Be careful with ClamAV

[fabian]

There are several vulnerabilities:
http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

Heise (german) has an article about it: https://www.heise.de/security/meldung/Jetzt-patchen-Angriffe-auf-Viren-Scanner-ClamAV-3951801.html

[PCServices]

I'm not seeing an update available through the 'Check for Updates'

[franco]

There won't be an update this week. Impossible timing. At work the secondary ClamAV signature fail caused worldwide issues so there was no time do deal with any of the actual updates yet...

http://lists.clamav.net/pipermail/clamav-users/2018-January/005722.html

Also note that ClamAV is not part of our core distribution.

The update hit the ports tree now: https://github.com/opnsense/ports/commit/46134d255

If anyone cares to upgrade *if* they use the os-clamav plugin:

# opnsense-code tools ports
# cd /usr/ports/security/clamav
# make
# make deinstall
# make install


Cheers,
Franco

[PCServices]

Thanks Franco.

It required gmake to be installed but, once done, it installed.

[lattera]

Keep in mind that because the OPNsense Core Team has intelligently put security first by incorporating ASLR and SafeStack from HardenedBSD that attackers will likely have an extremely difficult time exploiting these vulnerabilities. Patching is still important (I'd say critical), but HardenedBSD's enhancements drive up the economic cost for attackers and help prevent successful exploitation.

[fabian]

@lattera: sure but DoS is still an issue...