clamav: Update to version 1.5.1

- Update from version 1.4.3 to 1.5.1
- Update of rootfile
- From version 1.5.0 clamav added signing/verification of the signature file downloads
   with external .sign files. -D CVD_CERTS_DIRECTORY=/etc/clamav/certs has been added
   as a build option to create the certs directory and to install the clamav.crt file
- Tested out the execution of this version on a vm testbed. The .sign files were
   correctly downloaded and the databases approved. This was also the case with a
   reboot. This was where users had a problem with the version relaesed in CU199 after
   they had manually created a directory.
- Changelog
1.5.1
ClamAV 1.5.1 is a patch release with the following fixes:

  *
Fixed a significant performance issue when scanning some PE files
  *
Fixed an issue recording file entries from a ZIP archive central directory which resulted in "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the ClamScan --alert-exceeds-max command line option or ClamD AlertExceedsMax config file option
  *
Improved performance when scanning TNEF email attachments
  *
Fixed an issue with recording metadata for OOXML office documents
  *
Fixed an issue with signature matches for VBA in OLE2 office documents
  *
Loosened overly restrictive rules for embedded file identification and increased the limit for finding PE files embedded in other PE files
  *
Fixed an issue with extracting some RAR archives embedded in other files
  *
Fixed an issue with calculating fuzzy hashes affecting some images by updating the version for several Rust library dependencies
     *   This release does not require a newer version of the Rust compiler toolchain than what was required for ClamAV 1.5.0

GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1606>

1.5.0
Major changes

  *
Added checks to determine if an OLE2-based Microsoft Office document is encrypted.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1295>
  *
Added the ability to record URIs found in HTML if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record HTML URIs. The ClamScan command-line option is --json-store-html-uris=no. The clamd.conf config option is JsonStoreHTMLURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_HTML_URIS
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1281>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1482>
GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1514>
  *
Added the ability to record URIs found in PDFs if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record PDF URIs. The ClamScan command-line option is --json-store-pdf-uris=no. The clamd.conf config option is JsonStorePDFURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_PDF_URIS
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1482>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1514>
GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1559>
GitHub pull request #4<https://github.com/Cisco-Talos/clamav/pull/1572>
  *
Added regex support for the clamd.conf OnAccessExcludePath config option. This change courtesy of GitHub user b1tg.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1314>
  *
Added CVD signing/verification with external .sign files.
Freshclam will now attempt to download external signature files to accompany existing .cvd databases and .cdiff patch files. Sigtool now has commands to sign and verify using the external signatures.
ClamAV now installs a 'certs' directory in the app config directory (e.g., <prefix>/etc/certs). The install path is configurable. The CMake option to configure the CVD certs directory is -D CVD_CERTS_DIRECTORY=PATH
New options to set an alternative CVD certs directory:
Added two new APIs to the public clamav.h header:

cl_error_t cl_cvdverify_ex(
    const char *file,
    const char *certs_directory,
    uint32_t dboptions);

cl_error_t cl_cvdunpack_ex(
    const char *file,
    const char *dir,
    const char *certs_directory,
    uint32_t dboptions);

The original cl_cvdverify and cl_cvdunpack are deprecated.
Added a cl_engine_field enum option CL_ENGINE_CVDCERTSDIR. You may set this option with cl_engine_set_str and get it with cl_engine_get_str, to override the compiled in default CVD certs directory.
Thank you to Mark Carey at SAP for inspiring work on this feature with an initial proof of concept for external-signature FIPS compliant CVD signing.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1417>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1478>
GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1489>
GitHub pull request #4<https://github.com/Cisco-Talos/clamav/pull/1491>
     *   The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is --cvdcertsdir PATH
     *   The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is CVD_CERTS_DIR
     *   The config option for Freshclam and ClamD is CVDCertsDirectory PATH
  *
Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like limits disabling MD5 and SHA1 from being used for verifying digital signatures or for being used to trust a file when checking for false positives (FPs).
For freshclam.conf and clamd.conf set this config option:

FIPSCryptoHashLimits yes

For clamscan and sigtool use this command-line option:

--fips-limits

For libclamav: Enable FIPS-limits for a ClamAV engine like this:

cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1);

ClamAV will also attempt to detect if FIPS-mode is enabled. If so, it will automatically enable the FIPS-limits feature.
This change mitigates safety concerns over the use of MD5 and SHA1 algorithms to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments.
Note: ClamAV may still calculate MD5 or SHA1 hashes as needed for detection purposes or for informational purposes in FIPS-enabled environments and when the FIPS-limits option is enabled.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
  *
Upgraded the clean-file scan cache to use SHA2-256 (prior versions use MD5). The clean-file cache algorithm is not configurable.
This change resolves safety concerns over the use of MD5 to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1532>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1560>
  *
ClamD: Added an option to disable select administrative commands including SHUTDOWN, RELOAD, STATS and VERSION.
The new clamd.conf options are:

EnableShutdownCommand yes
EnableReloadCommand yes
EnableStatsCommand yes
EnableVersionCommand yes

This change courtesy of GitHub user ChaoticByte.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1502>
  *
libclamav: Added extended hashing functions with a "flags" parameter that allows the caller to choose if they want to bypass FIPS hash algorithm limits:

cl_error_t cl_hash_data_ex(
    const char *alg,
    const uint8_t *data,
    size_t data_len,
    uint8_t **hash,
    size_t *hash_len,
    uint32_t flags);

cl_error_t cl_hash_init_ex(
    const char *alg,
    uint32_t flags,
    cl_hash_ctx_t **ctx_out);

cl_error_t cl_update_hash_ex(
    cl_hash_ctx_t *ctx,
    const uint8_t *data,
    size_t length);

cl_error_t cl_finish_hash_ex(
    cl_hash_ctx_t *ctx,
    uint8_t **hash,
    size_t *hash_len,
    uint32_t flags);

void cl_hash_destroy(void *ctx);

cl_error_t cl_hash_file_fd_ex(
    const char *alg,
    int fd,
    size_t offset,
    size_t length,
    uint8_t **hash,
    size_t *hash_len,
    uint32_t flags);

GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
  *
ClamScan: Improved the precision of the bytes-scanned and bytes-read counters. The ClamScan scan summary will now report exact counts in "GiB", "MiB", "KiB", or "B" as appropriate. Previously, it always reported "MB".
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
  *
ClamScan: Add hash & file-type in/out CLI options:
We will not be adding this for ClamDScan, as we do not have a mechanism in the ClamD socket API to receive scan options or a way for ClamD to include scan metadata in the response.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
     *   --hash-hint: The file hash so that libclamav does not need to calculate it. The type of hash must match the --hash-alg.
     *   --log-hash: Print the file hash after each file scanned. The type of hash printed will match the --hash-alg.
     *   --hash-alg: The hashing algorithm used for either --hash-hint or --log-hash. Supported algorithms are "md5", "sha1", "sha2-256". If not specified, the default is "sha2-256".
     *   --file-type-hint: The file type hint so that libclamav can optimize scanning (e.g., "pe", "elf", "zip", etc.). You may also use ClamAV type names such as "CL_TYPE_PE". ClamAV will ignore the hint if it is not familiar with the specified type. See also: https://docs.clamav.net/appendix/FileTypes.html#file-types
     *   --log-file-type: Print the file type after each file scanned.
  *
libclamav: Added new scan functions that provide additional functionality:

cl_error_t cl_scanfile_ex(
    const char *filename,
    cl_verdict_t *verdict_out,
    const char **last_alert_out,
    uint64_t *scanned_out,
    const struct cl_engine *engine,
    struct cl_scan_options *scanoptions,
    void *context,
    const char *hash_hint,
    char **hash_out,
    const char *hash_alg,
    const char *file_type_hint,
    char **file_type_out);

cl_error_t cl_scandesc_ex(
    int desc,
    const char *filename,
    cl_verdict_t *verdict_out,
    const char **last_alert_out,
    uint64_t *scanned_out,
    const struct cl_engine *engine,
    struct cl_scan_options *scanoptions,
    void *context,
    const char *hash_hint,
    char **hash_out,
    const char *hash_alg,
    const char *file_type_hint,
    char **file_type_out);

cl_error_t cl_scanmap_ex(
    cl_fmap_t *map,
    const char *filename,
    cl_verdict_t *verdict_out,
    const char **last_alert_out,
    uint64_t *scanned_out,
    const struct cl_engine *engine,
    struct cl_scan_options *scanoptions,
    void *context,
    const char *hash_hint,
    char **hash_out,
    const char *hash_alg,
    const char *file_type_hint,
    char **file_type_out);

The older cl_scan*() functions are now deprecated and may be removed in a future release. See clamav.h for more details.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
  *
libclamav: Added a new engine option to toggle temp directory recursion.
Temp directory recursion is the idea that each object scanned in ClamAV's recursive extract/scan process will get a new temp subdirectory, mimicking the nesting structure of the file.
Temp directory recursion was introduced in ClamAV 0.103 and is enabled whenever --leave-temps / LeaveTemporaryFiles is enabled.
In ClamAV 1.5, an application linking to libclamav can separately enable temp directory recursion if they wish. For ClamScan and ClamD, it will remain tied to --leave-temps / LeaveTemporaryFiles options.
The new temp directory recursion option can be enabled with:

cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1);

GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
  *
libclamav: Added a class of scan callback functions that can be added with the following API function:

void cl_engine_set_scan_callback(struct cl_engine *engine, clcb_scan callback, cl_scan_callback_t location);

The scan callback location may be configured using the following five values:
Each callback may alter scan behavior using the following return codes:
Each callback is given a pointer to the current scan layer from which they can get previous layers, can get the layer's fmap, and then various attributes of the layer and of the fmap. To make this possible, there are new APIs to query scan-layer details and fmap details:

  cl_error_t cl_fmap_set_name(cl_fmap_t *map, const char *name);
  cl_error_t cl_fmap_get_name(cl_fmap_t *map, const char **name_out);
  cl_error_t cl_fmap_set_path(cl_fmap_t *map, const char *path);
  cl_error_t cl_fmap_get_path(cl_fmap_t *map, const char **path_out, size_t *offset_out, size_t *len_out);
  cl_error_t cl_fmap_get_fd(const cl_fmap_t *map, int *fd_out, size_t *offset_out, size_t *len_out);
  cl_error_t cl_fmap_get_size(const cl_fmap_t *map, size_t *size_out);
  cl_error_t cl_fmap_set_hash(const cl_fmap_t *map, const char *hash_alg, char hash);
  cl_error_t cl_fmap_have_hash(const cl_fmap_t *map, const char *hash_alg, bool *have_hash_out);
  cl_error_t cl_fmap_will_need_hash_later(const cl_fmap_t *map, const char *hash_alg);
  cl_error_t cl_fmap_get_hash(const cl_fmap_t *map, const char *hash_alg, char **hash_out);
  cl_error_t cl_fmap_get_data(const cl_fmap_t *map, size_t offset, size_t len, const uint8_t **data_out, size_t *data_len_out);
  cl_error_t cl_scan_layer_get_fmap(cl_scan_layer_t *layer, cl_fmap_t **fmap_out);
  cl_error_t cl_scan_layer_get_parent_layer(cl_scan_layer_t *layer, cl_scan_layer_t **parent_layer_out);
  cl_error_t cl_scan_layer_get_type(cl_scan_layer_t *layer, const char **type_out);
  cl_error_t cl_scan_layer_get_recursion_level(cl_scan_layer_t *layer, uint32_t *recursion_level_out);
  cl_error_t cl_scan_layer_get_object_id(cl_scan_layer_t *layer, uint64_t *object_id_out);
  cl_error_t cl_scan_layer_get_last_alert(cl_scan_layer_t *layer, const char **alert_name_out);
  cl_error_t cl_scan_layer_get_attributes(cl_scan_layer_t *layer, uint32_t *attributes_out);

This deprecates, but does not immediately remove, the existing scan callbacks:

  void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cache callback);
  void cl_engine_set_clcb_file_inspection(struct cl_engine *engine, clcb_file_inspection callback);
  void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan callback);
  void cl_engine_set_clcb_post_scan(struct cl_engine *engine, clcb_post_scan callback);
  void cl_engine_set_clcb_virus_found(struct cl_engine *engine, clcb_virus_found callback);
  void cl_engine_set_clcb_hash(struct cl_engine *engine, clcb_hash callback);

