Forum Discussion

Retired_Member

Oct 12, 2018

Solved

ClamAV < 0.100.2 is reported vulnerable against denial-of-service attacks

I want to share an alert with you I got from BSI in Germany, that ClamAV < 0.100.2 is vulnerable against denial-of-service attacks.

Their source is the official ClamAV website https://blog.clamav.net/2018/10/clamav-01002-has-been-released.html

As ClamAv is an integrated part of the ReadyNas OS I wonder how and when Netgear is going to update to the most recent ClamAV release to address this threat.

I don't want to use ssh for a manual update, just for the records.

Other Discussions

OOM-9
Oct 25, 2018
The hotfix option would cause service interruption, and will need a little more work than the smaller fixes that go into hotfixes.

We are investigating getting this package updated in the coming firmware 6.9.5 and 6.10.0 (depending on if you are on the LTS or Stable path).

3 Replies

Replies have been turned off for this discussion

JohnCM_S
NETGEAR Employee Retired
Oct 18, 2018
Hi RolandWausE,

We still have no information on when it will be updated to that version. Debian is only currently hosting 0.100.0. We are on Debian 8. Debian 9 had 0.100.1 available last time it was checked, which was about 2 weeks ago.

We will inform our Engineering regarding this but the update probably won't be until December or January.

Regards,
- Retired_Member
  Oct 19, 2018
  Thanks for the answer. Are you talking about a hotfix or a standard OS update?
  
  If hotfix, December sounds a bit late for calling that fix a hot one.
  
  If not hotfix, could you consider to create one and distribute to the community?
  - OOM-9
    NETGEAR Expert
    Oct 25, 2018
    The hotfix option would cause service interruption, and will need a little more work than the smaller fixes that go into hotfixes.
    
    We are investigating getting this package updated in the coming firmware 6.9.5 and 6.10.0 (depending on if you are on the LTS or Stable path).