ClamAV update 1.0.8 -> 1.0.9

oetiker
Outstanding Member
Posts: 369
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 10.1.5.GA.4655.UBUNTU22_64

ClamAV update 1.0.8 -> 1.0.9

Post by oetiker »

Hi

Zimbra 10 still runs ClamAV 1.0.8 (ZBUG-5100, Clam-av has critical vulnerabilities)

https://blog.clamav.net/2025/06/clamav- ... patch.html

Code:

zimbra-clamav                              1.0.8-1zimbra8.8b4.22.04     ClamAV Binaries

should be updated to 1.0.9 since June 18, 2025

Has anyone created a patch for Zimbra 1.10.12? It does not look like Zimbra is fixing it...

Manuel
adrian.gibanel.btactic
Outstanding Member
Posts: 506
Joined: Thu Jan 30, 2014 11:13 am

Re: ClamAV update 1.0.8 -> 1.0.9

Post by adrian.gibanel.btactic »

oetiker wrote: Mon Oct 20, 2025 3:17 pm
Hi

Zimbra 10 still runs ClamAV 1.0.8 (ZBUG-5100, Clam-av has critical vulnerabilities)

Code:

zimbra-clamav                              1.0.8-1zimbra8.8b4.22.04     ClamAV Binaries

should be updated to 1.0.9 since June 18, 2025

https://blog.clamav.net/2025/06/clamav- ... patch.html

> The max file-size scan limit is set greater than or equal to 1024MB.
> The max scan-size scan limit is set greater than or equal to 1025MB.

1 GiB seems a very high limit for received emails.
Are those settings set as high in Zimbra by default?
I have no idea what the equivalent settings in Zimbra are, to be honest.
ghen
Outstanding Member
Posts: 389
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium

Re: ClamAV update 1.0.8 -> 1.0.9

Post by ghen »

Zimbra's clamd.conf.in sets:

Code:

MaxFileSize %%zimbraMtaMaxMessageSize%%
MaxScanSize %%zimbraMtaMaxMessageSize%%

where zimbraMtaMaxMessageSize is configurable but defaults to 10 MB.

(But even a 10 MB message could contain a compression bomb attachment that unpacks to a huge file.)
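
Added example, not part of any post in this thread: a shell check that reads the two options from a rendered clamd.conf and compares them with the limits quoted from the ClamAV advisory above. The function names and the sample values are constructed for illustration; it assumes sizes are plain bytes or carry a K/M suffix (1M = 1048576 bytes), and the path to your rendered clamd.conf is passed as the argument.

```shell
#!/bin/sh
# Added example: compare a rendered clamd.conf with the advisory's two limits.

# Convert a clamd.conf size (plain bytes, or K/M suffix) to bytes.
to_bytes() {
    case "$1" in
        *[Kk]) n=${1%?}; mult=1024 ;;
        *[Mm]) n=${1%?}; mult=1048576 ;;
        *)     n=$1; mult=1 ;;
    esac
    case "$n" in ''|*[!0-9]*) return 1 ;; esac   # missing or odd value: refuse to guess
    echo $((n * mult))
}

# First uncommented value of option $2 in config file $1.
conf_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Prints "meets" (both limits reach the quoted thresholds), "below", or
# "unknown" (option absent or unparseable, so a built-in default applies).
check_limits() {
    fs=$(to_bytes "$(conf_value "$1" MaxFileSize)") || { echo unknown; return 0; }
    ss=$(to_bytes "$(conf_value "$1" MaxScanSize)") || { echo unknown; return 0; }
    if [ "$fs" -ge $((1024 * 1048576)) ] && [ "$ss" -ge $((1025 * 1048576)) ]; then
        echo meets
    else
        echo below
    fi
}

# Constructed sample config: both options rendered from one value, as in the
# template above.
sample_conf() {
    printf 'MaxFileSize %s\nMaxScanSize %s\n' "$1" "$2"
}

tmp=$(mktemp)
sample_conf 10240000 10240000 > "$tmp"      # constructed: roughly a 10 MB limit
echo "10 MB message limit: $(check_limits "$tmp")"
sample_conf 1024M 2048M > "$tmp"            # constructed: limits raised by an admin
echo "1024M / 2048M:       $(check_limits "$tmp")"
rm -f "$tmp"
```

A "below" result only says the two quoted thresholds are not reached; it says nothing about the compression-bomb case mentioned above.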
oetiker
Outstanding Member
Posts: 369
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 10.1.5.GA.4655.UBUNTU22_64

[solved] ClamAV update 1.0.8 -> 1.0.9

Post by oetiker »

Zimbra Daffodil (v10.1.13) Patch Release

Package Upgrade
The ClamAV package has been upgraded from 1.0.8 to 1.4.3

So this is fixed.
halfgaar
Outstanding Member
Posts: 250
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 22.04, Maldua/Btactic FOSS

Re: ClamAV update 1.0.8 -> 1.0.9

Post by halfgaar »

ClamAV is really a liability at this point. Disabling it is safer. I mean, this (https://www.cve.org/CVERecord?id=CVE-2025-20260) is a zero-click hack: just send someone a PDF. The chance of that happening is a lot higher than me opening a virus. In fact, I've been getting all sorts of PDF attachments as spam for a few weeks now. Now I know why.

To disable:

Code:

zmprov ms $(zmhostname) -zimbraServiceEnabled antivirus
zmcontrol restart # (or perhaps reboot)

To test if it's really off, you can send yourself an EICAR. Actually sending one may require a Postfix server somewhere. I do the following:

Have a file 'eicarbody.eml':

Code:


------=_Part_29448_2072652119.1762457578183
Content-Type: multipart/alternative; 
        boundary="=_6d43d7cf-6dd2-40c5-91c7-0c0a5486b5da"

--=_6d43d7cf-6dd2-40c5-91c7-0c0a5486b5da
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

asdf 

--=_6d43d7cf-6dd2-40c5-91c7-0c0a5486b5da
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html><body><div style="font-family: Arial; font-size: 12pt; color: #000000"><div>asdf</div></div></body></html>
--=_6d43d7cf-6dd2-40c5-91c7-0c0a5486b5da--

------=_Part_29448_2072652119.1762457578183
Content-Type: text/plain; name=eicar.txt
Content-Disposition: attachment; filename=eicar.txt
Content-Transfer-Encoding: base64

WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNU
LUZJTEUhJEgrSCoK
------=_Part_29448_2072652119.1762457578183--

Send with:

Code:

cat eicarbody.eml | mail -a 'From: me@example.com' -a 'Content-Type: multipart/mixed; boundary="----=_Part_29448_2072652119.1762457578183"' -s 'eicar attachment' me@example.com

Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.
halfgaar
Outstanding Member
Posts: 250
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 22.04, Maldua/Btactic FOSS

Re: ClamAV update 1.0.8 -> 1.0.9

Post by halfgaar »

Note BTW: as an open source user, updating your packages may be difficult. See "IMPORTANT: DO NOT let system package manger update zimbra-jetty-distribution w/o 10.1.13".

I just tried upgrading clamav stuff only, but it's now broken because it also requires a newer openssl. But I'll wait with that until I have an updated Zimbra FOSS installer.