[Pkg-clamav-devel] Bug#578133: clamav-daemon: clamav contains remote detonator
Stefan Hornburg (Racke)
racke at linuxia.de
Sat Apr 17 09:05:56 UTC 2010
Michael Tautschnig wrote:
>> Package: clamav-daemon
>> Version: 0.94.dfsg.2-1lenny2
>> Severity: normal
>>
>> Apparently the ClamAV software contains a remote detonator so the clamav
>> team can disable the software through an update sequence. This can knock any
>> mailserver (for example) offline running the version they deem fit to
>> disable.
>>
>> Please remove this code in at least the debian package, or replace it by one
>> that does not run updates but not simply bomb out the daemon.
>>
>
> [...]
>
> This ain't as easy: Upstream can at any time (and this is what they did this
> time as well) choose to release "broken" signature files that can't be parsed by
> clamav-daemon. What sysadmins could do, of course, is simply disabling
> freshclam.
At any rate, if the maintainer wants to act upon this the choice should be
given to the end user whether the "detonator" is active or not.
I would rather choose to get bombed out than getting no more updates.
In the current case, only people with really outdated installations were
affected (all sarge or etch/lenny not using volatile).
Regards
Racke
--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
More information about the Pkg-clamav-devel
mailing list