Michael Tautschnig wrote:
Package: clamav-daemon
Version: 0.94.dfsg.2-1lenny2
Severity: normal
Apparently the ClamAV software contains a remote detonator so the clamav
team can disable the software through an update sequence. This can knock any
mailserver (for example) offline running the version they deem fit to
disable.
Please remove this code in at least the Debian package, or replace it by one
that does not run updates but not simply bomb out the daemon.
[...]
This ain't as easy: Upstream can at any time (and this is what they did this
time as well) choose to release "broken" signature files that can't be parsed by
clamav-daemon. What sysadmins could do, of course, is simply disabling
freshclam.
At any rate, if the maintainer wants to act upon this the choice should be
given to the end user whether the "detonator" is active or not.
I would rather choose to get bombed out than getting no more updates.
In the current case, only people with really outdated installations were
affected (all sarge or etch/lenny not using volatile).
Regards
Racke
--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team