[Pkg-clamav-devel] Bug#888484: Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available

Salvatore Bonaccorso carnil at debian.org
Sat Jan 27 15:28:14 UTC 2018


Scott,

Thank you.

On Sat, Jan 27, 2018 at 03:12:31PM +0000, Scott Kitterman wrote:
> 
> 
> On January 27, 2018 2:30:45 PM UTC, Salvatore Bonaccorso <carnil at debian.org> wrote:
> >Hi Scott,
> >
> >On Sat, Jan 27, 2018 at 02:05:59PM +0000, Scott Kitterman wrote:
> >> fixed 888484 0.99.3~beta2+dfsg-1
> >> 
> >> Everyone:
> >> 
> >> Please leave the status of this bug to the package maintainers.
> >> We've checked and all the security issues in the new 0.99.3 release
> >> were previously addressed in the beta that's in testing/unstable.
> >> 
> >> If you think this is incorrect, provide specific information about
> >> why (i.e. point to the code).  Don't change the status of the bug.
> >> You aren't helping.
> >
> >This though was not clear at all from
> >https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#29 where the
> >bug was marked fixed in 0.99.3~beta2+dfsg-1, where Sebastian wrote:
> >
> >> I *think* the crashes you observed might be due to FD desc issue. This
> >> was fixed in Stretch by chance but not in Jessie. However the remaining
> >> CVEs were not addressed yet and I'm looking into it…
> >> 
> >> [0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html
> >
> >So "the remaining CVEs were not addressed yet" part.
> >
> >I take your last email as confirmation that they indeed *are* fixed in
> >0.99.3~beta2+dfsg-1 and have updated the security-tracker information
> >as such.
> 
> Thanks.  This is a bit of a confusing mess (thanks upstream).  My
> understanding is that the remaining ones are ones that are addressed
> in the beta in unstable/testing, but not the new release.  If I find
> out different, I'll be sure to update the tracker.

Btw, I did expand the tracker CVE entries now with the respective
upstream bugs (they are now open) and the respective commits. And it
looks indeed that all of those are present in the "Import
clamav_0.99.3~beta2+dfsg.orig.tar.xz" of Sebastian Andrzej Siewior, in
the packaging repo done back in December 2017.

Thanks for your work!

Salvatore


