<div dir="auto">Great! Thank you.<br><br><div data-smartmail="gmail_signature">Sent from a phone</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Den mån 1 apr. 2019 15:13Scott Kitterman <<a href="mailto:debian@kitterman.com">debian@kitterman.com</a>> skrev:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I believe you've misunderstood.<br>
<br>
The version in stable is 0.100.3 and does not have a soname bump (nor does it <br>
need one). You should be able to update the LTS with that package with little <br>
more (maybe no more) than an updated changelog.<br>
<br>
Scott K<br>
<br>
On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:<br>
> Hi Scott and LTS team<br>
> <br>
> Thank you. I'll see if I can backport the required fixes. That may solve<br>
> the library issue.<br>
> <br>
> Alternatively we state that clamav is not supported. Maybe someone in the<br>
> LTS team can advice on that.<br>
> <br>
> Best regards<br>
> <br>
> // Ola<br>
> <br>
> On Sun, 31 Mar 2019 at 22:35, Scott Kitterman <<a href="mailto:debian@kitterman.com" target="_blank" rel="noreferrer">debian@kitterman.com</a>> wrote:<br>
> > Comments inline.<br>
> > <br>
> > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:<br>
> > > Hi<br>
> > > <br>
> > > I missed to include the clamav maintainers. Sorry about that.<br>
> > > <br>
> > > // Ola<br>
> > > <br>
> > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist <<a href="mailto:ola@inguza.com" target="_blank" rel="noreferrer">ola@inguza.com</a>> wrote:<br>
> > > > Dear maintainers, LTS team and Debian Secutiry team<br>
> > > > <br>
> > > > I have started to look at the clamav package update due to<br>
> > > > CVE-2019-1787<br>
> > > > CVE-2019-1788<br>
> > > > CVE-2019-1789<br>
> > > > (the other three vulnerabilities are not affecting jessie or stretch<br>
> > <br>
> > as I<br>
> > <br>
> > > > understand it)<br>
> > <br>
> > That's correct.<br>
> > <br>
> > > > I have understood that the clamav package is typically updated to the<br>
> > > > latest version also in stable and oldstable. However when doing so I<br>
> > > > encountered quite a few things that I would like to ask your advice<br>
> > > > on.<br>
> > > > <br>
> > > > First of all to the maintainers. Do you want to handle also LTS<br>
> > > > (oldstable) and regular security (stable) upload of clamav?<br>
> > <br>
> > Stable is already done through stable proposed updates (which is the<br>
> > normal<br>
> > path for clamav). We leave the LTS releases to the LTS team. Base your<br>
> > work<br>
> > on what's in stable.<br>
> > <br>
> > > > Question to maintainers and Security team. Should we synchronize the<br>
> > > > efforts here and have you already started on the stable update?<br>
> > > > <br>
> > > > If not I have a few questions:<br>
> > > > 1) Do you know the binary compatibility between libclamav7 and<br>
> > <br>
> > libclamav9?<br>
> > <br>
> > > > I have noticed that the package in sid produces libclamav9 while the<br>
> > <br>
> > one<br>
> > <br>
> > > > in jessie provides libclamav7. Do you think this can be an issue?<br>
> > <br>
> > Yes. It's guaranteed to be an issue. We have a stable transition<br>
> > prepared<br>
> > and will do it (once the srm blesses) after the next point release in<br>
> > April.<br>
> > Note that the security team doesn't support clamav.<br>
> > <br>
> > > > 2) Do you think backporting the package in sid is better than simply<br>
> > > > updating to the latest upstream while keeping most scripts in<br>
> > <br>
> > oldstable? I<br>
> > <br>
> > > > had to copy over the split-archive.sh to be able to generate a proper<br>
> > <br>
> > orig<br>
> > <br>
> > > > tarball.<br>
> > <br>
> > No. Use what's in stable proposed updates.<br>
> > <br>
> > > > - I personally think the package in sid have a little too much updates<br>
> > <br>
> > to<br>
> > <br>
> > > > make that safe, especially since it produces new library packages.<br>
> > <br>
> > Agreed. That would definitely be a bad idea.<br>
> > <br>
> > > > - On the other hand, I had to do some modifications already to make<br>
> > <br>
> > allow<br>
> > <br>
> > > > the package to be generated and I have not even started building yet.<br>
> > > > There<br>
> > > > may be many fixes needed to make this package work in oldstable...<br>
> > <br>
> > I suspect that what's in stable will work in oldstable, but I haven't<br>
> > tried<br>
> > it. It'll certainly take less work than what's in sid.<br>
> > <br>
> > > > I guess we cannot generate new library package version, or?<br>
> > <br>
> > Generally one does not, but for clamav you kind of have to at some point.<br>
> > Note that for libclamav7 -> libclamav9 there are also API changes, so<br>
> > libclamav-dev reverse builld-depends need patching in addition to<br>
> > rebuilding.<br>
> > Once we've done that in stable, it should be easy enough to adapt for<br>
> > oldstable when the time comes. Don't worry about it now.<br>
> > <br>
> > Scott K<br>
<br>
</blockquote></div>