Re: [Pkg-clamav-devel] Wheezy update of clamav?

2018-03-09 Thread Moritz Mühlenhoff
On Fri, Mar 09, 2018 at 10:17:05PM +0100, Sebastian Andrzej Siewior wrote:
> Clamav was updated via volatile in the past. This moved to
> stable/updates now. The security team is not comfortable with
> security related changes and new features in an all-in-one release.

That's not the reason. -updates is for fast-changing packages which
regularly need to be updated outside the stable point releases, like
tzdata. clamav as a package which needs updates of its scan engine
to pick up new malware signature engine features exactly fits that
definition. And if we update a package via -updates it
doesn't make sense to selectively ship some via security.debian.org
and some not.

Cheers,
Moritz

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel


Re: [Pkg-clamav-devel] Wheezy update of clamav?

2018-03-09 Thread Sebastian Andrzej Siewior
On 2018-03-09 11:45:58 [+0100], Santiago R.R. wrote:
> Hi,
> 
> On 02/03/18 at 23:36, Sebastian Andrzej Siewior wrote:
> > On 2018-03-02 02:19:04 [+], Scott Kitterman wrote:
> > > Conveniently, upstream just released 0.99.4 that addresses this and some 
> > > other issues.  I'd suggest you let us get that into stable/oldstable 
> > > first.
> > 
> > I will try to get to this around SA/SO for Stretch/Jessie. There are 5
> > CVEs in total (not just the one you (the LTS team) mentioned).
> 
> Just to be sure, the new upstream release should be used to fix the
> issues in wheezy too?

We do this (update to current ClamAV version) for the supported Debian
releases. I recommend doing this for the LTS version, too. Besides clamav
you should have a look at libclamunrar which is non-free.
Upstream has historically been bad at documenting security related fixes.
This may have improved now but I wouldn't take it for granted. In the
past the reporter had to ask for CVE numbers and do the process of
documenting. It was possible that the "fix" contained a follow-up fix
(or multiple) which were not documented in the bugzilla entry.
There were fixes of the same importance (found by a fuzzer, and the
fuzzed file crashed clamav) which didn't get a CVE number assigned and
would have otherwise been ignored by your security upload. I could give
you examples of each kind (and I don't need to go far back in history,
0.99.3 has a few examples already).
The fact that the engine may ignore signatures because they require a
newer engine is just the tip of the iceberg :)

> Should I include a file in security-tracker's packages/ directory to
> describe that the way to address issues is by updating complete upstream
> releases?
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#80

Clamav was updated via volatile in the past. This moved to
stable/updates now. The security team is not comfortable with
security related changes and new features in an all-in-one release. Since I
have been involved, the updates were always via stable and included a full
upstream release. There were one or two exceptions where we first picked
up a few security related fixes and then pushed the complete release.

> Cheers,
> 
> S

Sebastian


Re: [Pkg-clamav-devel] Wheezy update of clamav?

2018-03-09 Thread Moritz Muehlenhoff
On Fri, Mar 09, 2018 at 11:45:58AM +0100, Santiago R.R. wrote:
> Hi,
> 
> On 02/03/18 at 23:36, Sebastian Andrzej Siewior wrote:
> > On 2018-03-02 02:19:04 [+], Scott Kitterman wrote:
> > > Conveniently, upstream just released 0.99.4 that addresses this and some 
> > > other issues.  I'd suggest you let us get that into stable/oldstable 
> > > first.
> > 
> > I will try to get to this around SA/SO for Stretch/Jessie. There are 5
> > CVEs in total (not just the one you (the LTS team) mentioned).
> 
> Just to be sure, the new upstream release should be used to fix the
> issues in wheezy too?

Definitely, clamav is only updated via jessie-updates/stretch-updates
as it needs a current runtime to be able to parse all malware signatures
(independent of vulnerabilities in clamav itself).

But you need to make sure that wheezy is not updated ahead of jessie/stretch,
otherwise you'll break upgrades.

Cheers,
Moritz



Re: [Pkg-clamav-devel] Wheezy update of clamav?

2018-03-09 Thread Santiago R.R.
Hi,

On 02/03/18 at 23:36, Sebastian Andrzej Siewior wrote:
> On 2018-03-02 02:19:04 [+], Scott Kitterman wrote:
> > Conveniently, upstream just released 0.99.4 that addresses this and some 
> > other issues.  I'd suggest you let us get that into stable/oldstable first.
> 
> I will try to get to this around SA/SO for Stretch/Jessie. There are 5
> CVEs in total (not just the one you (the LTS team) mentioned).

Just to be sure, the new upstream release should be used to fix the
issues in wheezy too?

Should I include a file in security-tracker's packages/ directory to
describe that the way to address issues is by updating complete upstream
releases?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#80

Cheers,

S



Re: [Pkg-clamav-devel] Wheezy update of clamav?

2018-03-01 Thread Scott Kitterman
Conveniently, upstream just released 0.99.4 that addresses this and some other 
issues.  I'd suggest you let us get that into stable/oldstable first.

Scott K

On March 1, 2018 10:07:53 PM UTC, Sebastian Andrzej Siewior wrote:
>On 2018-02-28 16:47:47 [-0500], Antoine Beaupre wrote:
>> Dear maintainer(s),
>Hi,
>
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of clamav:
>> 
>> https://security-tracker.debian.org/tracker/CVE-2018-185
>
>interesting. So that one is fixed in the beta but not in the stable
>release including Stretch/Jessie.
>
>> Would you like to take care of this yourself?
>No but thank you for letting us know that this one is still missing. I
>will try to take care of this for Stretch/Jessie. Is this the only one
>missing?
>
>Sebastian
>



Re: [Pkg-clamav-devel] Wheezy update of clamav?

2018-03-01 Thread Sebastian Andrzej Siewior
On 2018-02-28 16:47:47 [-0500], Antoine Beaupre wrote:
> Dear maintainer(s),
Hi,

> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of clamav:
> 
> https://security-tracker.debian.org/tracker/CVE-2018-185

interesting. So that one is fixed in the beta but not in the stable
release including Stretch/Jessie.

> Would you like to take care of this yourself?
No but thank you for letting us know that this one is still missing. I
will try to take care of this for Stretch/Jessie. Is this the only one
missing?

Sebastian
