[Pkg-clamav-devel] Bug#888484: clamav: Security release 0.99.3 available

Bernhard Schmidt berni at birkenwald.de
Sat Jan 27 02:08:27 UTC 2018


Control: unfixed 888484 0.99.3~beta2+dfsg-1
Control: fixed 888511 0.99.3~beta2+dfsg-1

Hi 

>> 
>> We've started seeing unexpected clamd crashes on a high-traffic mail
>> system today, though I've been unable to isolate a test case. It seems like
>> too much of a coincidence that these crashes start happening the day after a
>> security release was announced. We've implemented mitigations but an updated
>> package would be even better.
> 
> I *think* the crashes you observed might be due to FD desc issue. This
> was fixed in Stretch by chance but not in Jessie. However the remaining
> CVEs were not addressed yet and I'm looking into it…
> 
> [0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

Indeed. There is a separate Bug#888511 for that; I have migrated the fixed version above to avoid confusion.

Are you sure about the Stretch thing? Stretch contains 0.99.2 which should be affected by this bug. But I’m not 100% sure, as all my high traffic mail gateways are still running Jessie.

According to reports 0.99.3~beta2 was indeed not affected by the signature bug, so Buster/Sid were fine. What makes things even more confusing is that 0.99.3 does not contain this fix, because 0.99.3 is 0.99.2+security fixes, while 0.99.3~beta was a development tree that is now called 0.100 :-(

http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html

Upstream announcement suggests you cannot do a clean switch from 0.99.3~beta to 0.99.3:

As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, you will need to completely uninstall it and do a fresh install with the production version of 0.99.3 as there are significant code differences


Bernhard