ClamAV Update Issue on Proxmox Mail Gateway 8.2.0 (Stuck at 1.0.7)

ozgur.kutur

Hello,


I am using Proxmox Mail Gateway 8.2.0. However, ClamAV has not been updated for about 2.5 months and remains at version 1.0.7. When I try to update, I get the following warning:


ClamAV update process started at Wed May 28 11:21:46 2025
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 1.0.7 Recommended version: 1.0.8
DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html
daily.cld database is up-to-date (version: 27650, sigs: 2075689, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cld database is up-to-date (version: 336, sigs: 83, f-level: 90, builder: nrandolp)
TASK OK


Even though I run apt update && apt upgrade, the system shows that it is up to date. From my research, I found that manual updates are possible, but they may cause compatibility issues with Proxmox Mail Gateway.


Do you know when the official ClamAV repository will be updated to version 1.0.8? Should I wait for the official update? Or does anyone have experience with manual installation that works without problems? I would appreciate your advice and any experiences you can share.
 
Hello ozgur.kutur! clamav is a package that we do not package and release ourselves, but get directly from Debian. As far as I can see, the new version 1.0.8 fixes CVE-2025-20128 - see NIST, Debian Security Tracker and their blog announcement. As far as I can see on the Debian Tracker, version 1.0.8 is also not being tested yet. There's already a bug related to this CVE, but the fix is only included in Debian 13 Trixie, but not in Debian 12 Bookworm. Feel free to reply to that bug report and ask whether Bookworm will also be updated to version 1.0.8.
 
Hello ozgur.kutur! clamav is a package that we do not package and release ourselves, but get directly from Debian. As far as I can see, the new version 1.0.8 fixes CVE-2025-20128 - see NIST, Debian Security Tracker and their blog announcement. As far as I can see on the Debian Tracker, version 1.0.8 is also not being tested yet. There's already a bug related to this CVE, but the fix is only included in Debian 13 Trixie, but not in Debian 12 Bookworm. Feel free to reply to that bug report and ask whether Bookworm will also be updated to version 1.0.8.
You did a great research!!! Thank you for sharing that info!!!
 
Hello,
We’ve noticed that version 1.0.9 of ClamAV is now available.
Every time ClamAV updates on our system, we see the following warning:

ClamAV update process started at Sat Jun 21 23:36:34 2025
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 1.0.7 Recommended version: 1.0.9
DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html


Is there anything we should do to address this, or do we simply have to wait for it to be updated via the official Proxmox repositories?
Thanks in advance.
 
I noticed this very same issue on PMG, now two revisions behind. I think Debian is just holding back the update because of the CVE bug. I think we'll be fine as long as the definitions themselves are staying updated which appears they are.
 
You did a great research!!! Thank you for sharing that info!!!
You're welcome! :)
Is there anything we should do to address this, or do we simply have to wait for it to be updated via the official Proxmox repositories?
ClamAV is not updated via the Proxmox repository, but by Debian. You'll thus need to ask them directly.


As a short recap, since the version in Debian is 2 versions behind upstream, this now means the following security vulnerabilities have been patched upstream, but not yet by Debian:
  1. In version 1.0.8: CVE-2025-20128 (5.3 MEDIUM severity), also see Debian bug tracker
  2. In version 1.0.9: CVE-2025-20260 (9.8 CRITICAL severity), also see Debian bug tracker
It seems there is currently an open bug on the Debian bug tracker to release version 1.0.9 to Debian 12 Bookworm, opened on June 29. Especially due to the fact that the vulnerability fixed in version 1.0.9 has 9.8 CRITICAL severity, I would expect them to release the new version soon.
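The two freshclam logs quoted in this thread carry the two facts an administrator actually needs to track separately: whether the engine binary is behind the recommended release, and whether the signature databases are still current. The following added example (not code from the thread, Proxmox or ClamAV) parses that freshclam output so the check can be automated on a PMG host. The sample logs are constructed from the output posted above; the regular expression also accepts the "<name> updated (...)" line freshclam prints after a fresh download, which is an assumption about the format and not shown in the thread.

```python
"""Parse freshclam output (as shown in the PMG 'ClamAV update' task log) and
report whether the engine is behind and whether signatures are current."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample, modelled on the freshclam output quoted in this thread.
SAMPLE_LOG = """\
ClamAV update process started at Wed May 28 11:21:46 2025
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 1.0.7 Recommended version: 1.0.8
DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html
daily.cld database is up-to-date (version: 27650, sigs: 2075689, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cld database is up-to-date (version: 336, sigs: 83, f-level: 90, builder: nrandolp)
TASK OK
"""

# Constructed second sample: the version warning wrapped over two lines (as in
# the later post) and no database lines at all.
SAMPLE_LOG_SPLIT = """\
ClamAV update process started at Sat Jun 21 23:36:34 2025
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 1.0.7
Recommended version: 1.0.9
DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html
"""

# \s+ also spans a newline, so the one-line and two-line forms both match.
VERSION_RE = re.compile(r"Local version:\s*(\S+)\s+Recommended version:\s*(\S+)")
# "<name> database is up-to-date (...)" is the form quoted in the thread; the
# "<name> updated (...)" form after a download is an assumed format.
DB_RE = re.compile(
    r"^(\S+)(?: database is up-to-date| updated) "
    r"\(version: (\d+), sigs: (\d+), f-level: (\d+)",
    re.MULTILINE,
)


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.0.7' -> (1, 0, 7), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass
class Database:
    version: int
    sigs: int
    flevel: int


@dataclass
class FreshclamReport:
    local_version: Optional[str]
    recommended_version: Optional[str]
    databases: Dict[str, Database] = field(default_factory=dict)

    def engine_outdated(self) -> bool:
        if not (self.local_version and self.recommended_version):
            return False  # no OUTDATED warning was printed
        return version_tuple(self.local_version) < version_tuple(self.recommended_version)

    def patch_releases_behind(self) -> Optional[int]:
        """Point releases between local and recommended when only the last
        component differs (1.0.7 -> 1.0.9 gives 2); None if not comparable."""
        if not self.engine_outdated():
            return 0 if self.local_version else None
        local = version_tuple(self.local_version)
        rec = version_tuple(self.recommended_version)
        if len(local) == len(rec) and local[:-1] == rec[:-1]:
            return rec[-1] - local[-1]
        return None

    def signatures_current(self) -> bool:
        """True only if main, daily and bytecode were all reported current
        (.cvd or .cld); a missing or unparsed database line counts as not current."""
        present = {name.rsplit(".", 1)[0] for name in self.databases}
        return {"main", "daily", "bytecode"} <= present


def parse_freshclam(text: str) -> FreshclamReport:
    match = VERSION_RE.search(text)
    local, rec = (match.group(1), match.group(2)) if match else (None, None)
    dbs = {name: Database(int(ver), int(sigs), int(fl))
           for name, ver, sigs, fl in DB_RE.findall(text)}
    return FreshclamReport(local, rec, dbs)


def summarise(text: str) -> str:
    """One-line status suitable for a monitoring check."""
    report = parse_freshclam(text)
    if report.engine_outdated():
        behind = report.patch_releases_behind()
        suffix = f" ({behind} point release(s) behind)" if behind is not None else ""
        engine = f"engine {report.local_version} < recommended {report.recommended_version}{suffix}"
    else:
        engine = "engine current"
    sigs = "signatures current" if report.signatures_current() else "signature databases incomplete or missing"
    return f"{engine}; {sigs}"


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
    print(summarise(SAMPLE_LOG_SPLIT))
```

In practice the text fed to `parse_freshclam` would be the PMG task log or `freshclam` output captured by a monitoring agent; the point of keeping the two results separate is exactly the one made in the thread, namely that an outdated engine and stale signatures are different conditions with different urgency.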