Forums

Subscribe via email Subscribe via email
Subscribe via rss
Guest
or Ask a Question
Add a reply View Replies (9) →
Alan Cooper
Alan Cooper
Offline
Issue

Critical CVE found in ClamAV

Resolved
0 votes
It looks like ClamAV have notified users of two new vulnerabilities in ClamAV. CVE-2023-20032 has been rated as critical with a score of 9.8/10. CVE-2023-20052 is not so important and is rated as medium.

If Clearos is no longer getting security updates what is the best course of action? Stop scanning emails and files for viruses at all and remove ClamAV or keep going with ClamAV knowing that one hostile file attached to an email or downloaded to your system and scanned can compromise your system. It is not a good choice either way.
In Mail Antivirus
Thursday, February 16 2023, 05:09 PM
Like
2
Subscribe via email
Share this post:
Responses (9)

  • Accepted Answer

    Alan Cooper
    Alan Cooper
    Offline
    Sunday, February 19 2023, 09:50 AM - #Permalink
    Resolved
    0 votes
    If you install from EPEL I am 99.99999999999999999999999999999% sure you'll break things. It will probably install OK but bits of ClearOS will break. That is why a separate version is (was!) maintained by ClearOS.
    The reply is currently minimized Show

  • Accepted Answer

    Patrick de Brabander
    Patrick de Brabander
    Offline
    Sunday, February 19 2023, 08:51 AM - #Permalink
    Resolved
    0 votes
    Alan Cooper wrote:

    If only we could use the EPEL version. Sigh!


    Is it maybe possible to make a package from source ?

    or just install the .rpm from epel?

    Alan Cooper wrote:

    If only we could use the EPEL version. Sigh!


    Is it maybe possible to make a package from source ?

    or just install the .rpm from epel?

    Download latest epel-release rpm from
    
http://download-ib01.fedoraproject.org/pub/epel/7/x86_64/
    
Install epel-release rpm:
    
# rpm -Uvh epel-release*rpm
    
Install clamav rpm package:
    
# yum install clamav
    Attachments:
    The reply is currently minimized Show

  • Accepted Answer

    Alan Cooper
    Alan Cooper
    Offline
    Saturday, February 18 2023, 09:36 PM - #Permalink
    Resolved
    0 votes
    If only we could use the EPEL version. Sigh!
    Like
    1
    The reply is currently minimized Show

  • Accepted Answer

    nuke
    nuke
    Offline
    Saturday, February 18 2023, 02:54 PM - #Permalink
    Resolved
    0 votes
    Alan Cooper wrote:

    ClamAV is a ClearOS maintained package. ClearOS does not use the upstream version.

    That is unfortunate.
    BTW, the update to 0.103.8 is in epel-testing now.
    The reply is currently minimized Show

  • Accepted Answer

    Alan Cooper
    Alan Cooper
    Offline
    Thursday, February 16 2023, 09:42 PM - #Permalink
    Resolved
    0 votes
    ClamAV is a ClearOS maintained package. ClearOS does not use the upstream version.
    The reply is currently minimized Show

  • Accepted Answer

    nuke
    nuke
    Offline
    Thursday, February 16 2023, 08:50 PM - #Permalink
    Resolved
    0 votes
    BTW, the most recent version in the Centos 7 repo is 0.103.7v1 so we can't update to the new security patch release today even if we could.
    The reply is currently minimized Show

  • Accepted Answer

    nuke
    nuke
    Offline
    Thursday, February 16 2023, 06:24 PM - #Permalink
    Resolved
    0 votes
    FYI ClearOS 7 is on 0.103.6-1.v7 > we need 0.103.8 but I'm not sure where to find this if it exists already.

    yum list clamav --showduplicates
    
Loaded plugins: clearcenter-marketplace, fastestmirror
    
ClearCenter Marketplace: fetching repositories...
    
Loading mirror speeds from cached hostfile
    
 * clearos: mirror1-newyork.clearos.com
    
 * clearos-centos: download4.clearsdn.com
    
 * clearos-centos-sclo-rh: download4.clearsdn.com
    
 * clearos-centos-updates: download4.clearsdn.com
    
 * clearos-contribs: mirror1-newyork.clearos.com
    
 * clearos-contribs-paid: mirror1-newyork.clearos.com
    
 * clearos-epel: download4.clearsdn.com
    
 * clearos-fast-updates: download4.clearsdn.com
    
 * clearos-infra: mirror1-newyork.clearos.com
    
 * clearos-paid: mirror1-newyork.clearos.com
    
 * clearos-updates: mirror1-newyork.clearos.com
    
 * private-clearcenter-plex: download1.clearsdn.com:80
    
Installed Packages
    
clamav.x86_64                                            0.103.6-1.v7                                            @clearos-updates
    
Available Packages
    
clamav.x86_64                                            0.103.6-1.v7                                            clearos-updates
    The reply is currently minimized Show

  • Accepted Answer

    nuke
    nuke
    Offline
    Thursday, February 16 2023, 05:59 PM - #Permalink
    Resolved
    0 votes
    Patrick de Brabander wrote:

    Alan,

    I don't think we will get an update nor reply on this

    While I agree with you, I think for all the people who are still paying for support, a critical update should be provided.

    If Clear does nothing, can we figure out how to pull this from the Redhat or Centos repos or clamav github and update?
    The reply is currently minimized Show

  • Accepted Answer

    Patrick de Brabander
    Patrick de Brabander
    Offline
    Thursday, February 16 2023, 05:49 PM - #Permalink
    Resolved
    1 votes
    Alan,

    I don't think we will get an update nor reply on this
    The reply is currently minimized Show
Your Reply