On Sun, Mar 27, 2016 at 11:05:53PM +0200, Sebastian Andrzej Siewior wrote:
> On 2016-03-25 10:18:53 [+0100], [email protected] wrote:
> > Dear clamav maintainers,
>
> Hi Harald,

Hi Sebastian

> > I just wanted to ask if it would be possible to adapt clamav to llvm 3.7
> > as 3.6 (at least the Debian package) contains a vulnerability which
> > seems to impair (at least according to the security tracker) the
> > security of clamav. As it is often used in a network context (mail and
>
> Are you talking about CVE-2015-2305 / Henry Spencer BSD regex
> library?

Yes that is the one I was referring to, sorry I did not mention it correctly.

> It
> looks hard to trigger (it was the case in clamav usage of the library). It
> would be probably best if you ping the llvm maintainer to get it fixed.

Well as far as I saw the case is that llvm 3.6 will eventually not make it into stable as it is already superseded by newer versions (llvm-3.8 is already in unstable).

> According to the tracker 3.5 for instance has the same problem and this is
> part of stable. So the best thing to do seems to get llvm fixed.

It seems like the "fix" for 3.5 would be the update to 3.5.2 :-(.

> I am not even sure whether clamav compiles against 3.7. But I was not
> aware (until now) that 3.7 is part of testing. It wasn't the last time I
> looked at it.

Hmmm I understand well then maybe I will try to compile it myself and see if it works.

>
> BTW: llvm is only used for the bytecode interpreter which becomes jit. If you
> disable bytecode thingy then it should be not used. The bytecode data comes
> from clamav.

Ok thanks for this workaround.

> > web proxy scanning) this seems to be a not very desirable situation.
> > When answering please keep me cc as I'm not subscribed to your list.
> >
> > Thanks for your time
> > Kind regards
> > Harald Jenny
>
> Sebastian

Wish you a good night
Harald Jenny

_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel
