[Pkg-clamav-devel] Debian ClamAV and bug report #1080962
Reid, Andrew C.E. (Fed)
andrew.reid at chips.gov
Mon Sep 30 14:52:39 BST 2024
Hi all --
I'm curious about what expectations I should have for a
resolution to Debian bug report #1080962.
My situation is, I operate a number of Debian-based systems
at a US Federal Government facility, and their ClamAV systems
have been flagged as vulnerable by a third-party vulnerability
assessment tool, which means that the situation has high
visibility, and that there is considerable pressure on me to
remediate this quickly, one way or another.
Historically, the Debian package maintainers have been
amazing about getting patches out, and if this is in the works,
then I am happy to wait.
I have seen the relevant info on the security tracker hits:
> https://security-tracker.debian.org/tracker/source-package/clamav
> https://security-tracker.debian.org/tracker/CVE-2024-20506
> https://security-tracker.debian.org/tracker/CVE-2024-20505
... where it's listed as a "minor issue" for Bullseye,
and "No DSA" for Bookworm, with a deferral to -updates.
This suggests the situation is that I should not expect a
Debian-packaged resolution for Bullseye, but could perhaps
expect one for Bookworm, with the caveat that as far as I can
tell, there is currently not a resolved package in the
bookworm-updates channel.
Please don't misunderstand, it's not my intention to tell you
what your priorities should be, I'm just trying to identify a
path forward for my own administratively-constrained environment.
In the absence of a Debian-packaged solution, I can change to
a different AV provider, build a resolved version of ClamAV
from source, or pursue other higher-effort solutions, but if
a Debian-packaged solution is in the offing, then that info
would inform the choice.
Thanks, not only for reading, but for all the amazing work
you and all Debian maintainers do!
-- A.
--
Dr. Andrew C. E. Reid
Physical Scientist, Computer Operations Administrator
Center for Theoretical and Computational Materials Science
National Institute of Standards and Technology, Mail Stop 8555
Gaithersburg MD 20899 USA
andrew.reid at nist.gov