[CPANEL-29016] ClamAV patch for non-recursive zip bombs
Hey, cPanel.
ClamAV 0.101.3 is a patch release to address a vulnerability to non-recursive zip bombs. When can we expect to see this release rolled out to cPanel servers?
Information here: ClamAV 0.101.3 security patch release and 0.102.0-beta have been published
And here: Bug 12356 - ZIP bomb causes extreme CPU spikes
Currently, my CL 7 system has "ClamAV 0.101.2/25540/Tue Aug 13 04:16:47 2019" installed.
Hello :) Internal case CPANEL-28735 is open to publish an updated ClamAV version with cPanel & WHM. I'll monitor this case and update this thread with more information as it becomes available. In the meantime, you can temporarily disable ClamAV by uninstalling it via the WHM >> Manage Plugins interface. Once it's uninstalled, you'll need to execute the following command to avoid the issue described on Thank you.
Hi, Michael. It is unnecessary to remove ClamAV. To mitigate the issue pending the new version being rolled out, users can disable scanning archives:
* Use your favourite editor to open /usr/local/cpanel/3rdparty/etc/clamd.conf;
* Find the "ScanArchive" option in the file and create an entry: ScanArchive no;
* Save the configuration file;
* Restart ClamAV - /scripts/restartsrv_clamd.
Once the new version is rolled out, users can visit the clamd.conf file again and undo their changes to enable scanning archives again. I hope this helps, trane
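The mitigation steps in the post above, scripted so the edit is repeatable and reversible. This is an added example, not part of the original thread or cPanel's tooling; the helper names `set_scan_archive` and `scan_archive_state` are hypothetical and the sample config is constructed.

```shell
#!/bin/sh
# Added example. set_scan_archive and scan_archive_state are hypothetical helper
# names; the config path and restart script are the ones named in the post.

# set_scan_archive FILE yes|no
# Leaves exactly one active "ScanArchive <value>" line in FILE and keeps a
# timestamped backup next to it.
set_scan_archive() {
    conf=$1
    value=$2
    case $value in
        yes|no) ;;
        *) echo "value must be yes or no" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # Rewrite the first ScanArchive line (active or commented out), drop any
    # later duplicates, and append the directive if the file never had it.
    awk -v v="$value" '
        /^[ \t]*#?[ \t]*ScanArchive[ \t]+[A-Za-z0-9]+[ \t]*$/ {
            if (!done) { print "ScanArchive " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print "ScanArchive " v }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat into the original so its owner and permissions are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# scan_archive_state FILE: print the value of each active ScanArchive line.
scan_archive_state() {
    awk '/^[ \t]*ScanArchive[ \t]/ { print $2 }' "$1"
}

# Constructed sample config, so this runs without touching a real server.
demo_dir=$(mktemp -d)
printf '%s\n' 'LogSyslog yes' '#ScanArchive yes' 'ScanPE yes' > "$demo_dir/clamd.conf"
set_scan_archive "$demo_dir/clamd.conf" no
echo "ScanArchive is now: $(scan_archive_state "$demo_dir/clamd.conf")"
rm -rf "$demo_dir"

# On a cPanel server the equivalent would be:
#   set_scan_archive /usr/local/cpanel/3rdparty/etc/clamd.conf no
#   /scripts/restartsrv_clamd
```

Calling the same function with `yes` after the patched ClamAV is installed re-enables archive scanning, matching the undo step in the post.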
Lauren, Respectfully, this should be backported to all supported versions. This particular vulnerability is not widely being discussed and there are going to be many, many servers out there with admins who will simply be unaware of their servers' vulnerability to this exploit.
Hello @Trane Francks, I've reported cPanel & WHM versions 78 and 82 as affected versions in the new case referenced in my last response (CPANEL-29016). I'll let you know any planned updates to version 78 (the supported LTS version) as soon as that information is available. Thank you.
Is there a reason why 78 isn't getting this patch? I know it's trivial to mitigate against, but shouldn't your LTS build receive all security fixes?
Internal case CPANEL-29016 is now tentatively marked for backport to version 78. I don't have a firm time frame to share, but I'll update this thread with new information as soon as it's available. Thank you. Update: There are no plans to backport this update to cPanel & WHM version 78.
sorry, wrong thread
Hello :) This was solved several months ago so we're going to go ahead and archive this. Please open a new thread if you have any additional questions. Thanks!