[Pkg-clamav-devel] Bug#617444: clamav: (PRSC) Please backport fix for CVE-2011-1003

[Adam D. Barratt]

On Thu, 2011-03-10 at 23:37 +0000, Jonathan Wiltshire wrote:
> On Thu, Mar 10, 2011 at 10:55:08PM +0000, Michael Tautschnig wrote:
> > For clamav, would it also be acceptable to upload the full new upstream release
> > instead of doing some semi-bugfixing by a minimal backport? AFAIK the release
> > team operates a relaxed policy for clamav - would that apply here? If so, we
> > will try to get a new upload targeted at squeeze done in time.
> 
> That's not up to me - please check with the release team on a case-by-case
> basis. Copying them in now to save time.
> 
> If you're not already aware the Squeeze queue will be frozen this weekend,
> so if you can make it that's great, but I realise it's a short turnaround.

Apologies for not replying sooner; I seem to have missed this when it
arrived.

Just to check: as far as I can see the SONAME hasn't changed in the new
upstream version, which is a good start :-) Are there any other API
changes which would mean we would need to rebuild any of the
reverse-dependencies in stable?

If not then please go ahead with the upload as 0.97+dfsg-2~squeeze1 -
assuming that the upload has been tested in that environment of course.
As Jonathan said, the window for acceptance in to 6.0.1 closes tomorrow
so it would be good if the upload could be made before the final
dinstall tomorrow so we can include it in the point release.

Note that the versioning for the lenny-volatile upload originally used
-2~volatile1, which was higher than my request above.  As a result that
version will be adjusted to -2~lenny1 before it is released.

Regards,

Adam