There is an interactive test program to demonstrate the new callbacks. See: examples/ex_scan_callbacks.c
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
     *   CL_SCAN_CALLBACK_PRE_HASH: Occurs just after basic file-type detection and before any hashes have been calculated either for the cache or the gen-json metadata.
     *   CL_SCAN_CALLBACK_PRE_SCAN: Occurs before parser modules run and before pattern matching.
     *   CL_SCAN_CALLBACK_POST_SCAN: Occurs after pattern matching and after running parser modules. A.k.a. the scan is complete for this layer.
     *   CL_SCAN_CALLBACK_ALERT: Occurs each time an alert (detection) would be triggered during a scan.
     *   CL_SCAN_CALLBACK_FILE_TYPE: Occurs each time the file type determination is refined. This may happen more than once per layer.
     *
CL_BREAK: Scan aborted by callback. The rest of the scan is skipped. This does not mark the file as clean or infected, it just skips the rest of the scan.
     *
CL_SUCCESS / CL_CLEAN: File scan will continue.
For CL_SCAN_CALLBACK_ALERT: This means you want to ignore this specific alert and keep scanning.
This is different than CL_VERIFIED because it does not affect prior or future alerts. Return CL_VERIFIED instead if you want to remove prior alerts for this layer and skip the rest of the scan for this layer.
     *
CL_VIRUS: This means you do not trust the file. A new alert will be added.
For CL_SCAN_CALLBACK_ALERT: This means you agree with the alert and no extra alert is needed.
     *
CL_VERIFIED: Layer explicitly trusted by the callback and previous alerts removed for THIS layer. You might want to do this if you trust the hash or verified a digital signature. The rest of the scan will be skipped for THIS layer. For contained files, this does NOT mean that the parent or adjacent layers are trusted.
  *
Signature names that start with "Weak." will no longer alert. Instead, they will be tracked internally and can be found in scan metadata JSON. This is a step towards enabling alerting signatures to depend on prior Weak indicator matches in the current layer or in child layers.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
  *
For the "Generate Metadata JSON" feature:
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
     *
The "Viruses" array of alert names has been replaced by two new arrays that include additional details beyond just signature name:
        *   "Indicators" records three types of indicators:
           *   Strong indicators are for traditional alerting signature matches and will halt the scan, except in all-match mode.
           *   Potentially Unwanted indicators will only cause an alert at the end of the scan unless a Strong indicator is found. They are treated the same as Strong indicators in all-match mode.
           *   Weak indicators do not alert and will be leveraged in a future version as a condition for logical signature matches.
        *   "Alerts" records only alerting indicators. Events that trust a file, such as false positive signatures, will remove affected indicators, and mark them as "Ignored" in the "Indicators" array.
     *
Add new option to calculate and record additional hash types when the "generate metadata JSON" feature is enabled:
        *   libclamav option: CL_SCAN_GENERAL_STORE_EXTRA_HASHES
        *   ClamScan option: --json-store-extra-hashes (default off)
        *   clamd.conf option: JsonStoreExtraHashes (default 'no')
     *
The file hash is now stored as "sha2-256" instead of "FileMD5". If you enable the "extra hashes" option, then it will also record "md5" and "sha1".
     *
Each object scanned now has a unique "Object ID".
  *
Sigtool: Renamed the sigtool option --sha256 to --sha2-256. The original option is still functional but is deprecated.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>

Other improvements

  *
Set a limit on the max-recursion config option. Users will no longer be able to set max-recursion higher than 100. This change prevents errors on start up or crashes if encountering a file with that many layers of recursion.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1264>
  *
Build system: CMake improvements to support compiling for the AIX platform. This change is courtesy of GitHub user KamathForAIX.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1387>
  *
Improve support for extracting malformed zip archives. This change is courtesy of Frederick Sell.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1460>
  *
Windows: Code quality improvement for the ClamScan and ClamDScan --move and --remove options. This change is courtesy of Maxim Suhanov.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1470>
  *
Added file type recognition for an initial set of AI model file types.
The file type is accessible to applications using libclamav via the scan callback functions and as an optional output parameter to the scan functions: cl_scanfile_ex(), cl_scanmap_ex(), and cl_scandesc_ex().
When scanning these files, type will now show "CL_TYPE_AI_MODEL" instead of "CL_TYPE_BINARY_DATA".
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1476>
  *
Added support for inline comments in ClamAV configuration files. This change is courtesy of GitHub user userwiths.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1308>
  *
Disabled the MyDoom hardcoded/heuristic detection because of false positives.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1495>
  *
Sigtool: Added support for creating .cdiff and .script patch files for CVDs that have underscores in the CVD name. Also improved support for relative paths with the --diff command.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1541>
  *
Windows: Improved support for file names with UTF-8 characters not found in the ANSI or OEM code pages when printing scan results or showing activity in the ClamDTOP monitoring utility. Fixed a bug with opening files with such names with the Sigtool utility.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1461>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1537>
  *
Improved the code quality of the ZIP module. Added inline documentation.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1548>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1552>
  *
Always run scan callbacks for embedded files. Embedded files are found within other files through signature matches instead of by parsing. They will now be processed the same way and then they can trigger application callbacks (e.g., "pre-scan", "post-scan", etc.).
A consequence of this change is that each embedded file will be pattern- matched just like any other extracted file. To minimize excessive pattern matching, file header validation checks were added for ZIP, ARJ, and CAB. Also fixed a bug with embedded PE file scanning to reduce unnecessary matching.
This change will impact scans with both the "leave-temps" feature and the "force-to-disk" feature enabled, resulting in additional temporary files.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1532>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1571>
  *
Added DevContainer templates to the ClamAV Git repository in order to make it easier to set up AlmaLinux or Debian development environments.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1462>
  *
Removed the "Heuristics.XZ.DicSizeLimit" alert because of potential unintended alerts based on system state.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1573>
  *
Improved support for compiling on Solaris.
This fix courtesy of Andrew Watkins.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1569>
  *
Improved support for compiling on GNU/Hurd.
This fix courtesy of Pino Toscano.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1569>
  *
Improved support for linking with the NCurses library dependency when libtinfo is built as a separate library.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1356>

Bug fixes

  *
Reduced email multipart message parser complexity.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1347>
  *
Fixed possible undefined behavior in inflate64 module. The inflate64 module is a modified version of the zlib library, taken from version 1.2.3 with some customization and with some cherry-picked fixes. This adds one additional fix from zlib 1.2.9. Thank you to TITAN Team for reporting this issue.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1469>
  *
Fixed a bug in ClamD that broke reporting of memory usage on Linux. The STATS command can be used to monitor ClamD directly or through ClamDTOP. The memory stats feature does not work on all platforms (e.g., Windows).
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1465>
  *
Windows: Fixed a build issue when the same library dependency is found in two different locations.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1453>
  *
Fixed an infinite loop when scanning some email files in debug-mode. This fix is courtesy of Yoann Lecuyer.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1445>
  *
Fixed a stack buffer overflow bug in the phishing signature load process. This fix is courtesy of GitHub user Shivam7-1.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1486>
  *
Fixed a race condition in the Freshclam feature tests. This fix is courtesy of GitHub user rma-x.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1513>
  *
Windows: Fixed a 5-byte heap buffer overread in the Windows unit tests. This fix is courtesy of GitHub user Sophie0x2E.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1542>
  *
Fix double-extraction of OOXML-based office documents.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
  *
ClamBC: Fixed crashes on startup.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
  *
Fixed an assortment of issues found with Coverity static analysis.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1574>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1582>
  *
Fixed libclamav unit test, ClamD, and ClamDScan Valgrind test failures affecting some platforms.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1554>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1570>
  *
Fixed crash in the Sigtool program when using the --html-normalize option.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1556>
  *
Fixed some potential NULL-pointer dereference issues if memory allocations fail.
Fix courtesy of GitHub user JiangJias.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1581>

Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/packages/clamav | 15 ++++++------
 lfs/clamav                       | 39 ++++++++++++++++----------------
 2 files changed, 28 insertions(+), 26 deletions(-)
  

Hello Adolf,

Thank you very much for the patch.

It did however not apply cleanly because I increased the release number earlier in next when Stefan submitted a new version of Rust. So you might not see this one as accepted on Patchwork.

I pushed another commit to increase the release once again, although nobody should have seen version 81 anywhere.

All the best,
-Michael

> On 23 Jan 2026, at 13:59, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> - Update from version 1.4.3 to 1.5.1
> - Update of rootfile
> - From version 1.5.0 clamav added signing/verification of the signature file downloads
>   with external .sign files. -D CVD_CERTS_DIRECTORY=/etc/clamav/certs has been added
>   as a build option to create the certs directory and to install the clamav.crt file
> - Tested out the execution of this version on a vm testbed. The .sign files were
>   correctly downloaded and the databases approved. This was also the case with a
>   reboot. This was where users had a problem with the version relaesed in CU199 after
>   they had manually created a directory.
> - Changelog
> 1.5.1
> ClamAV 1.5.1 is a patch release with the following fixes:
> 
>  *
> Fixed a significant performance issue when scanning some PE files
>  *
> Fixed an issue recording file entries from a ZIP archive central directory which resulted in "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the ClamScan --alert-exceeds-max command line option or ClamD AlertExceedsMax config file option
>  *
> Improved performance when scanning TNEF email attachments
>  *
> Fixed an issue with recording metadata for OOXML office documents
>  *
> Fixed an issue with signature matches for VBA in OLE2 office documents
>  *
> Loosened overly restrictive rules for embedded file identification and increased the limit for finding PE files embedded in other PE files
>  *
> Fixed an issue with extracting some RAR archives embedded in other files
>  *
> Fixed an issue with calculating fuzzy hashes affecting some images by updating the version for several Rust library dependencies
>     *   This release does not require a newer version of the Rust compiler toolchain than what was required for ClamAV 1.5.0
> 
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1606>
> 
> 1.5.0
> Major changes
> 
>  *
> Added checks to determine if an OLE2-based Microsoft Office document is encrypted.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1295>
>  *
> Added the ability to record URIs found in HTML if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record HTML URIs. The ClamScan command-line option is --json-store-html-uris=no. The clamd.conf config option is JsonStoreHTMLURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_HTML_URIS
> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1281>
> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1482>
> GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1514>
>  *
> Added the ability to record URIs found in PDFs if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record PDF URIs. The ClamScan command-line option is --json-store-pdf-uris=no. The clamd.conf config option is JsonStorePDFURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_PDF_URIS
> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1482>
> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1514>
> GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1559>
> GitHub pull request #4<https://github.com/Cisco-Talos/clamav/pull/1572>
>  *
> Added regex support for the clamd.conf OnAccessExcludePath config option. This change courtesy of GitHub user b1tg.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1314>
>  *
> Added CVD signing/verification with external .sign files.
> Freshclam will now attempt to download external signature files to accompany existing .cvd databases and .cdiff patch files. Sigtool now has commands to sign and verify using the external signatures.
> ClamAV now installs a 'certs' directory in the app config directory (e.g., <prefix>/etc/certs). The install path is configurable. The CMake option to configure the CVD certs directory is -D CVD_CERTS_DIRECTORY=PATH
> New options to set an alternative CVD certs directory:
> Added two new APIs to the public clamav.h header:
> 
> cl_error_t cl_cvdverify_ex(
>    const char *file,
>    const char *certs_directory,
>    uint32_t dboptions);
> 
> cl_error_t cl_cvdunpack_ex(
>    const char *file,
>    const char *dir,
>    const char *certs_directory,
>    uint32_t dboptions);
> 
> The original cl_cvdverify and cl_cvdunpack are deprecated.
> Added a cl_engine_field enum option CL_ENGINE_CVDCERTSDIR. You may set this option with cl_engine_set_str and get it with cl_engine_get_str, to override the compiled in default CVD certs directory.
> Thank you to Mark Carey at SAP for inspiring work on this feature with an initial proof of concept for external-signature FIPS compliant CVD signing.
> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1417>
> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1478>
> GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1489>
> GitHub pull request #4<https://github.com/Cisco-Talos/clamav/pull/1491>
>     *   The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is --cvdcertsdir PATH
>     *   The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is CVD_CERTS_DIR
>     *   The config option for Freshclam and ClamD is CVDCertsDirectory PATH
>  *
> Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like limits disabling MD5 and SHA1 from being used for verifying digital signatures or for being used to trust a file when checking for false positives (FPs).
> For freshclam.conf and clamd.conf set this config option:
> 
> FIPSCryptoHashLimits yes
> 
> For clamscan and sigtool use this command-line option:
> 
> --fips-limits
> 
> For libclamav: Enable FIPS-limits for a ClamAV engine like this:
> 
> cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1);
> 
> ClamAV will also attempt to detect if FIPS-mode is enabled. If so, it will automatically enable the FIPS-limits feature.
> This change mitigates safety concerns over the use of MD5 and SHA1 algorithms to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments.
> Note: ClamAV may still calculate MD5 or SHA1 hashes as needed for detection purposes or for informational purposes in FIPS-enabled environments and when the FIPS-limits option is enabled.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>  *
> Upgraded the clean-file scan cache to use SHA2-256 (prior versions use MD5). The clean-file cache algorithm is not configurable.
> This change resolves safety concerns over the use of MD5 to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments.
> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1532>
> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1560>
>  *
> ClamD: Added an option to disable select administrative commands including SHUTDOWN, RELOAD, STATS and VERSION.
> The new clamd.conf options are:
> 
> EnableShutdownCommand yes
> EnableReloadCommand yes
> EnableStatsCommand yes
> EnableVersionCommand yes
> 
> This change courtesy of GitHub user ChaoticByte.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1502>
>  *
> libclamav: Added extended hashing functions with a "flags" parameter that allows the caller to choose if they want to bypass FIPS hash algorithm limits:
> 
> cl_error_t cl_hash_data_ex(
>    const char *alg,
>    const uint8_t *data,
>    size_t data_len,
>    uint8_t **hash,
>    size_t *hash_len,
>    uint32_t flags);
> 
> cl_error_t cl_hash_init_ex(
>    const char *alg,
>    uint32_t flags,
>    cl_hash_ctx_t **ctx_out);
> 
> cl_error_t cl_update_hash_ex(
>    cl_hash_ctx_t *ctx,
>    const uint8_t *data,
>    size_t length);
> 
> cl_error_t cl_finish_hash_ex(
>    cl_hash_ctx_t *ctx,
>    uint8_t **hash,
>    size_t *hash_len,
>    uint32_t flags);
> 
> void cl_hash_destroy(void *ctx);
> 
> cl_error_t cl_hash_file_fd_ex(
>    const char *alg,
>    int fd,
>    size_t offset,
>    size_t length,
>    uint8_t **hash,
>    size_t *hash_len,
>    uint32_t flags);
> 
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>  *
> ClamScan: Improved the precision of the bytes-scanned and bytes-read counters. The ClamScan scan summary will now report exact counts in "GiB", "MiB", "KiB", or "B" as appropriate. Previously, it always reported "MB".
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>  *
> ClamScan: Add hash & file-type in/out CLI options:
> We will not be adding this for ClamDScan, as we do not have a mechanism in the ClamD socket API to receive scan options or a way for ClamD to include scan metadata in the response.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>     *   --hash-hint: The file hash so that libclamav does not need to calculate it. The type of hash must match the --hash-alg.
>     *   --log-hash: Print the file hash after each file scanned. The type of hash printed will match the --hash-alg.
>     *   --hash-alg: The hashing algorithm used for either --hash-hint or --log-hash. Supported algorithms are "md5", "sha1", "sha2-256". If not specified, the default is "sha2-256".
>     *   --file-type-hint: The file type hint so that libclamav can optimize scanning (e.g., "pe", "elf", "zip", etc.). You may also use ClamAV type names such as "CL_TYPE_PE". ClamAV will ignore the hint if it is not familiar with the specified type. See also: https://docs.clamav.net/appendix/FileTypes.html#file-types
>     *   --log-file-type: Print the file type after each file scanned.
>  *
> libclamav: Added new scan functions that provide additional functionality:
> 
> cl_error_t cl_scanfile_ex(
>    const char *filename,
>    cl_verdict_t *verdict_out,
>    const char **last_alert_out,
>    uint64_t *scanned_out,
>    const struct cl_engine *engine,
>    struct cl_scan_options *scanoptions,
>    void *context,
>    const char *hash_hint,
>    char **hash_out,
>    const char *hash_alg,
>    const char *file_type_hint,
>    char **file_type_out);
> 
> cl_error_t cl_scandesc_ex(
>    int desc,
>    const char *filename,
>    cl_verdict_t *verdict_out,
>    const char **last_alert_out,
>    uint64_t *scanned_out,
>    const struct cl_engine *engine,
>    struct cl_scan_options *scanoptions,
>    void *context,
>    const char *hash_hint,
>    char **hash_out,
>    const char *hash_alg,
>    const char *file_type_hint,
>    char **file_type_out);
> 
> cl_error_t cl_scanmap_ex(
>    cl_fmap_t *map,
>    const char *filename,
>    cl_verdict_t *verdict_out,
>    const char **last_alert_out,
>    uint64_t *scanned_out,
>    const struct cl_engine *engine,
>    struct cl_scan_options *scanoptions,
>    void *context,
>    const char *hash_hint,
>    char **hash_out,
>    const char *hash_alg,
>    const char *file_type_hint,
>    char **file_type_out);
> 
> The older cl_scan*() functions are now deprecated and may be removed in a future release. See clamav.h for more details.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>  *
> libclamav: Added a new engine option to toggle temp directory recursion.
> Temp directory recursion is the idea that each object scanned in ClamAV's recursive extract/scan process will get a new temp subdirectory, mimicking the nesting structure of the file.
> Temp directory recursion was introduced in ClamAV 0.103 and is enabled whenever --leave-temps / LeaveTemporaryFiles is enabled.
> In ClamAV 1.5, an application linking to libclamav can separately enable temp directory recursion if they wish. For ClamScan and ClamD, it will remain tied to --leave-temps / LeaveTemporaryFiles options.
> The new temp directory recursion option can be enabled with:
> 
> cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1);
> 
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>  *
> libclamav: Added a class of scan callback functions that can be added with the following API function:
> 
> void cl_engine_set_scan_callback(struct cl_engine *engine, clcb_scan callback, cl_scan_callback_t location);
> 
> The scan callback location may be configured using the following five values:
> Each callback may alter scan behavior using the following return codes:
> Each callback is given a pointer to the current scan layer from which they can get previous layers, can get the layer's fmap, and then various attributes of the layer and of the fmap. To make this possible, there are new APIs to query scan-layer details and fmap details:
> 
>  cl_error_t cl_fmap_set_name(cl_fmap_t *map, const char *name);
>  cl_error_t cl_fmap_get_name(cl_fmap_t *map, const char **name_out);
>  cl_error_t cl_fmap_set_path(cl_fmap_t *map, const char *path);
>  cl_error_t cl_fmap_get_path(cl_fmap_t *map, const char **path_out, size_t *offset_out, size_t *len_out);
>  cl_error_t cl_fmap_get_fd(const cl_fmap_t *map, int *fd_out, size_t *offset_out, size_t *len_out);
>  cl_error_t cl_fmap_get_size(const cl_fmap_t *map, size_t *size_out);
>  cl_error_t cl_fmap_set_hash(const cl_fmap_t *map, const char *hash_alg, char hash);
>  cl_error_t cl_fmap_have_hash(const cl_fmap_t *map, const char *hash_alg, bool *have_hash_out);
>  cl_error_t cl_fmap_will_need_hash_later(const cl_fmap_t *map, const char *hash_alg);
>  cl_error_t cl_fmap_get_hash(const cl_fmap_t *map, const char *hash_alg, char **hash_out);
>  cl_error_t cl_fmap_get_data(const cl_fmap_t *map, size_t offset, size_t len, const uint8_t **data_out, size_t *data_len_out);
>  cl_error_t cl_scan_layer_get_fmap(cl_scan_layer_t *layer, cl_fmap_t **fmap_out);
>  cl_error_t cl_scan_layer_get_parent_layer(cl_scan_layer_t *layer, cl_scan_layer_t **parent_layer_out);
>  cl_error_t cl_scan_layer_get_type(cl_scan_layer_t *layer, const char **type_out);
>  cl_error_t cl_scan_layer_get_recursion_level(cl_scan_layer_t *layer, uint32_t *recursion_level_out);
>  cl_error_t cl_scan_layer_get_object_id(cl_scan_layer_t *layer, uint64_t *object_id_out);
>  cl_error_t cl_scan_layer_get_last_alert(cl_scan_layer_t *layer, const char **alert_name_out);
>  cl_error_t cl_scan_layer_get_attributes(cl_scan_layer_t *layer, uint32_t *attributes_out);
> 
> This deprecates, but does not immediately remove, the existing scan callbacks:
> 
>  void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cache callback);
>  void cl_engine_set_clcb_file_inspection(struct cl_engine *engine, clcb_file_inspection callback);
>  void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan callback);
>  void cl_engine_set_clcb_post_scan(struct cl_engine *engine, clcb_post_scan callback);
>  void cl_engine_set_clcb_virus_found(struct cl_engine *engine, clcb_virus_found callback);
>  void cl_engine_set_clcb_hash(struct cl_engine *engine, clcb_hash callback);
> 
> There is an interactive test program to demonstrate the new callbacks. See: examples/ex_scan_callbacks.c
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>     *   CL_SCAN_CALLBACK_PRE_HASH: Occurs just after basic file-type detection and before any hashes have been calculated either for the cache or the gen-json metadata.
>     *   CL_SCAN_CALLBACK_PRE_SCAN: Occurs before parser modules run and before pattern matching.
>     *   CL_SCAN_CALLBACK_POST_SCAN: Occurs after pattern matching and after running parser modules. A.k.a. the scan is complete for this layer.
>     *   CL_SCAN_CALLBACK_ALERT: Occurs each time an alert (detection) would be triggered during a scan.
>     *   CL_SCAN_CALLBACK_FILE_TYPE: Occurs each time the file type determination is refined. This may happen more than once per layer.
>     *
> CL_BREAK: Scan aborted by callback. The rest of the scan is skipped. This does not mark the file as clean or infected, it just skips the rest of the scan.
>     *
> CL_SUCCESS / CL_CLEAN: File scan will continue.
> For CL_SCAN_CALLBACK_ALERT: This means you want to ignore this specific alert and keep scanning.
> This is different than CL_VERIFIED because it does not affect prior or future alerts. Return CL_VERIFIED instead if you want to remove prior alerts for this layer and skip the rest of the scan for this layer.
>     *
> CL_VIRUS: This means you do not trust the file. A new alert will be added.
> For CL_SCAN_CALLBACK_ALERT: This means you agree with the alert and no extra alert is needed.
>     *
> CL_VERIFIED: Layer explicitly trusted by the callback and previous alerts removed for THIS layer. You might want to do this if you trust the hash or verified a digital signature. The rest of the scan will be skipped for THIS layer. For contained files, this does NOT mean that the parent or adjacent layers are trusted.
>  *
> Signature names that start with "Weak." will no longer alert. Instead, they will be tracked internally and can be found in scan metadata JSON. This is a step towards enabling alerting signatures to depend on prior Weak indicator matches in the current layer or in child layers.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>  *
> For the "Generate Metadata JSON" feature:
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>     *
> The "Viruses" array of alert names has been replaced by two new arrays that include additional details beyond just signature name:
>        *   "Indicators" records three types of indicators:
>           *   Strong indicators are for traditional alerting signature matches and will halt the scan, except in all-match mode.
>           *   Potentially Unwanted indicators will only cause an alert at the end of the scan unless a Strong indicator is found. They are treated the same as Strong indicators in all-match mode.
>           *   Weak indicators do not alert and will be leveraged in a future version as a condition for logical signature matches.
>        *   "Alerts" records only alerting indicators. Events that trust a file, such as false positive signatures, will remove affected indicators, and mark them as "Ignored" in the "Indicators" array.
>     *
> Add new option to calculate and record additional hash types when the "generate metadata JSON" feature is enabled:
>        *   libclamav option: CL_SCAN_GENERAL_STORE_EXTRA_HASHES
>        *   ClamScan option: --json-store-extra-hashes (default off)
>        *   clamd.conf option: JsonStoreExtraHashes (default 'no')
>     *
> The file hash is now stored as "sha2-256" instead of "FileMD5". If you enable the "extra hashes" option, then it will also record "md5" and "sha1".
>     *
> Each object scanned now has a unique "Object ID".
>  *
> Sigtool: Renamed the sigtool option --sha256 to --sha2-256. The original option is still functional but is deprecated.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
> 
> Other improvements
> 
>  *
> Set a limit on the max-recursion config option. Users will no longer be able to set max-recursion higher than 100. This change prevents errors on start up or crashes if encountering a file with that many layers of recursion.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1264>
>  *
> Build system: CMake improvements to support compiling for the AIX platform. This change is courtesy of GitHub user KamathForAIX.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1387>
>  *
> Improve support for extracting malformed zip archives. This change is courtesy of Frederick Sell.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1460>
>  *
> Windows: Code quality improvement for the ClamScan and ClamDScan --move and --remove options. This change is courtesy of Maxim Suhanov.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1470>
>  *
> Added file type recognition for an initial set of AI model file types.
> The file type is accessible to applications using libclamav via the scan callback functions and as an optional output parameter to the scan functions: cl_scanfile_ex(), cl_scanmap_ex(), and cl_scandesc_ex().
> When scanning these files, type will now show "CL_TYPE_AI_MODEL" instead of "CL_TYPE_BINARY_DATA".
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1476>
>  *
> Added support for inline comments in ClamAV configuration files. This change is courtesy of GitHub user userwiths.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1308>
>  *
> Disabled the MyDoom hardcoded/heuristic detection because of false positives.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1495>
>  *
> Sigtool: Added support for creating .cdiff and .script patch files for CVDs that have underscores in the CVD name. Also improved support for relative paths with the --diff command.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1541>
>  *
> Windows: Improved support for file names with UTF-8 characters not found in the ANSI or OEM code pages when printing scan results or showing activity in the ClamDTOP monitoring utility. Fixed a bug with opening files with such names with the Sigtool utility.
> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1461>
> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1537>
>  *
> Improved the code quality of the ZIP module. Added inline documentation.
> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1548>
> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1552>
>  *
> Always run scan callbacks for embedded files. Embedded files are found within other files through signature matches instead of by parsing. They will now be processed the same way and then they can trigger application callbacks (e.g., "pre-scan", "post-scan", etc.).
> A consequence of this change is that each embedded file will be pattern- matched just like any other extracted file. To minimize excessive pattern matching, file header validation checks were added for ZIP, ARJ, and CAB. Also fixed a bug with embedded PE file scanning to reduce unnecessary matching.
> This change will impact scans with both the "leave-temps" feature and the "force-to-disk" feature enabled, resulting in additional temporary files.
> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1532>
> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1571>
>  *
> Added DevContainer templates to the ClamAV Git repository in order to make it easier to set up AlmaLinux or Debian development environments.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1462>
>  *
> Removed the "Heuristics.XZ.DicSizeLimit" alert because of potential unintended alerts based on system state.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1573>
>  *
> Improved support for compiling on Solaris.
> This fix courtesy of Andrew Watkins.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1569>
>  *
> Improved support for compiling on GNU/Hurd.
> This fix courtesy of Pino Toscano.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1569>
>  *
> Improved support for linking with the NCurses library dependency when libtinfo is built as a separate library.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1356>
> 
> Bug fixes
> 
>  *
> Reduced email multipart message parser complexity.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1347>
>  *
> Fixed possible undefined behavior in inflate64 module. The inflate64 module is a modified version of the zlib library, taken from version 1.2.3 with some customization and with some cherry-picked fixes. This adds one additional fix from zlib 1.2.9. Thank you to TITAN Team for reporting this issue.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1469>
>  *
> Fixed a bug in ClamD that broke reporting of memory usage on Linux. The STATS command can be used to monitor ClamD directly or through ClamDTOP. The memory stats feature does not work on all platforms (e.g., Windows).
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1465>
>  *
> Windows: Fixed a build issue when the same library dependency is found in two different locations.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1453>
>  *
> Fixed an infinite loop when scanning some email files in debug-mode. This fix is courtesy of Yoann Lecuyer.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1445>
>  *
> Fixed a stack buffer overflow bug in the phishing signature load process. This fix is courtesy of GitHub user Shivam7-1.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1486>
>  *
> Fixed a race condition in the Freshclam feature tests. This fix is courtesy of GitHub user rma-x.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1513>
>  *
> Windows: Fixed a 5-byte heap buffer overread in the Windows unit tests. This fix is courtesy of GitHub user Sophie0x2E.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1542>
>  *
> Fix double-extraction of OOXML-based office documents.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>  *
> ClamBC: Fixed crashes on startup.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>  *
> Fixed an assortment of issues found with Coverity static analysis.
> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1574>
> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1582>
>  *
> Fixed libclamav unit test, ClamD, and ClamDScan Valgrind test failures affecting some platforms.
> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1554>
> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1570>
>  *
> Fixed crash in the Sigtool program when using the --html-normalize option.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1556>
>  *
> Fixed some potential NULL-pointer dereference issues if memory allocations fail.
> Fix courtesy of GitHub user JiangJias.
> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1581>
> 
> Tested-by: Adolf Belka <adolf.belka@ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> config/rootfiles/packages/clamav | 15 ++++++------
> lfs/clamav                       | 39 ++++++++++++++++----------------
> 2 files changed, 28 insertions(+), 26 deletions(-)
> 
> diff --git a/config/rootfiles/packages/clamav b/config/rootfiles/packages/clamav
> index d5495e4b7..43c5585d9 100644
> --- a/config/rootfiles/packages/clamav
> +++ b/config/rootfiles/packages/clamav
> @@ -1,3 +1,6 @@
> +etc/clamav
> +etc/clamav/certs
> +etc/clamav/certs/clamav.crt
> etc/rc.d/init.d/clamav
> usr/bin/clamav-config
> usr/bin/clambc
> @@ -14,20 +17,20 @@ usr/bin/sigtool
> #usr/include/libfreshclam.h
> usr/lib/libclamav.so
> usr/lib/libclamav.so.12
> -usr/lib/libclamav.so.12.0.3
> +usr/lib/libclamav.so.12.1.0
> #usr/lib/libclamav_rust.a
> usr/lib/libclammspack.so
> usr/lib/libclammspack.so.0
> usr/lib/libclammspack.so.0.8.0
> usr/lib/libclamunrar.so
> usr/lib/libclamunrar.so.12
> -usr/lib/libclamunrar.so.12.0.3
> +usr/lib/libclamunrar.so.12.1.0
> usr/lib/libclamunrar_iface.so
> usr/lib/libclamunrar_iface.so.12
> -usr/lib/libclamunrar_iface.so.12.0.3
> +usr/lib/libclamunrar_iface.so.12.1.0
> usr/lib/libfreshclam.so
> -usr/lib/libfreshclam.so.3
> -usr/lib/libfreshclam.so.3.0.2
> +usr/lib/libfreshclam.so.4
> +usr/lib/libfreshclam.so.4.0.0
> #usr/lib/pkgconfig/libclamav.pc
> usr/sbin/clamd
> #usr/share/doc/ClamAV
> @@ -133,7 +136,6 @@ usr/sbin/clamd
> #usr/share/doc/ClamAV/html/manual/Installing/Add-clamav-user.html
> #usr/share/doc/ClamAV/html/manual/Installing/Community-projects.html
> #usr/share/doc/ClamAV/html/manual/Installing/Docker.html
> -#usr/share/doc/ClamAV/html/manual/Installing/Installing-from-source-Unix-old.html
> #usr/share/doc/ClamAV/html/manual/Installing/Installing-from-source-Unix.html
> #usr/share/doc/ClamAV/html/manual/Installing/Installing-from-source-Windows.html
> #usr/share/doc/ClamAV/html/manual/Installing/Packages.html
> @@ -168,7 +170,6 @@ usr/sbin/clamd
> #usr/share/doc/ClamAV/html/print.html
> #usr/share/doc/ClamAV/html/searcher.js
> #usr/share/doc/ClamAV/html/searchindex.js
> -#usr/share/doc/ClamAV/html/searchindex.json
> #usr/share/doc/ClamAV/html/sitemap.xml
> #usr/share/doc/ClamAV/html/theme-dawn.js
> #usr/share/doc/ClamAV/html/theme-tomorrow_night.js
> diff --git a/lfs/clamav b/lfs/clamav
> index 254da1281..1d4d0ba8b 100644
> --- a/lfs/clamav
> +++ b/lfs/clamav
> @@ -1,7 +1,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -26,7 +26,7 @@ include Config
> 
> SUMMARY    = Antivirus Toolkit
> 
> -VER        = 1.4.3
> +VER        = 1.5.1
> 
> THISAPP    = clamav-$(VER)
> DL_FILE    = $(THISAPP).tar.gz
> @@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
> DIR_APP    = $(DIR_SRC)/$(THISAPP)
> TARGET     = $(DIR_INFO)/$(THISAPP)
> PROG       = clamav
> -PAK_VER    = 80
> +PAK_VER    = 81
> 
> DEPS       =
> 
> @@ -50,7 +50,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_BLAKE2 = 144be77e7104ebf78482c9efc411a4a168bb4ea3ad18abb237e7bcc1f5cf3e2c10d5478a54d9dc0d82b028c923065bc614cd535fd4f67fb1e73f5fe1c6425861
> +$(DL_FILE)_BLAKE2 = d6fd0885ea2864b0fecf040d6b0a088b8d9ad05a555697eab6c999b4a8b3d14bc2ee0968ef4dcb3f3b56d8361faecb98afa5ff4ffbb843cf1bf221a4e27a4496
> 
> 
> install : $(TARGET)
> @@ -87,21 +87,22 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> 
> cd $(DIR_APP) && mkdir -pv build
> cd $(DIR_APP)/build && cmake .. -G Ninja \
> - -DCMAKE_BUILD_TYPE=Release \
> - -DCMAKE_INSTALL_PREFIX=/usr \
> - -DCMAKE_INSTALL_LIBDIR=/usr/lib \
> - -DOPTIMIZE=ON \
> - -DBYTECODE_RUNTIME="interpreter" \
> - -DENABLE_TESTS=OFF \
> - -DENABLE_CLAMONACC=OFF \
> - -DENABLE_MILTER=OFF \
> - -DENABLE_MAN_PAGES=OFF \
> - -DENABLE_EXTERNAL_MSPACK=OFF \
> - -DENABLE_FRESHCLAM_DNS_FIX=ON \
> - -DENABLE_SYSTEMD=OFF \
> - -DAPP_CONFIG_DIRECTORY=/var/ipfire/clamav \
> - -DCURSES_LIBRARY=/usr/lib/libncurses.so \
> - -DDATABASE_DIRECTORY=$(DATABASE_DIR)
> + -D CMAKE_BUILD_TYPE=Release \
> + -D CMAKE_INSTALL_PREFIX=/usr \
> + -D CMAKE_INSTALL_LIBDIR=/usr/lib \
> + -D CVD_CERTS_DIRECTORY=/etc/clamav/certs \
> + -D OPTIMIZE=ON \
> + -D BYTECODE_RUNTIME="interpreter" \
> + -D ENABLE_TESTS=OFF \
> + -D ENABLE_CLAMONACC=OFF \
> + -D ENABLE_MILTER=OFF \
> + -D ENABLE_MAN_PAGES=OFF \
> + -D ENABLE_EXTERNAL_MSPACK=OFF \
> + -D ENABLE_FRESHCLAM_DNS_FIX=ON \
> + -D ENABLE_SYSTEMD=OFF \
> + -D APP_CONFIG_DIRECTORY=/var/ipfire/clamav \
> + -D CURSES_LIBRARY=/usr/lib/libncurses.so \
> + -D DATABASE_DIRECTORY=$(DATABASE_DIR)
> cd $(DIR_APP)/build && ninja $(MAKETUNING) && ninja install
> 
> mkdir -pv $(DATABASE_DIR)
> -- 
> 2.52.0
> 
>
  

