Re: [Pkg-clamav-devel] Bug#1031509: ETA on Patch for Buster

2023-02-21 Thread Sebastian Andrzej Siewior
+LTS

On 2023-02-20 12:22:48 [+0200], Andries Malan wrote:
> Hi There
Hi,

> Would you be so kind as to provide an ETA for the above mentioned bug that
> was reported.
> This would be greatly appreciated.

I Cced the LTS team because Buster is LTS territory.

> Regards

Sebastian



Re: [Pkg-clamav-devel] Clamav Package

2022-10-30 Thread Sebastian Andrzej Siewior
On 2022-10-29 18:05:32 [+0530], Utkarsh Gupta wrote:
> In general, we have certain packages that we want to keep up-to-date
> in LTS and ELTS releases and ClamAV being one of them. It wasn't a
> pressing issue since there are no security issues in this release but
> I'll look into this and prepare backports for buster, stretch, and
> jessie.

as per:
   https://docs.clamav.net/faq/faq-eol.html

Their definition of "supported" includes access to CVD updates. The LTS
definition contains this
|  Users must stay up-to-date with the latest patch versions for
|  continued support.

My understanding is that they reserve the right to reject old versions
but haven't done so yet. Currently they ban only 102 and earlier.

> - u

Sebastian



Re: [Pkg-clamav-devel] Clamav Package

2022-10-28 Thread Sebastian Andrzej Siewior
On 2022-10-28 16:20:03 [+0300], Klaipedaville Mail wrote:
> Hello,
Hi,

> It looks like updating packages is running for about 5 months late
> again if I am not mistaken. This is what my logs tell me.. and my
> eyes..  any news on updates, please? Many thanks!
> 
> "Clamav is outdated, don't panic" (I've been reading this daily in my
> logs for the past 5 months).
> 
> Appreciate.

unstable/stable has 0.103.7 which is up-to-date. oldstable is earlier and
is LTS.

> Regards,
> Dennis

Sebastian



Re: [Pkg-clamav-devel] Clamav Package

2021-12-31 Thread Sebastian Andrzej Siewior
On 31 December 2021 06:21:57 UTC, Klaipedaville Mail wrote:
>Hello,
>
>Is clamav abandoned by Debian forever? That's the only reason I can come up 
>with as to why it takes more than 6 months to create / update the clamav 
>package as per my email down-below. Is it good-bye for good clamav? Does 
>anyone know?

The latest 103 version is in stable/oldstable:
https://tracker.debian.org/pkg/clamav

You need to enable proposed updates:

https://www.debian.org/releases/proposed-updates.html
>
>Happy Holidays!
>
>Regards,
>Dennis

-- 
Sebastian



ClamAV LTS.

2021-12-08 Thread Sebastian Andrzej Siewior
OldOldStable has 0.102.4+dfsg-0+deb9u2. This should be updated to the
103 series. I want to upload 103.4 to old-stable/stable but didn't find
the time yet.
The problem with the 102 series that it is getting EOL soon. See
https://docs.clamav.net/faq/faq-eol.html#version-support-matrix

Older (non-supported) versions are already blocked from db-updates. There
will probably be an announcement on the upstream side.

Sebastian



Re: [Pkg-clamav-devel] Bug#942172: clamav-daemon: After upgrade, clamd cannot create /var/run/clamav/clamd.ctl and stop.

2021-06-29 Thread Sebastian Andrzej Siewior
On 2019-10-14 14:32:54 [+0200], Marco Gaiarin wrote:
> I can confirm that now the bug is solved.

closing.

> Thanks!

Sebastian



Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Sebastian Andrzej Siewior
On 2019-04-15 22:36:31 [+0200], Ola Lundqvist wrote:
> Hi again
> 
> I have now compared the 0.100.2 version in stretch to the version 0.100.3
> in stretch updates.
> I can then see that most of the changes that I'm worried about are not
> included.
> 
> This means that I will take the .orig file and include a sub-set of the
> updates.
> The remaining updates will be:
> - Symbol updates (unavoidable I think).

you need to update the symbol file as we have in Stretch. The reason is
that clamav-daemon (among other clamav packages) _have_ to pull in
libclamav from this version. The clamav-* packages use internal symbols
from that library and would complain otherwise.

> - Copyright update (not sure if it is necessary but I'll include it anyway)
> 
> The rest will not be updated.
> 
> Best regards
> 
> // Ola

Sebastian



Re: Bug#906724: clamav-daemon: uninstallable on jessie i386 due to dependencies on clamav-base

2018-10-09 Thread Sebastian Andrzej Siewior
On 2018-08-20 10:07:43 [+0200], Kiko Piris wrote:
> Package: clamav-daemon
> Version: 0.100.1+dfsg-0+deb8u1
> Severity: important
> 
> The following packages have unmet dependencies:
>  clamav-daemon : Depends: clamav-base (= 0.100.0+dfsg-0+deb8u1) but 
> 0.100.1+dfsg-0+deb8u1 is installed.

I am closing this as a non-bug. The upload [0] provided the
clamav-base and clamav-daemon should depend on it. I see it on security
mirror [1] so I *think* something has been configured wrongly.

I Cc the uploader/LTS in case something went wrong for !amd64 users.

[0] 
https://tracker.debian.org/news/981072/accepted-clamav-01001dfsg-0deb8u1-source-all-amd64-into-oldstable-oldstable/
[1] 
http://cdn-fastly.deb.debian.org/debian-security/pool/updates/main/c/clamav/?C=M;O=A

> Thanks.

Sebastian



Re: Jessie update of clamav?

2018-07-19 Thread Sebastian Andrzej Siewior
On 2018-07-19 17:06:30 [+0200], Mike Gabriel wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Jessie version of clamav:
> https://security-tracker.debian.org/tracker/CVE-2018-0360
> https://security-tracker.debian.org/tracker/CVE-2018-0361
> 
> Would you like to take care of this yourself?

I will look after the Stretch update. I won't do it for Jessie. I
*strongly* recommend that you take the Stretch version and push it
into Jessie. That means you end up with 0.100.1 and not 0.100.0 plus
those two CVEs. One thing that did not receive a CVE was the fix in the
libmspack library which is bundled in clamav and libmspack upstream
fixed it differently (hint: the debian version uses the library). The
same goes for the unrar parts.

> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt
As I said, I strongly recommend not only fixing the CVEs mentioned.
Upstream is not very good at it.

Sebastian



Re: Bug#902290: Too abrupt removal of configuration option in stable update

2018-07-04 Thread Sebastian Andrzej Siewior
control: tags -1 patch

On 2018-07-04 14:06:54 [+0200], To Hans van Kranenburg wrote:
> On 2018-06-24 17:12:19 [+0200], Hans van Kranenburg wrote:
> > My mailserver logs now contain 'ERROR: Parse error at line 74: Unknown
> > option StatsHostID', and when that's removed, it reports the next option
> > that is removed, 'StatsPEDisabled', and so on.
> …
> > Or, alternatively when throwing newer versions in stable, they have to
> > be closely inspected to detect options that are removed and get patches
> > like you did for #826406.
> 
> I'm sorry. I've seen the removal of options and I didn't think about
> this. If you handle the config file with debconf then the option should
> vanish automatically. However if you edit the file manually then user's
> input is required and if nothing happens then clamav will abort.
> 
> I intend to address this for deb9 and document this behaviour so I
> will remember it next time. I have to figure out who is in charge of
> deb8 and I *think* it is LTS by now.

so I added a fix [0] to the Stretch branch for this. It would be nice if
you could have a look on the Stretch package in case something else is
missing :)

With this change you should see something like
| Jul 04 22:14:08 deb9amd64 clamd[8720]: WARNING: Ignoring deprecated option StatsTimeout at line 88
| Jul 04 22:14:08 deb9amd64 clamd[8720]: WARNING: Ignoring deprecated option StatsPEDisabled at line 89

and move on.
Now Jessie. It would be nice if the LTS team could pick it up. On the
other hand the point-release exposed the problem and everyone had to
deal with it…

[0] 
https://salsa.debian.org/clamav-team/clamav/blob/stretch/debian/patches/Deprecate-unused-options-instead-of-removing-it.patch

> > Thanks,

Sebastian
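As an added illustration (not ClamAV's own parser and not the patch linked above), here is a small Python parser that contrasts the two behaviours on a clamd.conf-style file: abort at the first removed option, or warn and continue. The option names are the ones from this thread; the known/deprecated sets and the sample config are constructed.

```python
# Added illustration, not ClamAV's own code: how a config parser can treat
# options that a newer release removed. Option names come from the thread;
# the known/deprecated sets and the sample config below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical sets; the real daemon keeps its option table in C.
KNOWN = {"LogFile", "LocalSocket", "MaxThreads"}
DEPRECATED = {"StatsHostID", "StatsPEDisabled", "StatsTimeout"}


@dataclass
class ParseResult:
    options: Dict[str, str] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)
    error: Optional[str] = None


def parse_clamd_conf(text: str, deprecate: bool) -> ParseResult:
    """With deprecate=False the first removed option aborts the parse (the
    behaviour the bug reported); with deprecate=True it is skipped with a
    warning and parsing continues, as the Stretch fix does."""
    res = ParseResult()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if name in KNOWN:
            res.options[name] = value
        elif name in DEPRECATED and deprecate:
            res.warnings.append(
                f"WARNING: Ignoring deprecated option {name} at line {lineno}")
        else:
            res.error = f"ERROR: Parse error at line {lineno}: Unknown option {name}"
            break
    return res


# Constructed sample, not a real clamd.conf.
SAMPLE_CONF = """\
# constructed sample
LogFile /var/log/clamav/clamav.log
StatsHostID auto
LocalSocket /var/run/clamav/clamd.ctl
StatsPEDisabled yes
MaxThreads 12
"""

if __name__ == "__main__":
    for mode in (False, True):
        r = parse_clamd_conf(SAMPLE_CONF, deprecate=mode)
        print(*(r.warnings + ([r.error] if r.error else [])), sep="\n")
```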



Re: [Pkg-clamav-devel] Wheezy update of clamav?

2018-03-09 Thread Sebastian Andrzej Siewior
On 2018-03-09 11:45:58 [+0100], Santiago R.R. wrote:
> Hi,
> 
> On 02/03/18 at 23:36, Sebastian Andrzej Siewior wrote:
> > On 2018-03-02 02:19:04 [+], Scott Kitterman wrote:
> > > Conveniently, upstream just released 0.99.4 that addresses this and some 
> > > other issues.  I'd suggest you let us get that into stable/oldstable 
> > > first.
> > 
> > I will try to get to this around SA/SO for Stretch/Jessie. There are 5
> > CVEs in total (not just the one you (the LTS team) mentioned).
> 
> Just to be sure, the new upstream release should be used to fix the
> issues in wheezy too?

We do this (update to current ClamAV version) for the supported Debian
releases. I recommend to do this for the LTS version, too. Besides clamav
you should have a look at libclamunrar which is non-free.
Upstream has historically been bad at documenting security related fixes.
This may have improved now but I wouldn't take it for granted. In the
past the reporter had to ask for CVE numbers and do the process of
documenting. It was possible that the "fix" contained a follow-up fix
(or multiple) which were not documented in the bugzilla entry.
There were fixes of the same importance (found by a fuzzer and the
fuzzed file crashed clamav) that didn't get a CVE number assigned and
would have otherwise been ignored by your security upload. I could give
you examples of each kind (and I don't need to go far back in history,
0.99.3 has a few examples already).
The part that the engine may ignore signatures because they require a
newer engine is just the tip of the iceberg :)

> Should I include a file in security-tracker's packages/ directory to
> describe that the way to address issues is by updating complete upstream
> releases?
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#80

Clamav was updated via volatile in the past. This moved to
stable/updates now. The security team is not comfortable with
security related changes and new features in an all-in-one release. Since I
am involved, the updates were always via stable which included a full
upstream release. There were one or two exceptions where we first picked
up a few security related fixes and then pushed the complete release.

> Cheers,
> 
> S

Sebastian



Re: [Pkg-clamav-devel] Wheezy update of clamav?

2018-03-02 Thread Sebastian Andrzej Siewior
On 2018-03-02 02:19:04 [+], Scott Kitterman wrote:
> Conveniently, upstream just released 0.99.4 that addresses this and some 
> other issues.  I'd suggest you let us get that into stable/oldstable first.

I will try to get to this around SA/SO for Stretch/Jessie. There are 5
CVEs in total (not just the one you (the LTS team) mentioned).

> Scott K

Sebastian



Re: Wheezy update of clamav?

2018-03-01 Thread Sebastian Andrzej Siewior
On 2018-02-28 16:47:47 [-0500], Antoine Beaupre wrote:
> Dear maintainer(s),
Hi,

> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of clamav:
> 
> https://security-tracker.debian.org/tracker/CVE-2018-185

interesting. So that one is fixed in the beta but not in the stable
release including Stretch/Jessie.

> Would you like to take care of this yourself?
No but thank you for letting us know that this one is still missing. I
will try to take care of this for Stretch/Jessie. Is this the only one
missing?

Sebastian



Re: libmspack / clamav issue in Wheezy

2017-08-05 Thread Sebastian Andrzej Siewior
On 2017-08-05 09:29:50 [-0400], Markus Koschany wrote:
> this yourself? I have just added clamav to dla-needed.txt, so a team member
> might start to work on it anytime if you are busy.
Yes, please.

> Regards,
> 
> Markus

Sebastian



libmspack / clamav issue in Wheezy

2017-08-04 Thread Sebastian Andrzej Siewior
Hi,

CVE-2017-11423 has been reported against libmspack. Clamav in Wheezy is
affected because it bundles the libmspack library. Clamav upstream fixed
it via

https://github.com/vrtadmin/clamav-devel/commit/ffa31264a657618a0e40c51c01e4bfc32e244d13

https://github.com/vrtadmin/clamav-devel/commit/ada5f94e5cfb04e1ac2a6f383f2184753f475b96
and I just updated the security-tracker to reflect this. Jessie+ is
using the libmspack in the archive so it will be fixed once libmspack is
updated.

Sebastian



Re: Wheezy update of libclamunrar?

2017-07-05 Thread Sebastian Andrzej Siewior
On 2017-07-05 08:36:28 [+0100], Chris Lamb wrote:
> Dear maintainer(s),
Hi,

> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libclamunrar:
> https://security-tracker.debian.org/tracker/source-package/libclamunrar
> 
> Would you like to take care of this yourself?
No, sorry.

> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

This

https://anonscm.debian.org/cgit/pkg-clamav/libclamunrar.git/tree/debian/patches?h=jessie

points to the patches folder I intend to push for Jessie. Wheezy should be
the same thing. The thing in the tracker is
unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch

however I also recommend that you add the other four patches as well
(they are part of Jessie+). This fixes an out-of-band memory access and
upstream did not make a fuss about it.

> Chris Lamb,
>   on behalf of the Debian LTS team.

Sebastian



Re: [Pkg-clamav-devel] ClamAV Package on Wheezy

2016-07-03 Thread Sebastian Andrzej Siewior
On 2016-06-30 09:36:18 [+0300], Klaipedaville on Google wrote:
> Hello there,
Hi,

> It’s been almost half a year since I’ve been getting this "Clamav is 
> outdated, don't panic" message in my logs and patiently waiting for updates. 
> I was wondering is it not available / coming any more in packages and we are 
> on our own now to compile it from sources? Could anybody advise, please? Many 
> thanks!

Wheezy is now in the hands of the Debian-LTS team. I won't do an upload
but according to my IRC backlog someone from the LTS team is looking into
this. I CCed the LTS team to ACK/NACK my statement :)

> Regards,
> Dennis.

Sebastian