clamav: 3.16 version 0.104 (CVE-2023-20032, CVE-2023-20052)
So here are two issues, apparently:
Number one, there are two CVEs that were patched a few days ago. One of them (HFS+ disk image parsing) seems to be a proper, ugly attack vector.
Number two, the current version I have seems to be 0.104.
vfile:~# cat /etc/alpine-release
3.16.4
vfile:~# clamd --version
ClamAV 0.104.3/26817/Sun Feb 19 08:21:03 2023
Their website states it will not receive updates for those security issues: "ClamAV 0.104 has reached end-of-life according to the ClamAV End of Life (EOL) policy and will not be patched. Anyone using ClamAV 0.104 must switch to a supported version".
Now I can see the timestamp here is this morning, but I didn't see a clamav update being installed when I ran apk upgrade, so I guess this timestamp refers to the AV signatures and not the scan engine itself.
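An added example, not part of the report or of ClamAV itself: a POSIX sh parser for the `clamd --version` banner quoted above that separates the engine version from the signature database version and date, so the signature date is not mistaken for an engine update, and flags the engine series as end-of-life. The EOL list holds only the 0.104 series named in the vendor notice quoted above; extending it from the ClamAV EOL policy page is assumed to be done by the reader.

```shell
#!/bin/sh
# `clamd --version` prints: "ClamAV <engine>/<sigdb-version>/<sigdb-date>"
# e.g. "ClamAV 0.104.3/26817/Sun Feb 19 08:21:03 2023"
# The date is the build date of the signature database (daily.cvd), which
# freshclam refreshes; it says nothing about the scan engine's patch level.

clamav_engine() {            # -> engine version, e.g. 0.104.3
    v=${1#ClamAV }; printf '%s\n' "${v%%/*}"
}

clamav_sigdb_version() {     # -> signature database version, e.g. 26817
    v=${1#*/}; printf '%s\n' "${v%%/*}"
}

clamav_sigdb_date() {        # -> signature database date string
    v=${1#*/}; printf '%s\n' "${v#*/}"
}

clamav_series() {            # -> engine series (major.minor), e.g. 0.104
    e=$(clamav_engine "$1"); printf '%s\n' "${e%.*}"
}

# Exit status 0 when the engine series is end-of-life. Only 0.104 is listed,
# taken from the vendor notice in the report (assumption: add further
# series from the ClamAV EOL policy page yourself).
clamav_is_eol() {
    case "$(clamav_series "$1")" in
        0.104) return 0 ;;
        *)     return 1 ;;
    esac
}

# Human-readable summary of what the banner actually tells you.
clamav_report() {
    if clamav_is_eol "$1"; then
        printf 'engine %s is end-of-life (series %s); signature db %s dated "%s" is current but cannot fix engine bugs\n' \
            "$(clamav_engine "$1")" "$(clamav_series "$1")" \
            "$(clamav_sigdb_version "$1")" "$(clamav_sigdb_date "$1")"
    else
        printf 'engine %s (series %s) is not in the EOL list; signature db %s dated "%s"\n' \
            "$(clamav_engine "$1")" "$(clamav_series "$1")" \
            "$(clamav_sigdb_version "$1")" "$(clamav_sigdb_date "$1")"
    fi
}

# Constructed sample input, copied from the banner in the report.
SAMPLE='ClamAV 0.104.3/26817/Sun Feb 19 08:21:03 2023'
clamav_report "$SAMPLE"
```

On a live host replace the constructed sample with `clamav_report "$(clamd --version)"`.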