Hi Michael,

On 23/01/2026 15:57, Michael Tremer wrote:
> Hello Adolf,
> 
> Thank you very much for the patch.
> 
> It did however not apply cleanly because I increased the release number earlier in next when Stefan submitted a new version of Rust. So you might not see this one as accepted on Patchwork.
> 
> I pushed another commit to increase the release once again, although nobody should have seen version 81 anywhere.

I had seen that the clamav version had been bumped and wondered why.

I did my build of clamav 3 or 4 days ago and have been testing it since then to try and make sure that I minimise the chances of having another clamav update problem as we had with CU199. Of course it would have helped if somebody had tested out clamav during the Testing phase.

Hopefully some actual user will test it out in CU200 Testing.

Regards,

Adolf.

> 
> All the best,
> -Michael
> 
>> On 23 Jan 2026, at 13:59, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> - Update from version 1.4.3 to 1.5.1
>> - Update of rootfile
>> - From version 1.5.0 clamav added signing/verification of the signature file downloads
>>    with external .sign files. -D CVD_CERTS_DIRECTORY=/etc/clamav/certs has been added
>>    as a build option to create the certs directory and to install the clamav.crt file
>> - Tested out the execution of this version on a vm testbed. The .sign files were
>>    correctly downloaded and the databases approved. This was also the case with a
>>    reboot. This was where users had a problem with the version relaesed in CU199 after
>>    they had manually created a directory.
>> - Changelog
>> 1.5.1
>> ClamAV 1.5.1 is a patch release with the following fixes:
>>
>>   *
>> Fixed a significant performance issue when scanning some PE files
>>   *
>> Fixed an issue recording file entries from a ZIP archive central directory which resulted in "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the ClamScan --alert-exceeds-max command line option or ClamD AlertExceedsMax config file option
>>   *
>> Improved performance when scanning TNEF email attachments
>>   *
>> Fixed an issue with recording metadata for OOXML office documents
>>   *
>> Fixed an issue with signature matches for VBA in OLE2 office documents
>>   *
>> Loosened overly restrictive rules for embedded file identification and increased the limit for finding PE files embedded in other PE files
>>   *
>> Fixed an issue with extracting some RAR archives embedded in other files
>>   *
>> Fixed an issue with calculating fuzzy hashes affecting some images by updating the version for several Rust library dependencies
>>      *   This release does not require a newer version of the Rust compiler toolchain than what was required for ClamAV 1.5.0
>>
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1606>
>>
>> 1.5.0
>> Major changes
>>
>>   *
>> Added checks to determine if an OLE2-based Microsoft Office document is encrypted.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1295>
>>   *
>> Added the ability to record URIs found in HTML if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record HTML URIs. The ClamScan command-line option is --json-store-html-uris=no. The clamd.conf config option is JsonStoreHTMLURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_HTML_URIS
>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1281>
>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1482>
>> GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1514>
>>   *
>> Added the ability to record URIs found in PDFs if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record PDF URIs. The ClamScan command-line option is --json-store-pdf-uris=no. The clamd.conf config option is JsonStorePDFURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_PDF_URIS
>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1482>
>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1514>
>> GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1559>
>> GitHub pull request #4<https://github.com/Cisco-Talos/clamav/pull/1572>
>>   *
>> Added regex support for the clamd.conf OnAccessExcludePath config option. This change courtesy of GitHub user b1tg.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1314>
>>   *
>> Added CVD signing/verification with external .sign files.
>> Freshclam will now attempt to download external signature files to accompany existing .cvd databases and .cdiff patch files. Sigtool now has commands to sign and verify using the external signatures.
>> ClamAV now installs a 'certs' directory in the app config directory (e.g., <prefix>/etc/certs). The install path is configurable. The CMake option to configure the CVD certs directory is -D CVD_CERTS_DIRECTORY=PATH
>> New options to set an alternative CVD certs directory:
>> Added two new APIs to the public clamav.h header:
>>
>> cl_error_t cl_cvdverify_ex(
>>     const char *file,
>>     const char *certs_directory,
>>     uint32_t dboptions);
>>
>> cl_error_t cl_cvdunpack_ex(
>>     const char *file,
>>     const char *dir,
>>     const char *certs_directory,
>>     uint32_t dboptions);
>>
>> The original cl_cvdverify and cl_cvdunpack are deprecated.
>> Added a cl_engine_field enum option CL_ENGINE_CVDCERTSDIR. You may set this option with cl_engine_set_str and get it with cl_engine_get_str, to override the compiled in default CVD certs directory.
>> Thank you to Mark Carey at SAP for inspiring work on this feature with an initial proof of concept for external-signature FIPS compliant CVD signing.
>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1417>
>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1478>
>> GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1489>
>> GitHub pull request #4<https://github.com/Cisco-Talos/clamav/pull/1491>
>>      *   The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is --cvdcertsdir PATH
>>      *   The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is CVD_CERTS_DIR
>>      *   The config option for Freshclam and ClamD is CVDCertsDirectory PATH
>>   *
>> Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like limits disabling MD5 and SHA1 from being used for verifying digital signatures or for being used to trust a file when checking for false positives (FPs).
>> For freshclam.conf and clamd.conf set this config option:
>>
>> FIPSCryptoHashLimits yes
>>
>> For clamscan and sigtool use this command-line option:
>>
>> --fips-limits
>>
>> For libclamav: Enable FIPS-limits for a ClamAV engine like this:
>>
>> cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1);
>>
>> ClamAV will also attempt to detect if FIPS-mode is enabled. If so, it will automatically enable the FIPS-limits feature.
>> This change mitigates safety concerns over the use of MD5 and SHA1 algorithms to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments.
>> Note: ClamAV may still calculate MD5 or SHA1 hashes as needed for detection purposes or for informational purposes in FIPS-enabled environments and when the FIPS-limits option is enabled.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>   *
>> Upgraded the clean-file scan cache to use SHA2-256 (prior versions use MD5). The clean-file cache algorithm is not configurable.
>> This change resolves safety concerns over the use of MD5 to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments.
>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1532>
>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1560>
>>   *
>> ClamD: Added an option to disable select administrative commands including SHUTDOWN, RELOAD, STATS and VERSION.
>> The new clamd.conf options are:
>>
>> EnableShutdownCommand yes
>> EnableReloadCommand yes
>> EnableStatsCommand yes
>> EnableVersionCommand yes
>>
>> This change courtesy of GitHub user ChaoticByte.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1502>
>>   *
>> libclamav: Added extended hashing functions with a "flags" parameter that allows the caller to choose if they want to bypass FIPS hash algorithm limits:
>>
>> cl_error_t cl_hash_data_ex(
>>     const char *alg,
>>     const uint8_t *data,
>>     size_t data_len,
>>     uint8_t **hash,
>>     size_t *hash_len,
>>     uint32_t flags);
>>
>> cl_error_t cl_hash_init_ex(
>>     const char *alg,
>>     uint32_t flags,
>>     cl_hash_ctx_t **ctx_out);
>>
>> cl_error_t cl_update_hash_ex(
>>     cl_hash_ctx_t *ctx,
>>     const uint8_t *data,
>>     size_t length);
>>
>> cl_error_t cl_finish_hash_ex(
>>     cl_hash_ctx_t *ctx,
>>     uint8_t **hash,
>>     size_t *hash_len,
>>     uint32_t flags);
>>
>> void cl_hash_destroy(void *ctx);
>>
>> cl_error_t cl_hash_file_fd_ex(
>>     const char *alg,
>>     int fd,
>>     size_t offset,
>>     size_t length,
>>     uint8_t **hash,
>>     size_t *hash_len,
>>     uint32_t flags);
>>
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>   *
>> ClamScan: Improved the precision of the bytes-scanned and bytes-read counters. The ClamScan scan summary will now report exact counts in "GiB", "MiB", "KiB", or "B" as appropriate. Previously, it always reported "MB".
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>   *
>> ClamScan: Add hash & file-type in/out CLI options:
>> We will not be adding this for ClamDScan, as we do not have a mechanism in the ClamD socket API to receive scan options or a way for ClamD to include scan metadata in the response.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>      *   --hash-hint: The file hash so that libclamav does not need to calculate it. The type of hash must match the --hash-alg.
>>      *   --log-hash: Print the file hash after each file scanned. The type of hash printed will match the --hash-alg.
>>      *   --hash-alg: The hashing algorithm used for either --hash-hint or --log-hash. Supported algorithms are "md5", "sha1", "sha2-256". If not specified, the default is "sha2-256".
>>      *   --file-type-hint: The file type hint so that libclamav can optimize scanning (e.g., "pe", "elf", "zip", etc.). You may also use ClamAV type names such as "CL_TYPE_PE". ClamAV will ignore the hint if it is not familiar with the specified type. See also: https://docs.clamav.net/appendix/FileTypes.html#file-types
>>      *   --log-file-type: Print the file type after each file scanned.
>>   *
>> libclamav: Added new scan functions that provide additional functionality:
>>
>> cl_error_t cl_scanfile_ex(
>>     const char *filename,
>>     cl_verdict_t *verdict_out,
>>     const char **last_alert_out,
>>     uint64_t *scanned_out,
>>     const struct cl_engine *engine,
>>     struct cl_scan_options *scanoptions,
>>     void *context,
>>     const char *hash_hint,
>>     char **hash_out,
>>     const char *hash_alg,
>>     const char *file_type_hint,
>>     char **file_type_out);
>>
>> cl_error_t cl_scandesc_ex(
>>     int desc,
>>     const char *filename,
>>     cl_verdict_t *verdict_out,
>>     const char **last_alert_out,
>>     uint64_t *scanned_out,
>>     const struct cl_engine *engine,
>>     struct cl_scan_options *scanoptions,
>>     void *context,
>>     const char *hash_hint,
>>     char **hash_out,
>>     const char *hash_alg,
>>     const char *file_type_hint,
>>     char **file_type_out);
>>
>> cl_error_t cl_scanmap_ex(
>>     cl_fmap_t *map,
>>     const char *filename,
>>     cl_verdict_t *verdict_out,
>>     const char **last_alert_out,
>>     uint64_t *scanned_out,
>>     const struct cl_engine *engine,
>>     struct cl_scan_options *scanoptions,
>>     void *context,
>>     const char *hash_hint,
>>     char **hash_out,
>>     const char *hash_alg,
>>     const char *file_type_hint,
>>     char **file_type_out);
>>
>> The older cl_scan*() functions are now deprecated and may be removed in a future release. See clamav.h for more details.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>   *
>> libclamav: Added a new engine option to toggle temp directory recursion.
>> Temp directory recursion is the idea that each object scanned in ClamAV's recursive extract/scan process will get a new temp subdirectory, mimicking the nesting structure of the file.
>> Temp directory recursion was introduced in ClamAV 0.103 and is enabled whenever --leave-temps / LeaveTemporaryFiles is enabled.
>> In ClamAV 1.5, an application linking to libclamav can separately enable temp directory recursion if they wish. For ClamScan and ClamD, it will remain tied to --leave-temps / LeaveTemporaryFiles options.
>> The new temp directory recursion option can be enabled with:
>>
>> cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1);
>>
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>   *
>> libclamav: Added a class of scan callback functions that can be added with the following API function:
>>
>> void cl_engine_set_scan_callback(struct cl_engine *engine, clcb_scan callback, cl_scan_callback_t location);
>>
>> The scan callback location may be configured using the following five values:
>> Each callback may alter scan behavior using the following return codes:
>> Each callback is given a pointer to the current scan layer from which they can get previous layers, can get the layer's fmap, and then various attributes of the layer and of the fmap. To make this possible, there are new APIs to query scan-layer details and fmap details:
>>
>>   cl_error_t cl_fmap_set_name(cl_fmap_t *map, const char *name);
>>   cl_error_t cl_fmap_get_name(cl_fmap_t *map, const char **name_out);
>>   cl_error_t cl_fmap_set_path(cl_fmap_t *map, const char *path);
>>   cl_error_t cl_fmap_get_path(cl_fmap_t *map, const char **path_out, size_t *offset_out, size_t *len_out);
>>   cl_error_t cl_fmap_get_fd(const cl_fmap_t *map, int *fd_out, size_t *offset_out, size_t *len_out);
>>   cl_error_t cl_fmap_get_size(const cl_fmap_t *map, size_t *size_out);
>>   cl_error_t cl_fmap_set_hash(const cl_fmap_t *map, const char *hash_alg, char hash);
>>   cl_error_t cl_fmap_have_hash(const cl_fmap_t *map, const char *hash_alg, bool *have_hash_out);
>>   cl_error_t cl_fmap_will_need_hash_later(const cl_fmap_t *map, const char *hash_alg);
>>   cl_error_t cl_fmap_get_hash(const cl_fmap_t *map, const char *hash_alg, char **hash_out);
>>   cl_error_t cl_fmap_get_data(const cl_fmap_t *map, size_t offset, size_t len, const uint8_t **data_out, size_t *data_len_out);
>>   cl_error_t cl_scan_layer_get_fmap(cl_scan_layer_t *layer, cl_fmap_t **fmap_out);
>>   cl_error_t cl_scan_layer_get_parent_layer(cl_scan_layer_t *layer, cl_scan_layer_t **parent_layer_out);
>>   cl_error_t cl_scan_layer_get_type(cl_scan_layer_t *layer, const char **type_out);
>>   cl_error_t cl_scan_layer_get_recursion_level(cl_scan_layer_t *layer, uint32_t *recursion_level_out);
>>   cl_error_t cl_scan_layer_get_object_id(cl_scan_layer_t *layer, uint64_t *object_id_out);
>>   cl_error_t cl_scan_layer_get_last_alert(cl_scan_layer_t *layer, const char **alert_name_out);
>>   cl_error_t cl_scan_layer_get_attributes(cl_scan_layer_t *layer, uint32_t *attributes_out);
>>
>> This deprecates, but does not immediately remove, the existing scan callbacks:
>>
>>   void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cache callback);
>>   void cl_engine_set_clcb_file_inspection(struct cl_engine *engine, clcb_file_inspection callback);
>>   void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan callback);
>>   void cl_engine_set_clcb_post_scan(struct cl_engine *engine, clcb_post_scan callback);
>>   void cl_engine_set_clcb_virus_found(struct cl_engine *engine, clcb_virus_found callback);
>>   void cl_engine_set_clcb_hash(struct cl_engine *engine, clcb_hash callback);
>>
>> There is an interactive test program to demonstrate the new callbacks. See: examples/ex_scan_callbacks.c
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>      *   CL_SCAN_CALLBACK_PRE_HASH: Occurs just after basic file-type detection and before any hashes have been calculated either for the cache or the gen-json metadata.
