Set version to 1.0.9, FLEVEL to 169; Update NEWS.md

CMakeLists.txt

@@ -22,7 +22,7 @@ string(TIMESTAMP TODAY "%Y%m%d")
 set(VERSION_SUFFIX "")
 
 project( ClamAV
-         VERSION "1.0.8"
+         VERSION "1.0.9"
          DESCRIPTION "ClamAV open source email, web, and end-point anti-virus toolkit." )
 
 set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH})

Jenkinsfile

@@ -10,7 +10,7 @@ properties(
         parameters(
             [
                 string(name: 'VERSION',
-                       defaultValue: '1.0.8',
+                       defaultValue: '1.0.9',
                        description: 'ClamAV version string'),
                 string(name: 'FRAMEWORK_BRANCH',
                        defaultValue: '1.0',

NEWS.md

@@ -3,6 +3,45 @@
 Note: This file refers to the official packages. Things described here may
 differ slightly from third-party binary packages.
 
+## 1.0.9
+
+ClamAV 1.0.9 is a patch release with the following fixes:
+
+- [CVE-2025-20260](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20260):
+  Fixed a possible buffer overflow write bug in the PDF file parser that could
+  cause a denial-of-service (DoS) condition or enable remote code execution.
+
+  This issue only affects configurations where both:
+  1. The max file-size scan limit is set greater than or equal to 1024MB.
+  2. The max scan-size scan limit is set greater than or equal to 1025MB.
+
+  The code flaw was present prior to version 1.0.0, but a change in version
+  1.0.0 that enables larger allocations based on untrusted data made it
+  possible to trigger this bug.
+
+  This issue affects all currently supported versions. It will be fixed in:
+  - 1.4.3
+  - 1.0.9
+
+  Thank you to Greg Walkup at Sandia National Labs for identifying this issue.
+
+- Fixed a possible use-after-free bug in the Xz decompression module in the
+  bundled lzma-sdk library.
+
+  This issue was fixed in the lzma-sdk version 18.03. ClamAV bundles a copy
+  of the lzma-sdk with some performance changes specific to libclamav, plus
+  select bug fixes like this one in lieu of a full upgrade to newer lzma-sdk.
+
+  This issue affects all ClamAV versions at least as far back as 0.99.4.
+  It will be fixed in:
+  - 1.4.3
+  - 1.0.9
+
+  Thank you to OSS-Fuzz for identifying this issue.
+
+- Windows: Fixed a build install issue when a DLL dependency such as libcrypto
+  has the exact same name as one provided by the Windows operating system.
+
 ## 1.0.8
 
 ClamAV 1.0.8 is a patch release with the following fixes:

libclamav/bytecode_api.h

@@ -172,6 +172,7 @@ enum FunctionalityLevels {
     FUNC_LEVEL_1_0_6 = 166, /**< LibClamAV release 1.0.6 */
     FUNC_LEVEL_1_0_7 = 167, /**< LibClamAV release 1.0.7 */
     FUNC_LEVEL_1_0_8 = 168, /**< LibClamAV release 1.0.8 */
+    FUNC_LEVEL_1_0_9 = 169, /**< LibClamAV release 1.0.9 */
 };
 
 /**

libclamav/others.h

@@ -73,7 +73,7 @@
  * in re-enabling affected modules.
  */
 
-#define CL_FLEVEL 168
+#define CL_FLEVEL 169
 #define CL_FLEVEL_DCONF CL_FLEVEL
 #define CL_FLEVEL_SIGTOOL CL_FLEVEL