diff --git a/clamav-clean.sh b/clamav-clean.sh index 8c95110..6379c3f 100755 --- a/clamav-clean.sh +++ b/clamav-clean.sh @@ -1,4 +1,4 @@ -VERSION=0.102.3 +VERSION=0.102.4 NAME=clamav TARBALL_CLEAN=${NAME}-${VERSION}-norar.tar.xz TARBALL=${NAME}-${VERSION}.tar.gz diff --git a/clamav.spec b/clamav.spec index 869f4b2..d19ace4 100644 --- a/clamav.spec +++ b/clamav.spec @@ -40,7 +40,7 @@ Summary: End-user tools for the Clam Antivirus scanner Name: clamav -Version: 0.102.3 +Version: 0.102.4 Release: 1%{?dist} License: %{?with_unrar:proprietary}%{!?with_unrar:GPLv2} URL: https://www.clamav.net/ @@ -322,6 +322,8 @@ install -D -m 0644 -p %SOURCE12 $RPM_BUILD_ROOT%homedir/bytecode.cvd ## prepare the clamd-files install -D -m 0644 -p %SOURCE3 _doc_server/clamd.logrotate install -D -m 0644 -p %SOURCE5 _doc_server/README +## Fixup URL for EPEL +%{?epel:sed -i -e s/product=Fedora/product=Fedora%20EPEL/ _doc_server/README} install -D -p -m 0644 %SOURCE100 $RPM_BUILD_ROOT%_unitdir/clamonacc.service @@ -615,9 +617,16 @@ fi %changelog +* Fri Jul 17 2020 Orion Poplawski - 0.102.4-1 +- Update to 0.102.4 (bz#1857867,1858262,1858263,1858265,1858266) +- Security fixes CVE-2020-3327 CVE-2020-3350 CVE-2020-3481 + +* Thu May 28 2020 Orion Poplawski - 0.102.3-2 +- Update clamd README file (bz#1798369) + * Thu May 14 2020 Orion Poplawski - 0.102.3-1 - Update to 0.102.3 (bz#1834910) -- Security fixes CVE-2020-3341 +- Security fixes CVE-2020-3327 CVE-2020-3341 * Sat May 02 2020 Orion Poplawski - 0.102.2-9 - Add upstream patch to fix "Attempt to allocate 0 bytes" errors while scanning diff --git a/clamd-README b/clamd-README index 1399542..1eb00ef 100644 --- a/clamd-README +++ b/clamd-README 
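Review bot: In the clamav.spec hunk at `@@ -322,6 +322,8 @@`, the added `%{?epel:sed -i -e s/product=Fedora/product=Fedora%20EPEL/ _doc_server/README}` exits successfully even when the pattern matches nothing. If the bug-report URL in clamd-README is reworded later, EPEL builds would ship the Fedora link with no build error. I would quote the sed expression and follow it with a check such as `%{?epel:grep -q 'product=Fedora%20EPEL' _doc_server/README}`, which should stop the build, assuming the scriptlet runs under the usual `sh -e`. The bare `%20` sits inside a macro body and presumably passes through only because no macro of that name is defined, so `%%20` may be the safer spelling; confirm against the rpm version in use. The %install section continues outside the hunk.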
@@ -1,18 +1,16 @@ -To create individual clamd-instance take the following files and -modify/copy them in the suggested way: + By default, clamd provides a general "scan" service that requires minimal +configuration. To configure, edit /etc/clamd/scan.conf and: -/etc/clamd/scan.conf: - * set LocalSocket for localhost access or TCPSocket for network access - and User to suitable values. Logging through syslog is usually better than an individual - Logfile. - * place this file into /etc/clamd.d with an unique service-name; - e.g. as /etc/clamd.d/.conf + * set LocalSocket for localhost access or TCPSocket for network access. - When using TCPSocket, create iptables rules which are limiting the - access by source and/or by using '-m owner'. + Default configuration will: + + * Log to syslog + * Run as the user "clamscan" When LogFile feature is wanted, it must be writable for the assigned - User. Recommended way to reach this, is to: +User. The recommended way is to: + * make it owned by the User's *group* * assign at least 0620 (u+rw,g+w) permissions 
@@ -22,34 +20,41 @@ modify/copy them in the suggested way: | # chmod 0620 | # restorecon - NEVER use 'clamav' as the user since he can modify the database. - This is the user who is running the application; e.g. for mimedefang - (http://www.roaringpenguin.com/mimedefang), the user might be - 'defang'.Theoretically, distinct users could be used, but it must be - made sure that the application-user can write into the socket-file, - and that the clamd-user can access the files asked by the - application to be checked. + NEVER use 'clamav' as the user since it can modify the database. This is +the user who is running the application; e.g. for mimedefang +(http://www.roaringpenguin.com/mimedefang), the user might be 'defang'. +Theoretically, distinct users could be used, but it must be made sure that +the application-user can write into the socket-file, and that the clamd-user +can access the files asked by the application to be checked. + + The default service can be enabled and started with: + + systemctl enable clamd@scan.service + systemctl start clamd@scan.service + + To create other individual clamd-instances take the following files in +/usr/share/doc/clamd/ and modify/copy them in the suggested way: + +clamd.conf, copy to /etc/clamd.d/.conf + * Change as to match name of config file + * Any other changes as noted above clamd.logrotate: (only when LogFile feature is used) * set the correct value for the logfile * place it into /etc/logrotate.d -clamd@.service: (systemd instance) - * instance of clamd@.service - -Additionally, when using LocalSocket instead of TCPSocket, the directory -for the socket file must be created. For tmpfiles based systems, you -might want to create a file /etc/tmpfiles.d/clamd..conf -with a content of + Additionally, when using LocalSocket instead of TCPSocket, the directory +for the socket file must be created. For tmpfiles based systems, you might +want to create a file /etc/tmpfiles.d/clamd..conf with a content of | d /run/clamd. 
-Adjust (0710 should suffice for most cases) and + -so that the socket can be accessed by clamd and by the applications -using clamd. Make sure that the socket is not world accessible; else, -DOS attacks or worse are trivial. + Adjust (0710 should suffice for most cases) and + +so that the socket can be accessed by clamd and by the applications using +clamd. Make sure that the socket is not world accessible; else, DOS attacks +or worse are trivial. -After emulating these steps by hand (or else rebooting), you still need set + After emulating these steps by hand (or else rebooting), you still need set SELinux: chcon -t clamd_var_run_t /run/clamd. @@ -65,9 +70,15 @@ and also maybe this one (I need to confirm that is obsolete) setsebool -P antivirus_use_jit 1 + The new service can be enabled and started with: + + systemctl enable clamd@.service + systemctl start clamd@.service + + [Disclaimer: this file and the script/configfiles are not part of the official clamav package. Please send complaints and comments to - https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=clamav] + https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=clamav] diff --git a/sources b/sources index 7120900..45995f5 100644 --- a/sources +++ b/sources 
@@ -1,4 +1,4 @@
-SHA512 (clamav-0.102.3-norar.tar.xz) = edf7c8405159c5230331e410d45208770b3fa7d4763990dffec20dd2842c92624dcc1ee1ec455e09b61632c2023a4046b8fd73b64baa9babfa4505da6cca9f4a
+SHA512 (clamav-0.102.4-norar.tar.xz) = 202bf77edac1c6880b51981ef2508b90b935f9da62d235620ca457eaaa613ef3f1ac48ea3908f53bbc1a10cf204d9973cbe447cb2d96c1724b68eb3ef8cf4b80
 SHA512 (bytecode-331.cvd) = 41957106337cb28fd0eb6459bd70ab23b4ce218b3691d592e0f1bc14841696b36b1fbbc4feaef64f7b572b6cbe400f5d44fc4efedd07afe37921a9044a1a8f53
-SHA512 (daily-25811.cvd) = 938bf443d59cbb946aefcd2eabfdb856c8cd6f98ec54f1f8c62fe0633e136e56ca20024ecfb04606e4a5265a5a83d86a76819e66d51e948d8a81cbdcabd5226d
+SHA512 (daily-25876.cvd) = dd3ae3b1a95976014adeacf63574b7662212668676b0fc6a6d6f52bbb3c576e0c6e1188d6e8431ddd8da787e71de6d2e5ac25cfce9e824f41d7c271f16bcba9d
 SHA512 (main-59.cvd) = c01792bdb9e07889af04ead91ba49f440cd4510b81b1c83bdfb10c65f099cf29416699f5485cc13b07c4d24195c81abc0b1c4439f5ba6d5d391b7406ba9fe26c