>>      *   CL_SCAN_CALLBACK_PRE_SCAN: Occurs before parser modules run and before pattern matching.
>>      *   CL_SCAN_CALLBACK_POST_SCAN: Occurs after pattern matching and after running parser modules. A.k.a. the scan is complete for this layer.
>>      *   CL_SCAN_CALLBACK_ALERT: Occurs each time an alert (detection) would be triggered during a scan.
>>      *   CL_SCAN_CALLBACK_FILE_TYPE: Occurs each time the file type determination is refined. This may happen more than once per layer.
>>      *
>> CL_BREAK: Scan aborted by callback. The rest of the scan is skipped. This does not mark the file as clean or infected, it just skips the rest of the scan.
>>      *
>> CL_SUCCESS / CL_CLEAN: File scan will continue.
>> For CL_SCAN_CALLBACK_ALERT: This means you want to ignore this specific alert and keep scanning.
>> This is different than CL_VERIFIED because it does not affect prior or future alerts. Return CL_VERIFIED instead if you want to remove prior alerts for this layer and skip the rest of the scan for this layer.
>>      *
>> CL_VIRUS: This means you do not trust the file. A new alert will be added.
>> For CL_SCAN_CALLBACK_ALERT: This means you agree with the alert and no extra alert is needed.
>>      *
>> CL_VERIFIED: Layer explicitly trusted by the callback and previous alerts removed for THIS layer. You might want to do this if you trust the hash or verified a digital signature. The rest of the scan will be skipped for THIS layer. For contained files, this does NOT mean that the parent or adjacent layers are trusted.
>>   *
>> Signature names that start with "Weak." will no longer alert. Instead, they will be tracked internally and can be found in scan metadata JSON. This is a step towards enabling alerting signatures to depend on prior Weak indicator matches in the current layer or in child layers.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>   *
>> For the "Generate Metadata JSON" feature:
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>      *
>> The "Viruses" array of alert names has been replaced by two new arrays that include additional details beyond just signature name:
>>         *   "Indicators" records three types of indicators:
>>            *   Strong indicators are for traditional alerting signature matches and will halt the scan, except in all-match mode.
>>            *   Potentially Unwanted indicators will only cause an alert at the end of the scan unless a Strong indicator is found. They are treated the same as Strong indicators in all-match mode.
>>            *   Weak indicators do not alert and will be leveraged in a future version as a condition for logical signature matches.
>>         *   "Alerts" records only alerting indicators. Events that trust a file, such as false positive signatures, will remove affected indicators, and mark them as "Ignored" in the "Indicators" array.
>>      *
>> Add new option to calculate and record additional hash types when the "generate metadata JSON" feature is enabled:
>>         *   libclamav option: CL_SCAN_GENERAL_STORE_EXTRA_HASHES
>>         *   ClamScan option: --json-store-extra-hashes (default off)
>>         *   clamd.conf option: JsonStoreExtraHashes (default 'no')
>>      *
>> The file hash is now stored as "sha2-256" instead of "FileMD5". If you enable the "extra hashes" option, then it will also record "md5" and "sha1".
>>      *
>> Each object scanned now has a unique "Object ID".
>>   *
>> Sigtool: Renamed the sigtool option --sha256 to --sha2-256. The original option is still functional but is deprecated.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>
>> Other improvements
>>
>>   *
>> Set a limit on the max-recursion config option. Users will no longer be able to set max-recursion higher than 100. This change prevents errors on start up or crashes if encountering a file with that many layers of recursion.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1264>
>>   *
>> Build system: CMake improvements to support compiling for the AIX platform. This change is courtesy of GitHub user KamathForAIX.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1387>
>>   *
>> Improve support for extracting malformed zip archives. This change is courtesy of Frederick Sell.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1460>
>>   *
>> Windows: Code quality improvement for the ClamScan and ClamDScan --move and --remove options. This change is courtesy of Maxim Suhanov.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1470>
>>   *
>> Added file type recognition for an initial set of AI model file types.
>> The file type is accessible to applications using libclamav via the scan callback functions and as an optional output parameter to the scan functions: cl_scanfile_ex(), cl_scanmap_ex(), and cl_scandesc_ex().
>> When scanning these files, type will now show "CL_TYPE_AI_MODEL" instead of "CL_TYPE_BINARY_DATA".
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1476>
>>   *
>> Added support for inline comments in ClamAV configuration files. This change is courtesy of GitHub user userwiths.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1308>
>>   *
>> Disabled the MyDoom hardcoded/heuristic detection because of false positives.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1495>
>>   *
>> Sigtool: Added support for creating .cdiff and .script patch files for CVDs that have underscores in the CVD name. Also improved support for relative paths with the --diff command.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1541>
>>   *
>> Windows: Improved support for file names with UTF-8 characters not found in the ANSI or OEM code pages when printing scan results or showing activity in the ClamDTOP monitoring utility. Fixed a bug with opening files with such names with the Sigtool utility.
>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1461>
>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1537>
>>   *
>> Improved the code quality of the ZIP module. Added inline documentation.
>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1548>
>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1552>
>>   *
>> Always run scan callbacks for embedded files. Embedded files are found within other files through signature matches instead of by parsing. They will now be processed the same way and then they can trigger application callbacks (e.g., "pre-scan", "post-scan", etc.).
>> A consequence of this change is that each embedded file will be pattern- matched just like any other extracted file. To minimize excessive pattern matching, file header validation checks were added for ZIP, ARJ, and CAB. Also fixed a bug with embedded PE file scanning to reduce unnecessary matching.
>> This change will impact scans with both the "leave-temps" feature and the "force-to-disk" feature enabled, resulting in additional temporary files.
>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1532>
>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1571>
>>   *
>> Added DevContainer templates to the ClamAV Git repository in order to make it easier to set up AlmaLinux or Debian development environments.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1462>
>>   *
>> Removed the "Heuristics.XZ.DicSizeLimit" alert because of potential unintended alerts based on system state.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1573>
>>   *
>> Improved support for compiling on Solaris.
>> This fix courtesy of Andrew Watkins.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1569>
>>   *
>> Improved support for compiling on GNU/Hurd.
>> This fix courtesy of Pino Toscano.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1569>
>>   *
>> Improved support for linking with the NCurses library dependency when libtinfo is built as a separate library.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1356>
>>
>> Bug fixes
>>
>>   *
>> Reduced email multipart message parser complexity.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1347>
>>   *
>> Fixed possible undefined behavior in inflate64 module. The inflate64 module is a modified version of the zlib library, taken from version 1.2.3 with some customization and with some cherry-picked fixes. This adds one additional fix from zlib 1.2.9. Thank you to TITAN Team for reporting this issue.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1469>
>>   *
>> Fixed a bug in ClamD that broke reporting of memory usage on Linux. The STATS command can be used to monitor ClamD directly or through ClamDTOP. The memory stats feature does not work on all platforms (e.g., Windows).
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1465>
>>   *
>> Windows: Fixed a build issue when the same library dependency is found in two different locations.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1453>
>>   *
>> Fixed an infinite loop when scanning some email files in debug-mode. This fix is courtesy of Yoann Lecuyer.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1445>
>>   *
>> Fixed a stack buffer overflow bug in the phishing signature load process. This fix is courtesy of GitHub user Shivam7-1.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1486>
>>   *
>> Fixed a race condition in the Freshclam feature tests. This fix is courtesy of GitHub user rma-x.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1513>
>>   *
>> Windows: Fixed a 5-byte heap buffer overread in the Windows unit tests. This fix is courtesy of GitHub user Sophie0x2E.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1542>
>>   *
>> Fix double-extraction of OOXML-based office documents.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>   *
>> ClamBC: Fixed crashes on startup.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>   *
>> Fixed an assortment of issues found with Coverity static analysis.
>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1574>
>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1582>
>>   *
>> Fixed libclamav unit test, ClamD, and ClamDScan Valgrind test failures affecting some platforms.
>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1554>
>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1570>
>>   *
>> Fixed crash in the Sigtool program when using the --html-normalize option.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1556>
>>   *
>> Fixed some potential NULL-pointer dereference issues if memory allocations fail.
>> Fix courtesy of GitHub user JiangJias.
>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1581>
>>
>> Tested-by: Adolf Belka <adolf.belka@ipfire.org>
>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>> ---
>> config/rootfiles/packages/clamav | 15 ++++++------
>> lfs/clamav                       | 39 ++++++++++++++++----------------
>> 2 files changed, 28 insertions(+), 26 deletions(-)
>>
>> diff --git a/config/rootfiles/packages/clamav b/config/rootfiles/packages/clamav
>> index d5495e4b7..43c5585d9 100644
>> --- a/config/rootfiles/packages/clamav
>> +++ b/config/rootfiles/packages/clamav
>> @@ -1,3 +1,6 @@
>> +etc/clamav
>> +etc/clamav/certs
>> +etc/clamav/certs/clamav.crt
>> etc/rc.d/init.d/clamav
>> usr/bin/clamav-config
>> usr/bin/clambc
>> @@ -14,20 +17,20 @@ usr/bin/sigtool
>> #usr/include/libfreshclam.h
>> usr/lib/libclamav.so
>> usr/lib/libclamav.so.12
>> -usr/lib/libclamav.so.12.0.3
>> +usr/lib/libclamav.so.12.1.0
>> #usr/lib/libclamav_rust.a
>> usr/lib/libclammspack.so
>> usr/lib/libclammspack.so.0
>> usr/lib/libclammspack.so.0.8.0
>> usr/lib/libclamunrar.so
>> usr/lib/libclamunrar.so.12
>> -usr/lib/libclamunrar.so.12.0.3
>> +usr/lib/libclamunrar.so.12.1.0
>> usr/lib/libclamunrar_iface.so
>> usr/lib/libclamunrar_iface.so.12
>> -usr/lib/libclamunrar_iface.so.12.0.3
>> +usr/lib/libclamunrar_iface.so.12.1.0
>> usr/lib/libfreshclam.so
>> -usr/lib/libfreshclam.so.3
>> -usr/lib/libfreshclam.so.3.0.2
>> +usr/lib/libfreshclam.so.4
>> +usr/lib/libfreshclam.so.4.0.0
>> #usr/lib/pkgconfig/libclamav.pc
>> usr/sbin/clamd
>> #usr/share/doc/ClamAV
>> @@ -133,7 +136,6 @@ usr/sbin/clamd
>> #usr/share/doc/ClamAV/html/manual/Installing/Add-clamav-user.html
>> #usr/share/doc/ClamAV/html/manual/Installing/Community-projects.html
>> #usr/share/doc/ClamAV/html/manual/Installing/Docker.html
>> -#usr/share/doc/ClamAV/html/manual/Installing/Installing-from-source-Unix-old.html
>> #usr/share/doc/ClamAV/html/manual/Installing/Installing-from-source-Unix.html
>> #usr/share/doc/ClamAV/html/manual/Installing/Installing-from-source-Windows.html
>> #usr/share/doc/ClamAV/html/manual/Installing/Packages.html
>> @@ -168,7 +170,6 @@ usr/sbin/clamd
>> #usr/share/doc/ClamAV/html/print.html
>> #usr/share/doc/ClamAV/html/searcher.js
>> #usr/share/doc/ClamAV/html/searchindex.js
>> -#usr/share/doc/ClamAV/html/searchindex.json
>> #usr/share/doc/ClamAV/html/sitemap.xml
>> #usr/share/doc/ClamAV/html/theme-dawn.js
>> #usr/share/doc/ClamAV/html/theme-tomorrow_night.js
>> diff --git a/lfs/clamav b/lfs/clamav
>> index 254da1281..1d4d0ba8b 100644
>> --- a/lfs/clamav
>> +++ b/lfs/clamav
>> @@ -1,7 +1,7 @@
>> ###############################################################################
>> #                                                                             #
>> # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
>> +# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
>> #                                                                             #
>> # This program is free software: you can redistribute it and/or modify        #
>> # it under the terms of the GNU General Public License as published by        #
>> @@ -26,7 +26,7 @@ include Config
>>
>> SUMMARY    = Antivirus Toolkit
>>
>> -VER        = 1.4.3
>> +VER        = 1.5.1
>>
>> THISAPP    = clamav-$(VER)
>> DL_FILE    = $(THISAPP).tar.gz
>> @@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
>> DIR_APP    = $(DIR_SRC)/$(THISAPP)
>> TARGET     = $(DIR_INFO)/$(THISAPP)
>> PROG       = clamav
>> -PAK_VER    = 80
>> +PAK_VER    = 81
>>
>> DEPS       =
>>
>> @@ -50,7 +50,7 @@ objects = $(DL_FILE)
>>
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>
>> -$(DL_FILE)_BLAKE2 = 144be77e7104ebf78482c9efc411a4a168bb4ea3ad18abb237e7bcc1f5cf3e2c10d5478a54d9dc0d82b028c923065bc614cd535fd4f67fb1e73f5fe1c6425861
>> +$(DL_FILE)_BLAKE2 = d6fd0885ea2864b0fecf040d6b0a088b8d9ad05a555697eab6c999b4a8b3d14bc2ee0968ef4dcb3f3b56d8361faecb98afa5ff4ffbb843cf1bf221a4e27a4496
>>
>>
>> install : $(TARGET)
>> @@ -87,21 +87,22 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>
>> cd $(DIR_APP) && mkdir -pv build
>> cd $(DIR_APP)/build && cmake .. -G Ninja \
>> - -DCMAKE_BUILD_TYPE=Release \
>> - -DCMAKE_INSTALL_PREFIX=/usr \
>> - -DCMAKE_INSTALL_LIBDIR=/usr/lib \
>> - -DOPTIMIZE=ON \
>> - -DBYTECODE_RUNTIME="interpreter" \
>> - -DENABLE_TESTS=OFF \
>> - -DENABLE_CLAMONACC=OFF \
>> - -DENABLE_MILTER=OFF \
>> - -DENABLE_MAN_PAGES=OFF \
>> - -DENABLE_EXTERNAL_MSPACK=OFF \
>> - -DENABLE_FRESHCLAM_DNS_FIX=ON \
>> - -DENABLE_SYSTEMD=OFF \
>> - -DAPP_CONFIG_DIRECTORY=/var/ipfire/clamav \
>> - -DCURSES_LIBRARY=/usr/lib/libncurses.so \
>> - -DDATABASE_DIRECTORY=$(DATABASE_DIR)
>> + -D CMAKE_BUILD_TYPE=Release \
>> + -D CMAKE_INSTALL_PREFIX=/usr \
>> + -D CMAKE_INSTALL_LIBDIR=/usr/lib \
>> + -D CVD_CERTS_DIRECTORY=/etc/clamav/certs \
>> + -D OPTIMIZE=ON \
>> + -D BYTECODE_RUNTIME="interpreter" \
>> + -D ENABLE_TESTS=OFF \
>> + -D ENABLE_CLAMONACC=OFF \
>> + -D ENABLE_MILTER=OFF \
>> + -D ENABLE_MAN_PAGES=OFF \
>> + -D ENABLE_EXTERNAL_MSPACK=OFF \
>> + -D ENABLE_FRESHCLAM_DNS_FIX=ON \
>> + -D ENABLE_SYSTEMD=OFF \
>> + -D APP_CONFIG_DIRECTORY=/var/ipfire/clamav \
>> + -D CURSES_LIBRARY=/usr/lib/libncurses.so \
>> + -D DATABASE_DIRECTORY=$(DATABASE_DIR)
>> cd $(DIR_APP)/build && ninja $(MAKETUNING) && ninja install
>>
>> mkdir -pv $(DATABASE_DIR)
>> -- 
>> 2.52.0
>>
>>
>
  

