we are facing the question whether
we want to ship old and outdated software that nobody cares for any more
and disable the functionality altogether. What is better? Not scanning certain
signatures, or exposing the firewall to being exploited through its virus
scanner?

I vote for disabling the bytecode runtime.

> And since the 'llvm' rootfile is quite large: does anyone have an idea
> what llvm-parts (/usr/bin/...? /usr/lib/...?) are needed (see attachment).

Probably some libraries which we could have seen by checking what clamav is
linked against (with lld). But that is a kind of moot question now :)

Thank you for investigating this.

-Michael

> Best,
> Matthias
>
>> Best regards,
>>
>> -Stefan
>>
>>>
>>> This will be an interesting project :)
>
> I think so... ;-)
>
>>> -Michael
>>>
>>>> Begin forwarded message:
>>>>
>>>> From: "Joel Esler (jesler)"
>>>> Subject: [Clamav-announce] ClamAV® blog: ClamAV 0.104.0 released
>>>> Date: 3 September 2021 at 16:51:29 BST
>>>> To: "ClamAV-announce(a)lists.clamav.net" <
>>>> ClamAV-announce(a)lists.clamav.net>, "clamav-users(a)lists.clamav.net"
>>>> Reply-To: noreply(a)clamav.net
>>>>
>>>>> https://blog.clamav.net/2021/09/clamav-01040-released.html
>>>>>
>>>>> ClamAV 0.104.0 released
>>>>>
>>>>> ClamAV 0.104.0 is available as an official release as of today.
>>>>> We are also announcing a new Long Term Support (LTS) program
>>>>> today in an update to our End-of-Life (EOL) policy. The LTS will
>>>>> start retroactively with ClamAV 0.103, the previous feature
>>>>> release. This new LTS policy extends the life of 0.103 up through
>>>>> September 2023 and will facilitate the production of more
>>>>> frequent feature releases while enabling users to rely on a
>>>>> supported version for years to come if they cannot keep pace with
>>>>> the feature release cadence. For full details about the Long Term
>>>>> Support program, you can see the LTS announcement blog post and
>>>>> review the LTS policy in our online documentation.
>>>>> We're also introducing new install packages to make it easier for
>>>>> folks to upgrade without having to build ClamAV from source and
>>>>> without having to wait for a community volunteer to package the
>>>>> latest release. You can find the new install packages on the
>>>>> ClamAV.net Downloads Page.
>>>>> Today you can find:
>>>>> * x86_64 and i686 RPM packages compatible with RPM-based Linux
>>>>>   distributions running glibc version 2.17 or newer.
>>>>> * x86_64 and i686 DEB packages compatible with Debian-based
>>>>>   Linux distributions running glibc version 2.23 or newer.
>>>>> * An x86_64/ARM64 macOS installer package is compatible with
>>>>>   Intel and Apple M1 systems.
>>>>> * x64 and win32 Windows packages are compatible with Windows 7
>>>>>   and newer.
>>>>> In the future, we hope to supplement these with ARM64 Linux DEB
>>>>> and RPM packages and an x86_64 FreeBSD package.
>>>>> Please note that you may find installations in this release
>>>>> require more manual configuration than when using a preconfigured
>>>>> package provided by a Linux or Unix distribution. See our
>>>>> installation instructions on clamav.net for more information.
>>>>> ClamAV 0.104.0 includes the following improvements and changes.
>>>>>
>>>>> New Requirements
>>>>> * As of ClamAV 0.104, CMake is required to build ClamAV.
>>>>>   We have added comprehensive build instructions for using
>>>>>   CMake to the new INSTALL.md file. The online documentation will
>>>>>   also be updated to include CMake build instructions.
>>>>>   The Autotools and the Visual Studio build systems have been
>>>>>   removed.
>>>>>
>>>>> Major changes
>>>>> * The built-in LLVM for the bytecode runtime has been removed.
>>>>>   The bytecode interpreter is the default runtime for
>>>>>   bytecode signatures just as it was in ClamAV 0.103.
>>>>>   We hoped to add support for newer versions of LLVM, but ran out
>>>>>   of time. If you're building ClamAV from source and you wish to
>>>>>   use LLVM instead of the bytecode interpreter, you will need to
>>>>>   supply the development libraries for LLVM version 3.6.2. See the
>>>>>   "bytecode runtime" section in INSTALL.md to learn more.
>>>>> * There are now official ClamAV images on Docker Hub.
>>>>>   Docker Hub ClamAV tags:
>>>>>   clamav/clamav:: A release preloaded with signature databases.
>>>>>   Using this container will save the ClamAV project some
>>>>>   bandwidth. Use this if you will keep the image around so that
>>>>>   you don't download the entire database set every time you start
>>>>>   a new container. Updating with FreshClam from the existing
>>>>>   databases set does not use much data.
>>>>>   clamav/clamav:_base: A release with no signature databases.
>>>>>   Use this container only if you mount a volume in your
>>>>>   container under /var/lib/clamav to persist your signature
>>>>>   databases. This method is the best option because it
>>>>>   will reduce data costs for ClamAV and for the Docker registry,
>>>>>   but it does require advanced familiarity with Linux and Docker.
>>>>>   Caution: Using this image without mounting an existing
>>>>>   database directory will cause FreshClam to download the entire
>>>>>   database set each time you start a new container.
>>>>>   You can use the unstable version
>>>>>   (i.e. clamav/clamav:unstable or clamav/clamav:unstable_base) to
>>>>>   try the latest from our development branch.
>>>>>   Please, be kind when using 'free' bandwidth, both for the virus
>>>>>   databases but also the Docker registry. Try not to download the
>>>>>   entire database set or the larger ClamAV database images on a
>>>>>   regular basis.
>>>>>   For more details, see the ClamAV Docker documentation.
>>>>>   Special thanks to Olliver Schinagl for his excellent work
>>>>>   creating ClamAV's new Docker files, image database deployment
>>>>>   tooling, and user documentation.
>>>>> * clamd and freshclam are now available as Windows services. To
>>>>>   install and run them, use the --install-service option and net
>>>>>   start [name] command.
>>>>>   Special thanks to Gianluigi Tiesi for his original work on this
>>>>>   feature.
>>>>>
>>>>> Notable changes
>>>>> The following was added in 0.103.1 and is repeated
>>>>> here for awareness, as patch versions do not generally introduce
>>>>> new options:
>>>>> * Added a new scan option to alert on broken media (graphics)
>>>>>   file formats. This feature mitigates the risk of malformed media
>>>>>   files intended to exploit vulnerabilities in other software. At
>>>>>   present, media validation exists for JPEG, TIFF, PNG and GIF
>>>>>   files. To enable this feature, set AlertBrokenMedia yes in
>>>>>   clamd.conf, or use the --alert-broken-media option when
>>>>>   using clamscan. These options are disabled by default in this
>>>>>   patch release but may be enabled in a subsequent release.
>>>>>   Application developers may enable this scan option by
>>>>>   enabling CL_SCAN_HEURISTIC_BROKEN_MEDIA for the heuristic scan
>>>>>   option bit field.
>>>>> * Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF, PNG
>>>>>   typing behavior. BMP and JPEG 2000 files will continue to detect
>>>>>   as CL_TYPE_GRAPHICS because ClamAV does not yet have BMP or JPEG
>>>>>   2000 format checking capabilities.
>>>>> * Added progress callbacks to libclamav for:
>>>>>   database load: cl_engine_set_clcb_sigload_progress()
>>>>>   engine compile: cl_engine_set_clcb_engine_compile_progress()
>>>>>   engine free: cl_engine_set_clcb_engine_free_progress()
>>>>>   These new callbacks enable an application to monitor and
>>>>>   estimate load, compile, and unload progress. See clamav.h for
>>>>>   API details.
>>>>> * Added progress bars to ClamScan for the signature load and
>>>>>   engine compile steps before a scan begins. The start-up progress
>>>>>   bars won't be enabled if ClamScan isn't running in a terminal
>>>>>   (i.e. stdout is not a TTY), or if any of these options are used:
>>>>>   --debug
>>>>>   --quiet
>>>>>   --infected
>>>>>   --no-summary
>>>>>
>>>>> Other improvements
>>>>> * Added the %f format string option to the
>>>>>   ClamD VirusEvent feature to insert the file path of the scan
>>>>>   target when a virus-event occurs. This supplements the
>>>>>   VirusEvent %v option which prints the signature (virus) name. The
>>>>>   ClamD VirusEvent feature also provides two environment
>>>>>   variables, $CLAM_VIRUSEVENT_FILENAME and
>>>>>   $CLAM_VIRUSEVENT_VIRUSNAME for a similar effect. Patch courtesy
>>>>>   of Vasile Papp.
>>>>> * Improvements to the AutoIt extraction module. Patch courtesy
>>>>>   of cw2k.
>>>>> * Added support for extracting images from Excel *.xls (OLE2)
>>>>>   documents.
>>>>> * Trusted SHA256-based Authenticode hashes can now be loaded in
>>>>>   from *.cat files. For more information, visit our Authenticode
>>>>>   documentation about using *.cat files with *.crb rules to trust
>>>>>   signed Windows executables.
>>>>>
>>>>> Bug fixes
>>>>> * Fixed a memory leak affecting logical signatures that
>>>>>   use the "byte compare" feature. Patch courtesy of Andrea De
>>>>>   Pasquale.
>>>>> * Fixed bytecode match evaluation for PDF bytecode hooks in PDF
>>>>>   file scans.
>>>>> * Other minor bug fixes.
>>>>>
>>>>> Acknowledgments
>>>>> The ClamAV team thanks the following individuals
>>>>> for their code submissions:
>>>>> * Alexander Golovach
>>>>> * Andrea De Pasquale
>>>>> * Andrew Williams
>>>>> * Arjen de Korte
>>>>> * Armin Kuster
>>>>> * Brian Bergstrand
>>>>> * cw2k
>>>>> * Duane Waddle
>>>>> * Gianluigi Tiesi
>>>>> * Jonas Zaddach
>>>>> * Kenneth Hau
>>>>> * Mark Fortescue
>>>>> * Markus Strehle
>>>>> * Olliver Schinagl
>>>>> * Orion Poplawski
>>>>> * Sergey Valentey
>>>>> * Sven Rueß
>>>>> * Tom Briden
>>>>> * Tuomo Soini
>>>>> * Vasile Papp
>>>>> * Yasuhiro Kimura
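
An added example, not part of this thread and not ClamAV project code: a handler script for the ClamD VirusEvent feature described in the forwarded release notes. It reads the two environment variables rather than %f/%v and treats the file name as untrusted input before logging it. The script path, syslog tag, length limits and log field layout are assumptions.

```shell
#!/bin/sh
# Added example: handler for the ClamD VirusEvent feature.
# Assumed clamd.conf entry (the path is hypothetical):
#   VirusEvent /usr/local/sbin/clam-virusevent.sh
# clamd exports CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME, so the
# handler never needs %f or %v substituted into its command line.

# sanitize VALUE MAXLEN
# The file name is chosen by whoever supplied the scanned file, so treat it as
# untrusted: every byte outside printable ASCII (newlines, escape sequences,
# UTF-8 bytes) becomes '?', quotes and backslashes become '_', and the result
# is cut to MAXLEN characters so one event cannot flood the log.
sanitize() {
    printf '%s' "$1" \
        | LC_ALL=C tr -c '[:print:]' '?' \
        | tr '"\\' '__' \
        | cut -c1-"$2"
}

# format_event VIRUSNAME FILENAME -> one key="value" log line
format_event() {
    printf 'signature="%s" file="%s"' \
        "$(sanitize "$1" 128)" "$(sanitize "$2" 512)"
}

if [ -n "${CLAM_VIRUSEVENT_VIRUSNAME:-}" ]; then
    # Called by clamd: write a single syslog record.
    logger -t clam-virusevent -p daemon.warning \
        "$(format_event "$CLAM_VIRUSEVENT_VIRUSNAME" \
                        "${CLAM_VIRUSEVENT_FILENAME:-unknown}")"
else
    # Run by hand: constructed sample with a newline and a quote in the name.
    format_event 'Eicar-Signature' "$(printf '/tmp/a\nb"c')"
    echo
fi
```

Because the values arrive as environment variables and are always expanded inside double quotes, the shell never parses the file name as command text.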