[Pkg-clamav-devel] LTS update of clamav and call for advice

Ola Lundqvist ola at inguza.com
Sun Mar 31 20:37:46 BST 2019 

Hi

I missed to include the clamav maintainers. Sorry about that.

// Ola

On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist <ola at inguza.com> wrote:

> Dear maintainers, LTS team and Debian Secutiry team
>
> I have started to look at the clamav package update due to
> CVE-2019-1787
> CVE-2019-1788
> CVE-2019-1789
> (the other three vulnerabilities are not affecting jessie or stretch as I
> understand it)
>
> I have understood that the clamav package is typically updated to the
> latest version also in stable and oldstable. However when doing so I
> encountered quite a few things that I would like to ask your advice on.
>
> First of all to the maintainers. Do you want to handle also LTS
> (oldstable) and regular security (stable) upload of clamav?
>
> Question to maintainers and Security team. Should we synchronize the
> efforts here and have you already started on the stable update?
>
> If not I have a few questions:
> 1) Do you know the binary compatibility between libclamav7 and libclamav9?
>  I have noticed that the package in sid produces libclamav9 while the one
> in jessie provides libclamav7. Do you think this can be an issue?
> 2) Do you think backporting the package in sid is better than simply
> updating to the latest upstream while keeping most scripts in oldstable? I
> had to copy over the split-archive.sh to be able to generate a proper orig
> tarball.
> - I personally think the package in sid have a little too much updates to
> make that safe, especially since it produces new library packages.
> - On the other hand, I had to do some modifications already to make allow
> the package to be generated and I have not even started building yet. There
> may be many fixes needed to make this package work in oldstable...
>
> I guess we cannot generate new library package version, or?
>
> Best regards
>
> // Ola
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology ----
> |  ola at inguza.com                    opal at debian.org            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>  ---------------------------------------------------------------
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola at inguza.com                    opal at debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-clamav-devel/attachments/20190331/0d3911d1/attachment.html>

More information about the Pkg-clamav-devel mailing list