ClamAV Update Issue on Proxmox Mail Gateway 8.2.0 (Stuck at 1.0.7)

ozgur.kutur

New Member
Jun 11, 2024
Hello,


I am using Proxmox Mail Gateway 8.2.0. However, ClamAV has not been updated for about 2.5 months and remains at version 1.0.7. When I try to update, I get the following warning:


ClamAV update process started at Wed May 28 11:21:46 2025
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 1.0.7 Recommended version: 1.0.8
DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html
daily.cld database is up-to-date (version: 27650, sigs: 2075689, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cld database is up-to-date (version: 336, sigs: 83, f-level: 90, builder: nrandolp)
TASK OK


Even though I run apt update && apt upgrade, the system shows that it is up to date. From my research, I found that manual updates are possible, but they may cause compatibility issues with Proxmox Mail Gateway.


Do you know when the official ClamAV repository will be updated to version 1.0.8? Should I wait for the official update? Or does anyone have experience with manual installation that works without problems? I would appreciate your advice and any experiences you can share.
 
Hello ozgur.kutur! clamav is a package that we do not package and release ourselves, but get directly from Debian. As far as I can see, the new version 1.0.8 fixes CVE-2025-20128 - see NIST, Debian Security Tracker and their blog announcement. As far as I can see on the Debian Tracker, version 1.0.8 is also not being tested yet. There's already a bug related to this CVE, but the fix is only included in Debian 13 Trixie, but not in Debian 12 Bookworm. Feel free to reply to that bug report and ask whether Bookworm will also be updated to version 1.0.8.
 