[Pkg-clamav-devel] Wheezy update of clamav?

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Fri Mar 9 21:17:05 UTC 2018

On 2018-03-09 11:45:58 [+0100], Santiago R.R. wrote:
> Hi,
> On 02/03/18 at 23:36, Sebastian Andrzej Siewior wrote:
> > On 2018-03-02 02:19:04 [+0000], Scott Kitterman wrote:
> > > Conveniently, upstream just released 0.99.4 that addresses this and some other issues.  I'd suggest you let us get that into stable/oldstable first.
> > 
> > I will try to get to this around SA/SO for Stretch/Jessie. There are 5
> > CVEs in total (not just the one you (the LTS team) mentioned).
> Just to be sure, the new upstream release should be used to fix the
> issues in wheezy too?

We do this (update to the current ClamAV version) for the supported Debian
releases. I recommend doing this for the LTS version, too. Besides clamav
you should have a look at libclamunrar, which is non-free.
Upstream has historically been bad at documenting security-related fixes.
This may have improved now, but I wouldn't take it for granted. In the
past the reporter had to ask for CVE numbers and do the process of
documenting. It was possible that the "fix" contained a follow-up fix
(or multiple) which were not documented in the bugzilla entry.
There were fixes of the same importance (found by a fuzzer, where the
fuzzed file crashed clamav) that didn't get a CVE number assigned and
would otherwise have been ignored by your security upload. I could give
you examples of each kind (and I don't need to go far back in history;
0.99.3 has a few examples already).
The part that the engine may ignore signatures because they require a
newer engine is just the tip of the iceberg :)

> Should I include a file in security-tracker's packages/ directory to
> describe that the way to address issues is by updating complete upstream
> releases?
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#80

Clamav was updated via volatile in the past. This has moved to
stable/updates now. The security team is not comfortable with
security-related changes and new features in an all-in-one release. Since I
have been involved, the updates were always via stable and included a full
upstream release. There were one or two exceptions where we first picked
up a few security-related fixes and then pushed the complete release.

> Cheers,
> S

