---
- branch: MAIN
  date: Thu May 5 00:44:07 UTC 2022
  files:
  - new: '1.84'
    old: '1.83'
    path: pkgsrc/security/clamav/Makefile
    pathrev: pkgsrc/security/clamav/Makefile@1.84
    type: modified
  - new: '1.23'
    old: '1.22'
    path: pkgsrc/security/clamav/Makefile.common
    pathrev: pkgsrc/security/clamav/Makefile.common@1.23
    type: modified
  - new: '1.16'
    old: '1.15'
    path: pkgsrc/security/clamav/buildlink3.mk
    pathrev: pkgsrc/security/clamav/buildlink3.mk@1.16
    type: modified
  - new: '1.42'
    old: '1.41'
    path: pkgsrc/security/clamav/distinfo
    pathrev: pkgsrc/security/clamav/distinfo@1.42
    type: modified
  id: 20220505T004407Z.fd9b784f65c8624993149aa64a56ce29e985ea49
  log: |
    security/clamav: update to 0.103.6

    0.103.6 (2022-05-04)

    ClamAV 0.103.6 is a critical patch release with the following fixes:

    - [CVE-2022-20770](CVE-2022-20770): Fixed a possible infinite loop vulnerability
      in the CHM file parser.
      Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and
      prior versions.
      Thank you to Michał Dardas for reporting this issue.

    - [CVE-2022-20796](CVE-2022-20796): Fixed a possible NULL-pointer dereference
      crash in the scan verdict cache check.
      Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2.
      Thank you to Alexander Patrakov and Antoine Gatineau for reporting this issue.

    - [CVE-2022-20771](CVE-2022-20771): Fixed a possible infinite loop vulnerability
      in the TIFF file parser.
      Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and
      prior versions.
      The issue only occurs if the "--alert-broken-media" ClamScan option is
      enabled. For ClamD, the affected option is "AlertBrokenMedia yes", and for
      libclamav it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option.
      Thank you to Michał Dardas for reporting this issue.

    - [CVE-2022-20785](CVE-2022-20785): Fixed a possible memory leak in the
      HTML file parser / Javascript normalizer.
      Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and
      prior versions.
      Thank you to Michał Dardas for reporting this issue.

    - [CVE-2022-20792](CVE-2022-20792): Fixed a possible multi-byte heap buffer
      overflow write vulnerability in the signature database load module.
      The fix was to update the vendored regex library to the latest version.
      Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and
      prior versions.
      Thank you to Michał Dardas for reporting this issue.

    - ClamOnAcc: Fixed a number of assorted stability issues and added niceties for
      debugging ClamOnAcc. Patches courtesy of Frank Fegert.

    - Fixed an issue causing byte-compare subsignatures to cause an alert when they
      match even if other conditions of the given logical signatures were not met.

    - Fix memleak when using multiple byte-compare subsignatures.
      This fix was backported from 0.104.0.
      Thank you to Andrea De Pasquale for contributing the fix.

    - Assorted bug fixes and improvements.

    Special thanks to the following people for code contributions and bug reports:
    - Alexander Patrakov
    - Andrea De Pasquale
    - Antoine Gatineau
    - Frank Fegert
    - Michał Dardas
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/clamav'
  unixtime: '1651711447'
  user: taca