Hi Ged, Jiayi, > I don't know what will happen > if a serious vulnerability is found before the stated end of support > for 0.104.x in the support matrix and I doubt that Talos does either. > My guess is that support would be withdrawn immediately rather than as > stated in the support matrix.
As per the EOL policy (https://docs.clamav.net/faq/faq-eol.html) the ClamAV 0.104 release would continue to get security patch versions until 4 months after 0.105 is released, or until the next feature release (1.0) is published. We're getting close to 3 months since 0.105.0 was published. Vulnerability reports generally have a 90 day non-disclosure window from the moment they're reported, and we often use all that time to craft/review/test fixes before publishing a release. Unless a critical vulnerability is publicly disclosed without giving us a non-disclosure window in which to fix the issue, it is highly unlikely that we'll have to publish security fixes before 0.104 exceeds that end-of-life. For this reason, the release announcement includes a notice to prepare users still on 0.104 for a move to 0.105. > > I guess that's the reason why we release new major version 105 and > > patch release versions for 103 and 104 together? > > Your guess is as good as mine. :) We published patch versions for 0.103 and 0.104 at the same time as 0.105.0 was published because we had critical security fixes for all supported versions. We could have published 0.105.0 a few weeks before, and then published 0.105.1 with the patch versions for 0.103/0.104 for the security fixes almost immediate afterwards, but that would have been more work for everyone. So, we delayed 0.105.0 to align it with the security patch release. Sorry about the "0.104.1" in the blog (and copy-pasted announcement) title. The typo was missed by me and by the reviewer. I've corrected the typo in the blog. Best regards, Micah Micah Snyder ClamAV Development Talos Cisco Systems, Inc. ________________________________ From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> Sent: Thursday, July 28, 2022 12:29 AM To: Yang, Jiayi via clamav-users <clamav-users@lists.clamav.net> Cc: G.W. Haywood <cla...@jubileegroup.co.uk> Subject: Re: [clamav-users] Inquire about clamav latest stable version - Hi Jiayi, Thanks for the extra information. To answer your questions: On Wed, 27 Jul 2022, Yang, Jiayi via clamav-users wrote: > 1. If we use a relatively older version, for example, 0.103.6, which > is supported by "RedHat & Fedora" and "Fedora & EPEL" package > distribution currently. I will expect some new features and changes > added to version 105 don't exist in version 103. You are correct that new developments will take place in versions which began their lives later in time, but supported versions are kept patched for security vulnerabilities. ClamAV versions are made up entirely of digits and dots but they aren't really numbers because they have two dots. The digit after the second dot can be considered the 'patch level'. At the moment three versions are officially supported by Cisco's Talos, the authors of the software. The latest patch versions are 0.103.7, 0.104.4 and 0.105.1, as you can see at https://blog.clamav.net/ Unfortunately headlines in the announcements to the mailing list and in the blog are wrong, stating that version 0.104.1 was released on July 26th, but as you can see from the text it is really 0.104.4 which was actually released. At the time I write the version support matrix https://docs.clamav.net/faq/faq-eol.html#version-support-matrix is out of date - it does not show the latest released versions. The quality control at Talos leaves something to be desired which I have mentioned on more than one occasion on this list. Version 0.103.x source code uses the 'autotools' build system. It is the last version which will use autotools. Versions 0.104.x, 0.105.x and later use 'cmake'. Support for 0.104.x will probably end soon, as in the release announcements it's stated that 0.104.4 will be the last patch version for the 0.104.x series. I don't know what will happen if a serious vulnerability is found before the stated end of support for 0.104.x in the support matrix and I doubt that Talos does either. My guess is that support would be withdrawn immediately rather than as stated in the support matrix. > While could I still assume version 103 is still supported (new > patches will be added) The version is 0.103 not 103 but yes, that is the 'Long Term Support' version which will be supported until September 2023 according to the version support matrix. > and could still give decent malware scanning results? I would never recommend that anyone rely on one single defence. Every installation has particular sensitivities and will reside in a different threat landscape, you'll need to make your own assessments of the performance based on your own experience. Mine are on record in the archives of this mailing list, but bear in mind that we do not scan machines for viruses, we only scan mail. Primarily we scan for spam, and incidentally for threats like viruses which are of little concern to us here because of the very defensive way that we operate. > 2. If we already use older versions (like version 103), upgrading it > to a minor version with patch release(like 103.6) will install the > bug fixes and give us a better using experience. While upgrading it > to a new major version(like 105) may require more extra work, such > as rust toolchain setup which is mentioned in the release note. Correct, but (1) the toolchain setup is a once-only thing, and (2) if you use a major Linux distribution and a reasonably well-supported architecture you should have little difficulty installing the tools. I did it on a Raspberry Pi just to see if it could be done. It could, but it took four hours to build it the first time. > I guess that's the reason why we release new major version 105 and > patch release versions for 103 and 104 together? Your guess is as good as mine. :) > Sorry I may have some misunderstanding before. ... No need for apologies. :) -- 73, Ged. _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation https://docs.clamav.net/#mailing-lists-and-chat
_______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation https://docs.clamav.net/#mailing-lists-and-chat
