On Sun, Mar 27, 2016 at 11:05:53PM +0200, Sebastian Andrzej Siewior wrote:
> On 2016-03-25 10:18:53 [+0100], har...@a-little-linux-box.at wrote:
> > Dear clamav maintainers,
>
> Hi Harald,

Hello Sebastian

>
> > I just wanted to ask if it would be possible to adapt clamav to llvm 3.7
> > as 3.6 (at least the Debian package) contains a vulnerability which
> > seems to impair (at least according to the security tracker) the
> > security of clamav. As it is often used in a network context (mail and
>
> Are you talking about CVE-2015-2305 / Henry Spencer BSD regex library? It
> looks hard to trigger (it was the case in clamav usage of the library). It
> would be probably best if you ping the llvm maintainer to get it fixed.
> According to the tracker 3.5 for instance has the same problem and this is
> part of stable. So the best thing to do seems to get llvm fixed.
> I am not even sure whether clamav compiles against 3.7. But I was not
> aware (until now) that 3.7 is part of testing. It wasn't the last time I
> looked at it.

Did some testing to compile clamav with llvm 3.7 but there are going to be
many code changes which need intimate knowledge of llvm I guess. Hope that
the llvm package from experimental which pulls in llvm 3.7 as default llvm
version won't reach unstable soon ;-).

>
> BTW: llvm is only used for the bytecode interpreter which becomes jit. If you
> disable bytecode thingy then it should be not used. The bytecode data comes
> from clamav.
>
> > web proxy scanning) this seems to be a not very desirable situation.
> > When answering please keep me cc as I'm not subscribed to your list.
> >
> > Thanks for your time
> > Kind regards
> > Harald Jenny
>
> Sebastian

Wish you a nice weekend
Harald
