Howdy all,
Heads up, if you use ClamAV for virus scanning, you need to be aware of (and do something about) this pretty serious vulnerability. I assume distros will release patched packages soon, if not already available, but in the meantime, you should disable antivirus scanning for all domains. If I understand it, this is a remotely exploitable bug allowing arbitrary code execution as the ClamAV user, but it is easily mitigable by simply not sending mail through ClamAV.
We do not provide ClamAV packages in any of our supported repositories, so we won’t be releasing any updates related to this. ClamAV in a Virtualmin installation comes from either your OS repositories (Debian/Ubuntu) or EPEL (CentOS/RHEL/Alma/Rocky). But, if you have a very old installation on CentOS or RHEL that was installed using the old Virtualmin repos and if you somehow still have our old ClamAV packages (they will have vm
in the package version), you will need to plan to switch to our new repos, but you’ll also need to enable EPEL repos to install ClamAV from a maintained source. You similarly need to disable AV scanning for all domains until a patched package has been installed.
In summary: Don’t use ClamAV until you’ve been able to update to a new version that includes fixes for these security issues.