Hello Adolf,

It was me in this commit:

  https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=934a30f84f8b3e2b659f5c6d76ca6177186da6e3

I wanted to avoid pushing too many times today because the builders would takes ages to build multiple builds and I was hoping to be able to verify the Rust/Suricata changes as soon as possible.

-Michael

> On 23 Jan 2026, at 17:06, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi Michael,
> 
> On 23/01/2026 15:57, Michael Tremer wrote:
>> Hello Adolf,
>> Thank you very much for the patch.
>> It did however not apply cleanly because I increased the release number earlier in next when Stefan submitted a new version of Rust. So you might not see this one as accepted on Patchwork.
>> I pushed another commit to increase the release once again, although nobody should have seen version 81 anywhere.
> 
> I had seen that the clamav version had been bumped and wondered why.
> 
> I did my build of clamav 3 or 4 days ago and have been testing it since then to try and make sure that I minimise the chances of having another clamav update problem as we had with CU199. Of course it would have helped if somebody had tested out clamav during the Testing phase.
> 
> Hopefully some actual user will test it out in CU200 Testing.
> 
> Regards,
> 
> Adolf.
> 
>> All the best,
>> -Michael
>>> On 23 Jan 2026, at 13:59, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>> 
>>> - Update from version 1.4.3 to 1.5.1
>>> - Update of rootfile
>>> - From version 1.5.0 clamav added signing/verification of the signature file downloads
>>>   with external .sign files. -D CVD_CERTS_DIRECTORY=/etc/clamav/certs has been added
>>>   as a build option to create the certs directory and to install the clamav.crt file
>>> - Tested out the execution of this version on a vm testbed. The .sign files were
>>>   correctly downloaded and the databases approved. This was also the case with a
>>>   reboot. This was where users had a problem with the version relaesed in CU199 after
>>>   they had manually created a directory.
>>> - Changelog
>>> 1.5.1
>>> ClamAV 1.5.1 is a patch release with the following fixes:
>>> 
>>>  *
>>> Fixed a significant performance issue when scanning some PE files
>>>  *
>>> Fixed an issue recording file entries from a ZIP archive central directory which resulted in "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the ClamScan --alert-exceeds-max command line option or ClamD AlertExceedsMax config file option
>>>  *
>>> Improved performance when scanning TNEF email attachments
>>>  *
>>> Fixed an issue with recording metadata for OOXML office documents
>>>  *
>>> Fixed an issue with signature matches for VBA in OLE2 office documents
>>>  *
>>> Loosened overly restrictive rules for embedded file identification and increased the limit for finding PE files embedded in other PE files
>>>  *
>>> Fixed an issue with extracting some RAR archives embedded in other files
>>>  *
>>> Fixed an issue with calculating fuzzy hashes affecting some images by updating the version for several Rust library dependencies
>>>     *   This release does not require a newer version of the Rust compiler toolchain than what was required for ClamAV 1.5.0
>>> 
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1606>
>>> 
>>> 1.5.0
>>> Major changes
>>> 
>>>  *
>>> Added checks to determine if an OLE2-based Microsoft Office document is encrypted.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1295>
>>>  *
>>> Added the ability to record URIs found in HTML if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record HTML URIs. The ClamScan command-line option is --json-store-html-uris=no. The clamd.conf config option is JsonStoreHTMLURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_HTML_URIS
>>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1281>
>>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1482>
>>> GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1514>
>>>  *
>>> Added the ability to record URIs found in PDFs if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record PDF URIs. The ClamScan command-line option is --json-store-pdf-uris=no. The clamd.conf config option is JsonStorePDFURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_PDF_URIS
>>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1482>
>>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1514>
>>> GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1559>
>>> GitHub pull request #4<https://github.com/Cisco-Talos/clamav/pull/1572>
>>>  *
>>> Added regex support for the clamd.conf OnAccessExcludePath config option. This change courtesy of GitHub user b1tg.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1314>
>>>  *
>>> Added CVD signing/verification with external .sign files.
>>> Freshclam will now attempt to download external signature files to accompany existing .cvd databases and .cdiff patch files. Sigtool now has commands to sign and verify using the external signatures.
>>> ClamAV now installs a 'certs' directory in the app config directory (e.g., <prefix>/etc/certs). The install path is configurable. The CMake option to configure the CVD certs directory is -D CVD_CERTS_DIRECTORY=PATH
>>> New options to set an alternative CVD certs directory:
>>> Added two new APIs to the public clamav.h header:
>>> 
>>> cl_error_t cl_cvdverify_ex(
>>>    const char *file,
>>>    const char *certs_directory,
>>>    uint32_t dboptions);
>>> 
>>> cl_error_t cl_cvdunpack_ex(
>>>    const char *file,
>>>    const char *dir,
>>>    const char *certs_directory,
>>>    uint32_t dboptions);
>>> 
>>> The original cl_cvdverify and cl_cvdunpack are deprecated.
>>> Added a cl_engine_field enum option CL_ENGINE_CVDCERTSDIR. You may set this option with cl_engine_set_str and get it with cl_engine_get_str, to override the compiled in default CVD certs directory.
>>> Thank you to Mark Carey at SAP for inspiring work on this feature with an initial proof of concept for external-signature FIPS compliant CVD signing.
>>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1417>
>>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1478>
>>> GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1489>
>>> GitHub pull request #4<https://github.com/Cisco-Talos/clamav/pull/1491>
>>>     *   The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is --cvdcertsdir PATH
>>>     *   The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is CVD_CERTS_DIR
>>>     *   The config option for Freshclam and ClamD is CVDCertsDirectory PATH
>>>  *
>>> Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like limits disabling MD5 and SHA1 from being used for verifying digital signatures or for being used to trust a file when checking for false positives (FPs).
>>> For freshclam.conf and clamd.conf set this config option:
>>> 
>>> FIPSCryptoHashLimits yes
>>> 
>>> For clamscan and sigtool use this command-line option:
>>> 
>>> --fips-limits
>>> 
>>> For libclamav: Enable FIPS-limits for a ClamAV engine like this:
>>> 
>>> cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1);
>>> 
>>> ClamAV will also attempt to detect if FIPS-mode is enabled. If so, it will automatically enable the FIPS-limits feature.
>>> This change mitigates safety concerns over the use of MD5 and SHA1 algorithms to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments.
>>> Note: ClamAV may still calculate MD5 or SHA1 hashes as needed for detection purposes or for informational purposes in FIPS-enabled environments and when the FIPS-limits option is enabled.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>>  *
>>> Upgraded the clean-file scan cache to use SHA2-256 (prior versions use MD5). The clean-file cache algorithm is not configurable.
>>> This change resolves safety concerns over the use of MD5 to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments.
>>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1532>
>>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1560>
>>>  *
>>> ClamD: Added an option to disable select administrative commands including SHUTDOWN, RELOAD, STATS and VERSION.
>>> The new clamd.conf options are:
>>> 
>>> EnableShutdownCommand yes
>>> EnableReloadCommand yes
>>> EnableStatsCommand yes
>>> EnableVersionCommand yes
>>> 
>>> This change courtesy of GitHub user ChaoticByte.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1502>
>>>  *
>>> libclamav: Added extended hashing functions with a "flags" parameter that allows the caller to choose if they want to bypass FIPS hash algorithm limits:
>>> 
>>> cl_error_t cl_hash_data_ex(
>>>    const char *alg,
>>>    const uint8_t *data,
>>>    size_t data_len,
>>>    uint8_t **hash,
>>>    size_t *hash_len,
>>>    uint32_t flags);
>>> 
>>> cl_error_t cl_hash_init_ex(
>>>    const char *alg,
>>>    uint32_t flags,
>>>    cl_hash_ctx_t **ctx_out);
>>> 
>>> cl_error_t cl_update_hash_ex(
>>>    cl_hash_ctx_t *ctx,
>>>    const uint8_t *data,
>>>    size_t length);
>>> 
>>> cl_error_t cl_finish_hash_ex(
>>>    cl_hash_ctx_t *ctx,
>>>    uint8_t **hash,
>>>    size_t *hash_len,
>>>    uint32_t flags);
>>> 
>>> void cl_hash_destroy(void *ctx);
>>> 
>>> cl_error_t cl_hash_file_fd_ex(
>>>    const char *alg,
>>>    int fd,
>>>    size_t offset,
>>>    size_t length,
>>>    uint8_t **hash,
>>>    size_t *hash_len,
>>>    uint32_t flags);
>>> 
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>>  *
>>> ClamScan: Improved the precision of the bytes-scanned and bytes-read counters. The ClamScan scan summary will now report exact counts in "GiB", "MiB", "KiB", or "B" as appropriate. Previously, it always reported "MB".
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>>  *
>>> ClamScan: Add hash & file-type in/out CLI options:
>>> We will not be adding this for ClamDScan, as we do not have a mechanism in the ClamD socket API to receive scan options or a way for ClamD to include scan metadata in the response.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>>     *   --hash-hint: The file hash so that libclamav does not need to calculate it. The type of hash must match the --hash-alg.
>>>     *   --log-hash: Print the file hash after each file scanned. The type of hash printed will match the --hash-alg.
>>>     *   --hash-alg: The hashing algorithm used for either --hash-hint or --log-hash. Supported algorithms are "md5", "sha1", "sha2-256". If not specified, the default is "sha2-256".
>>>     *   --file-type-hint: The file type hint so that libclamav can optimize scanning (e.g., "pe", "elf", "zip", etc.). You may also use ClamAV type names such as "CL_TYPE_PE". ClamAV will ignore the hint if it is not familiar with the specified type. See also: https://docs.clamav.net/appendix/FileTypes.html#file-types
>>>     *   --log-file-type: Print the file type after each file scanned.
>>>  *
>>> libclamav: Added new scan functions that provide additional functionality:
>>> 
>>> cl_error_t cl_scanfile_ex(
>>>    const char *filename,
>>>    cl_verdict_t *verdict_out,
>>>    const char **last_alert_out,
>>>    uint64_t *scanned_out,
>>>    const struct cl_engine *engine,
>>>    struct cl_scan_options *scanoptions,
>>>    void *context,
>>>    const char *hash_hint,
>>>    char **hash_out,
>>>    const char *hash_alg,
>>>    const char *file_type_hint,
>>>    char **file_type_out);
>>> 
>>> cl_error_t cl_scandesc_ex(
>>>    int desc,
>>>    const char *filename,
>>>    cl_verdict_t *verdict_out,
>>>    const char **last_alert_out,
>>>    uint64_t *scanned_out,
>>>    const struct cl_engine *engine,
>>>    struct cl_scan_options *scanoptions,
>>>    void *context,
>>>    const char *hash_hint,
>>>    char **hash_out,
>>>    const char *hash_alg,
>>>    const char *file_type_hint,
>>>    char **file_type_out);
>>> 
>>> cl_error_t cl_scanmap_ex(
>>>    cl_fmap_t *map,
>>>    const char *filename,
>>>    cl_verdict_t *verdict_out,
>>>    const char **last_alert_out,
>>>    uint64_t *scanned_out,
>>>    const struct cl_engine *engine,
>>>    struct cl_scan_options *scanoptions,
>>>    void *context,
>>>    const char *hash_hint,
>>>    char **hash_out,
>>>    const char *hash_alg,
>>>    const char *file_type_hint,
>>>    char **file_type_out);
>>> 
>>> The older cl_scan*() functions are now deprecated and may be removed in a future release. See clamav.h for more details.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>>  *
>>> libclamav: Added a new engine option to toggle temp directory recursion.
>>> Temp directory recursion is the idea that each object scanned in ClamAV's recursive extract/scan process will get a new temp subdirectory, mimicking the nesting structure of the file.
>>> Temp directory recursion was introduced in ClamAV 0.103 and is enabled whenever --leave-temps / LeaveTemporaryFiles is enabled.
>>> In ClamAV 1.5, an application linking to libclamav can separately enable temp directory recursion if they wish. For ClamScan and ClamD, it will remain tied to --leave-temps / LeaveTemporaryFiles options.
>>> The new temp directory recursion option can be enabled with:
>>> 
>>> cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1);
>>> 
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>>  *
>>> libclamav: Added a class of scan callback functions that can be added with the following API function:
>>> 
>>> void cl_engine_set_scan_callback(struct cl_engine *engine, clcb_scan callback, cl_scan_callback_t location);
>>> 
>>> The scan callback location may be configured using the following five values:
>>> Each callback may alter scan behavior using the following return codes:
>>> Each callback is given a pointer to the current scan layer from which they can get previous layers, can get the layer's fmap, and then various attributes of the layer and of the fmap. To make this possible, there are new APIs to query scan-layer details and fmap details:
>>> 
>>>  cl_error_t cl_fmap_set_name(cl_fmap_t *map, const char *name);
>>>  cl_error_t cl_fmap_get_name(cl_fmap_t *map, const char **name_out);
>>>  cl_error_t cl_fmap_set_path(cl_fmap_t *map, const char *path);
>>>  cl_error_t cl_fmap_get_path(cl_fmap_t *map, const char **path_out, size_t *offset_out, size_t *len_out);
>>>  cl_error_t cl_fmap_get_fd(const cl_fmap_t *map, int *fd_out, size_t *offset_out, size_t *len_out);
>>>  cl_error_t cl_fmap_get_size(const cl_fmap_t *map, size_t *size_out);
>>>  cl_error_t cl_fmap_set_hash(const cl_fmap_t *map, const char *hash_alg, char hash);
>>>  cl_error_t cl_fmap_have_hash(const cl_fmap_t *map, const char *hash_alg, bool *have_hash_out);
>>>  cl_error_t cl_fmap_will_need_hash_later(const cl_fmap_t *map, const char *hash_alg);
>>>  cl_error_t cl_fmap_get_hash(const cl_fmap_t *map, const char *hash_alg, char **hash_out);
>>>  cl_error_t cl_fmap_get_data(const cl_fmap_t *map, size_t offset, size_t len, const uint8_t **data_out, size_t *data_len_out);
>>>  cl_error_t cl_scan_layer_get_fmap(cl_scan_layer_t *layer, cl_fmap_t **fmap_out);
>>>  cl_error_t cl_scan_layer_get_parent_layer(cl_scan_layer_t *layer, cl_scan_layer_t **parent_layer_out);
>>>  cl_error_t cl_scan_layer_get_type(cl_scan_layer_t *layer, const char **type_out);
>>>  cl_error_t cl_scan_layer_get_recursion_level(cl_scan_layer_t *layer, uint32_t *recursion_level_out);
>>>  cl_error_t cl_scan_layer_get_object_id(cl_scan_layer_t *layer, uint64_t *object_id_out);
>>>  cl_error_t cl_scan_layer_get_last_alert(cl_scan_layer_t *layer, const char **alert_name_out);
>>>  cl_error_t cl_scan_layer_get_attributes(cl_scan_layer_t *layer, uint32_t *attributes_out);
>>> 
>>> This deprecates, but does not immediately remove, the existing scan callbacks:
>>> 
>>>  void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cache callback);
>>>  void cl_engine_set_clcb_file_inspection(struct cl_engine *engine, clcb_file_inspection callback);
>>>  void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan callback);
>>>  void cl_engine_set_clcb_post_scan(struct cl_engine *engine, clcb_post_scan callback);
>>>  void cl_engine_set_clcb_virus_found(struct cl_engine *engine, clcb_virus_found callback);
>>>  void cl_engine_set_clcb_hash(struct cl_engine *engine, clcb_hash callback);
>>> 
>>> There is an interactive test program to demonstrate the new callbacks. See: examples/ex_scan_callbacks.c
