On Tue, 1 Nov 2022 at 07:48, Andrew C Aitchison <[email protected]> wrote:
> On Tue, 1 Nov 2022, Stephen Smoogen wrote:
>
> > On Tue, 1 Nov 2022 at 06:59, Nick Howitt via epel-devel <
> > [email protected]> wrote:
> >
> >> Yesterday, ClamAV announced CVE-2022-37434 as critical (
> >> https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
> >> Redhat only seem to classify the issue as Moderate in EL7 -
> >> https://access.redhat.com/security/cve/cve-2022-37434. It looks like
> >> that, unless Redhat classify it as Critical, zlib and zlib-devel won't get
> >> updated so ClamAV can't be rebuilt against the updated zlib-devel. What is
> >> the EPEL take on the issue?
> >>
> >
> > Well if the EL7 in the base operating system is not getting updated, then
> > any rebuild by EPEL is not going to see a 'fixed' version. It isn't just
> > zlib-devel which would need to be fixed but the zlib libraries that clamav
> > needs to link to on a system.
>
> This particular case is more "interesting", as the ClamAV RPM and
> Docker image both bundle updated versions of zlib and libxml.
>

My apologies. I looked in the clamav-0.103.7-1.el7.src.rpm and didn't see a separate libz tar ball that most bundled packages come with.

```
$ rpm -qlp clamav-0.103.7-1.el7.src.rpm
README.fedora
bytecode-333.cvd
clamav-0.103.7-norar.tar.xz
clamav-0.99-private.patch
clamav-clamonacc-service.patch
clamav-default_confs.patch
clamav-freshclam.service.patch
clamav-milter.systemd
clamav-stats-deprecation.patch
clamav-update.crond
clamav-update.logrotate
clamav.spec
clamd-README
clamd.logrotate
[email protected]
daily-26614.cvd
freshclam-sleep
freshclam.sysconfig
main-62.cvd
```

If clamav has it in its own source code and an updated version of clamav is downloadable then it will be the maintainer who can do a new build.

> Nick, are you in a position to test either the ClamAV RPM or Docker packages
> on EL7 ? If the Docker works, you could run clamdscan on the main machine
> connecting to the Docker clamd server.
>
> --
> Andrew C. Aitchison                      Kendal, UK
> [email protected]
> _______________________________________________
> epel-devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>

--
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
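The SRPM listing in the message above shows only top-level files, so a zlib copy shipped inside the upstream tarball would not appear in it. The following is an added example, not part of the original message or of the ClamAV or EPEL packaging: it lists every `zlib.h` inside a source tarball together with its `ZLIB_VERSION`. The function names and the sample archive are constructed for illustration.

```shell
#!/bin/sh
# Added example: find zlib copies vendored inside a source tarball.

# Print "path<TAB>ZLIB_VERSION" for each zlib.h member of archive "$1".
# Returns 1 when the archive contains no zlib.h at all.
bundled_zlib() {
    tarball=$1
    members=$(tar -tf "$tarball" | grep -E '(^|/)zlib\.h$') || return 1
    printf '%s\n' "$members" | while IFS= read -r path; do
        # Stream only this member to stdout and read the version macro.
        version=$(tar -xOf "$tarball" "$path" |
            sed -n '/^#define[[:space:]]*ZLIB_VERSION[[:space:]]/{s/[^"]*"\([^"]*\)".*/\1/p;q;}')
        printf '%s\t%s\n' "$path" "${version:-unknown}"
    done
}

# Build a constructed sample tarball (NOT the real ClamAV sources) under "$1".
make_sample() {
    dir=$1
    mkdir -p "$dir/pkg-1.0/src" "$dir/pkg-1.0/third_party/zlib"
    echo 'int main(void){return 0;}' > "$dir/pkg-1.0/src/main.c"
    printf '#define ZLIB_VERSION "0.0.0-sample"\n' \
        > "$dir/pkg-1.0/third_party/zlib/zlib.h"
    tar -cf "$dir/sample.tar" -C "$dir" pkg-1.0
}

# Demo on the constructed archive; for a real SRPM, unpack it first
# (for example with rpm2cpio | cpio) and pass the inner tarball instead.
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp"
    bundled_zlib "$tmp/sample.tar"
    rm -rf "$tmp"
}
demo
```

A negative result only means the sources carry no zlib of their own, in which case the build links against whatever zlib the build root provides. A binary package that statically links zlib has to be checked separately.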