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>>     *   CL_SCAN_CALLBACK_PRE_HASH: Occurs just after basic file-type detection and before any hashes have been calculated either for the cache or the gen-json metadata.
>>>     *   CL_SCAN_CALLBACK_PRE_SCAN: Occurs before parser modules run and before pattern matching.
>>>     *   CL_SCAN_CALLBACK_POST_SCAN: Occurs after pattern matching and after running parser modules. A.k.a. the scan is complete for this layer.
>>>     *   CL_SCAN_CALLBACK_ALERT: Occurs each time an alert (detection) would be triggered during a scan.
>>>     *   CL_SCAN_CALLBACK_FILE_TYPE: Occurs each time the file type determination is refined. This may happen more than once per layer.
>>>     *
>>> CL_BREAK: Scan aborted by callback. The rest of the scan is skipped. This does not mark the file as clean or infected, it just skips the rest of the scan.
>>>     *
>>> CL_SUCCESS / CL_CLEAN: File scan will continue.
>>> For CL_SCAN_CALLBACK_ALERT: This means you want to ignore this specific alert and keep scanning.
>>> This is different than CL_VERIFIED because it does not affect prior or future alerts. Return CL_VERIFIED instead if you want to remove prior alerts for this layer and skip the rest of the scan for this layer.
>>>     *
>>> CL_VIRUS: This means you do not trust the file. A new alert will be added.
>>> For CL_SCAN_CALLBACK_ALERT: This means you agree with the alert and no extra alert is needed.
>>>     *
>>> CL_VERIFIED: Layer explicitly trusted by the callback and previous alerts removed for THIS layer. You might want to do this if you trust the hash or verified a digital signature. The rest of the scan will be skipped for THIS layer. For contained files, this does NOT mean that the parent or adjacent layers are trusted.
>>>  *
>>> Signature names that start with "Weak." will no longer alert. Instead, they will be tracked internally and can be found in scan metadata JSON. This is a step towards enabling alerting signatures to depend on prior Weak indicator matches in the current layer or in child layers.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>>  *
>>> For the "Generate Metadata JSON" feature:
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>>     *
>>> The "Viruses" array of alert names has been replaced by two new arrays that include additional details beyond just signature name:
>>>        *   "Indicators" records three types of indicators:
>>>           *   Strong indicators are for traditional alerting signature matches and will halt the scan, except in all-match mode.
>>>           *   Potentially Unwanted indicators will only cause an alert at the end of the scan unless a Strong indicator is found. They are treated the same as Strong indicators in all-match mode.
>>>           *   Weak indicators do not alert and will be leveraged in a future version as a condition for logical signature matches.
>>>        *   "Alerts" records only alerting indicators. Events that trust a file, such as false positive signatures, will remove affected indicators, and mark them as "Ignored" in the "Indicators" array.
>>>     *
>>> Add new option to calculate and record additional hash types when the "generate metadata JSON" feature is enabled:
>>>        *   libclamav option: CL_SCAN_GENERAL_STORE_EXTRA_HASHES
>>>        *   ClamScan option: --json-store-extra-hashes (default off)
>>>        *   clamd.conf option: JsonStoreExtraHashes (default 'no')
>>>     *
>>> The file hash is now stored as "sha2-256" instead of "FileMD5". If you enable the "extra hashes" option, then it will also record "md5" and "sha1".
>>>     *
>>> Each object scanned now has a unique "Object ID".
>>>  *
>>> Sigtool: Renamed the sigtool option --sha256 to --sha2-256. The original option is still functional but is deprecated.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>> 
>>> Other improvements
>>> 
>>>  *
>>> Set a limit on the max-recursion config option. Users will no longer be able to set max-recursion higher than 100. This change prevents errors on start up or crashes if encountering a file with that many layers of recursion.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1264>
>>>  *
>>> Build system: CMake improvements to support compiling for the AIX platform. This change is courtesy of GitHub user KamathForAIX.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1387>
>>>  *
>>> Improve support for extracting malformed zip archives. This change is courtesy of Frederick Sell.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1460>
>>>  *
>>> Windows: Code quality improvement for the ClamScan and ClamDScan --move and --remove options. This change is courtesy of Maxim Suhanov.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1470>
>>>  *
>>> Added file type recognition for an initial set of AI model file types.
>>> The file type is accessible to applications using libclamav via the scan callback functions and as an optional output parameter to the scan functions: cl_scanfile_ex(), cl_scanmap_ex(), and cl_scandesc_ex().
>>> When scanning these files, type will now show "CL_TYPE_AI_MODEL" instead of "CL_TYPE_BINARY_DATA".
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1476>
>>>  *
>>> Added support for inline comments in ClamAV configuration files. This change is courtesy of GitHub user userwiths.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1308>
>>>  *
>>> Disabled the MyDoom hardcoded/heuristic detection because of false positives.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1495>
>>>  *
>>> Sigtool: Added support for creating .cdiff and .script patch files for CVDs that have underscores in the CVD name. Also improved support for relative paths with the --diff command.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1541>
>>>  *
>>> Windows: Improved support for file names with UTF-8 characters not found in the ANSI or OEM code pages when printing scan results or showing activity in the ClamDTOP monitoring utility. Fixed a bug with opening files with such names with the Sigtool utility.
>>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1461>
>>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1537>
>>>  *
>>> Improved the code quality of the ZIP module. Added inline documentation.
>>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1548>
>>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1552>
>>>  *
>>> Always run scan callbacks for embedded files. Embedded files are found within other files through signature matches instead of by parsing. They will now be processed the same way and then they can trigger application callbacks (e.g., "pre-scan", "post-scan", etc.).
>>> A consequence of this change is that each embedded file will be pattern- matched just like any other extracted file. To minimize excessive pattern matching, file header validation checks were added for ZIP, ARJ, and CAB. Also fixed a bug with embedded PE file scanning to reduce unnecessary matching.
>>> This change will impact scans with both the "leave-temps" feature and the "force-to-disk" feature enabled, resulting in additional temporary files.
>>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1532>
>>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1571>
>>>  *
>>> Added DevContainer templates to the ClamAV Git repository in order to make it easier to set up AlmaLinux or Debian development environments.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1462>
>>>  *
>>> Removed the "Heuristics.XZ.DicSizeLimit" alert because of potential unintended alerts based on system state.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1573>
>>>  *
>>> Improved support for compiling on Solaris.
>>> This fix courtesy of Andrew Watkins.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1569>
>>>  *
>>> Improved support for compiling on GNU/Hurd.
>>> This fix courtesy of Pino Toscano.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1569>
>>>  *
>>> Improved support for linking with the NCurses library dependency when libtinfo is built as a separate library.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1356>
>>> 
>>> Bug fixes
>>> 
>>>  *
>>> Reduced email multipart message parser complexity.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1347>
>>>  *
>>> Fixed possible undefined behavior in inflate64 module. The inflate64 module is a modified version of the zlib library, taken from version 1.2.3 with some customization and with some cherry-picked fixes. This adds one additional fix from zlib 1.2.9. Thank you to TITAN Team for reporting this issue.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1469>
>>>  *
>>> Fixed a bug in ClamD that broke reporting of memory usage on Linux. The STATS command can be used to monitor ClamD directly or through ClamDTOP. The memory stats feature does not work on all platforms (e.g., Windows).
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1465>
>>>  *
>>> Windows: Fixed a build issue when the same library dependency is found in two different locations.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1453>
>>>  *
>>> Fixed an infinite loop when scanning some email files in debug-mode. This fix is courtesy of Yoann Lecuyer.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1445>
>>>  *
>>> Fixed a stack buffer overflow bug in the phishing signature load process. This fix is courtesy of GitHub user Shivam7-1.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1486>
>>>  *
>>> Fixed a race condition in the Freshclam feature tests. This fix is courtesy of GitHub user rma-x.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1513>
>>>  *
>>> Windows: Fixed a 5-byte heap buffer overread in the Windows unit tests. This fix is courtesy of GitHub user Sophie0x2E.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1542>
>>>  *
>>> Fix double-extraction of OOXML-based office documents.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>>  *
>>> ClamBC: Fixed crashes on startup.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
>>>  *
>>> Fixed an assortment of issues found with Coverity static analysis.
>>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1574>
>>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1582>
>>>  *
>>> Fixed libclamav unit test, ClamD, and ClamDScan Valgrind test failures affecting some platforms.
>>> GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1554>
>>> GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1570>
>>>  *
>>> Fixed crash in the Sigtool program when using the --html-normalize option.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1556>
>>>  *
>>> Fixed some potential NULL-pointer dereference issues if memory allocations fail.
>>> Fix courtesy of GitHub user JiangJias.
>>> GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1581>
>>> 
>>> Tested-by: Adolf Belka <adolf.belka@ipfire.org>
>>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>>> ---
>>> config/rootfiles/packages/clamav | 15 ++++++------
>>> lfs/clamav                       | 39 ++++++++++++++++----------------
>>> 2 files changed, 28 insertions(+), 26 deletions(-)
>>> 
>>> diff --git a/config/rootfiles/packages/clamav b/config/rootfiles/packages/clamav
>>> index d5495e4b7..43c5585d9 100644
>>> --- a/config/rootfiles/packages/clamav
>>> +++ b/config/rootfiles/packages/clamav
>>> @@ -1,3 +1,6 @@
>>> +etc/clamav
>>> +etc/clamav/certs
>>> +etc/clamav/certs/clamav.crt
>>> etc/rc.d/init.d/clamav
>>> usr/bin/clamav-config
>>> usr/bin/clambc
>>> @@ -14,20 +17,20 @@ usr/bin/sigtool
>>> #usr/include/libfreshclam.h
>>> usr/lib/libclamav.so
>>> usr/lib/libclamav.so.12
>>> -usr/lib/libclamav.so.12.0.3
>>> +usr/lib/libclamav.so.12.1.0
>>> #usr/lib/libclamav_rust.a
>>> usr/lib/libclammspack.so
>>> usr/lib/libclammspack.so.0
>>> usr/lib/libclammspack.so.0.8.0
>>> usr/lib/libclamunrar.so
>>> usr/lib/libclamunrar.so.12
>>> -usr/lib/libclamunrar.so.12.0.3
>>> +usr/lib/libclamunrar.so.12.1.0
>>> usr/lib/libclamunrar_iface.so
>>> usr/lib/libclamunrar_iface.so.12
>>> -usr/lib/libclamunrar_iface.so.12.0.3
>>> +usr/lib/libclamunrar_iface.so.12.1.0
>>> usr/lib/libfreshclam.so
>>> -usr/lib/libfreshclam.so.3
>>> -usr/lib/libfreshclam.so.3.0.2
>>> +usr/lib/libfreshclam.so.4
>>> +usr/lib/libfreshclam.so.4.0.0
>>> #usr/lib/pkgconfig/libclamav.pc
>>> usr/sbin/clamd
>>> #usr/share/doc/ClamAV
>>> @@ -133,7 +136,6 @@ usr/sbin/clamd
>>> #usr/share/doc/ClamAV/html/manual/Installing/Add-clamav-user.html
>>> #usr/share/doc/ClamAV/html/manual/Installing/Community-projects.html
>>> #usr/share/doc/ClamAV/html/manual/Installing/Docker.html
>>> -#usr/share/doc/ClamAV/html/manual/Installing/Installing-from-source-Unix-old.html
>>> #usr/share/doc/ClamAV/html/manual/Installing/Installing-from-source-Unix.html
>>> #usr/share/doc/ClamAV/html/manual/Installing/Installing-from-source-Windows.html
>>> #usr/share/doc/ClamAV/html/manual/Installing/Packages.html
>>> @@ -168,7 +170,6 @@ usr/sbin/clamd
>>> #usr/share/doc/ClamAV/html/print.html
>>> #usr/share/doc/ClamAV/html/searcher.js
>>> #usr/share/doc/ClamAV/html/searchindex.js
>>> -#usr/share/doc/ClamAV/html/searchindex.json
>>> #usr/share/doc/ClamAV/html/sitemap.xml
>>> #usr/share/doc/ClamAV/html/theme-dawn.js
>>> #usr/share/doc/ClamAV/html/theme-tomorrow_night.js
>>> diff --git a/lfs/clamav b/lfs/clamav
>>> index 254da1281..1d4d0ba8b 100644
>>> --- a/lfs/clamav
>>> +++ b/lfs/clamav
>>> @@ -1,7 +1,7 @@
>>> ###############################################################################
>>> #                                                                             #
>>> # IPFire.org - A linux based firewall                                         #
>>> -# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
>>> +# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
>>> #                                                                             #
>>> # This program is free software: you can redistribute it and/or modify        #
>>> # it under the terms of the GNU General Public License as published by        #
>>> @@ -26,7 +26,7 @@ include Config
>>> 
>>> SUMMARY    = Antivirus Toolkit
>>> 
>>> -VER        = 1.4.3
>>> +VER        = 1.5.1
>>> 
>>> THISAPP    = clamav-$(VER)
>>> DL_FILE    = $(THISAPP).tar.gz
>>> @@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
>>> DIR_APP    = $(DIR_SRC)/$(THISAPP)
>>> TARGET     = $(DIR_INFO)/$(THISAPP)
>>> PROG       = clamav
>>> -PAK_VER    = 80
>>> +PAK_VER    = 81
>>> 
>>> DEPS       =
>>> 
>>> @@ -50,7 +50,7 @@ objects = $(DL_FILE)
>>> 
>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>> 
>>> -$(DL_FILE)_BLAKE2 = 144be77e7104ebf78482c9efc411a4a168bb4ea3ad18abb237e7bcc1f5cf3e2c10d5478a54d9dc0d82b028c923065bc614cd535fd4f67fb1e73f5fe1c6425861
>>> +$(DL_FILE)_BLAKE2 = d6fd0885ea2864b0fecf040d6b0a088b8d9ad05a555697eab6c999b4a8b3d14bc2ee0968ef4dcb3f3b56d8361faecb98afa5ff4ffbb843cf1bf221a4e27a4496
>>> 
>>> 
>>> install : $(TARGET)
>>> @@ -87,21 +87,22 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>> 
>>> cd $(DIR_APP) && mkdir -pv build
>>> cd $(DIR_APP)/build && cmake .. -G Ninja \
>>> - -DCMAKE_BUILD_TYPE=Release \
>>> - -DCMAKE_INSTALL_PREFIX=/usr \
>>> - -DCMAKE_INSTALL_LIBDIR=/usr/lib \
>>> - -DOPTIMIZE=ON \
>>> - -DBYTECODE_RUNTIME="interpreter" \
>>> - -DENABLE_TESTS=OFF \
>>> - -DENABLE_CLAMONACC=OFF \
>>> - -DENABLE_MILTER=OFF \
>>> - -DENABLE_MAN_PAGES=OFF \
>>> - -DENABLE_EXTERNAL_MSPACK=OFF \
>>> - -DENABLE_FRESHCLAM_DNS_FIX=ON \
>>> - -DENABLE_SYSTEMD=OFF \
>>> - -DAPP_CONFIG_DIRECTORY=/var/ipfire/clamav \
>>> - -DCURSES_LIBRARY=/usr/lib/libncurses.so \
>>> - -DDATABASE_DIRECTORY=$(DATABASE_DIR)
>>> + -D CMAKE_BUILD_TYPE=Release \
>>> + -D CMAKE_INSTALL_PREFIX=/usr \
>>> + -D CMAKE_INSTALL_LIBDIR=/usr/lib \
>>> + -D CVD_CERTS_DIRECTORY=/etc/clamav/certs \
>>> + -D OPTIMIZE=ON \
>>> + -D BYTECODE_RUNTIME="interpreter" \
>>> + -D ENABLE_TESTS=OFF \
>>> + -D ENABLE_CLAMONACC=OFF \
>>> + -D ENABLE_MILTER=OFF \
>>> + -D ENABLE_MAN_PAGES=OFF \
>>> + -D ENABLE_EXTERNAL_MSPACK=OFF \
>>> + -D ENABLE_FRESHCLAM_DNS_FIX=ON \
>>> + -D ENABLE_SYSTEMD=OFF \
>>> + -D APP_CONFIG_DIRECTORY=/var/ipfire/clamav \
>>> + -D CURSES_LIBRARY=/usr/lib/libncurses.so \
>>> + -D DATABASE_DIRECTORY=$(DATABASE_DIR)
>>> cd $(DIR_APP)/build && ninja $(MAKETUNING) && ninja install
>>> 
>>> mkdir -pv $(DATABASE_DIR)
>>> -- 
>>> 2.52.0
>>> 
>>> 
>