[EPEL-devel] Re: Are there any plans to rebuild ClamAV in EPEL7 following CVE-2022-37434?

2022-11-01 Thread Sérgio Basto
On Tue, 2022-11-01 at 10:50 +, Nick Howitt via epel-devel wrote:
>  Yesterday, ClamAV announced CVE-2022-37434 as critical
> (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.
> html). Redhat only seem to classify the issue as Moderate in EL7 -
> https://access.redhat.com/security/cve/cve-2022-37434. It looks like
> that, unless Redhat classify it as Critical, zlib and zlib-devel
> won't get updated so ClamAV can't be rebuilt against the updated
> zlib-devel. What is the EPEL take on the issue?


We build clamav from the sources, no bundles involved; we use the system
zlib and libxml2.




-- 
Sérgio M. B.
___
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[EPEL-devel] Re: Are there any plans to rebuild ClamAV in EPEL7 following CVE-2022-37434?

2022-11-01 Thread Nick Howitt via epel-devel



On 01/11/2022 18:36, Stephen Smoogen wrote:
> On Tue, 1 Nov 2022 at 13:44, Nick Howitt via epel-devel wrote:
>
>> On 01/11/2022 15:46, Tuomo Soini wrote:
>>> On Tue, 1 Nov 2022 10:50:02 +
>>> Nick Howitt via epel-devel <epel-devel@lists.fedoraproject.org> wrote:
>>>
>>>> Yesterday, ClamAV announced CVE-2022-37434 as critical
>>>> (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
>>>> Redhat only seem to classify the issue as Moderate in EL7 -
>>>> https://access.redhat.com/security/cve/cve-2022-37434. It looks like
>>>> that, unless Redhat classify it as Critical, zlib and zlib-devel
>>>> won't get updated so ClamAV can't be rebuilt against the updated
>>>> zlib-devel. What is the EPEL take on the issue?
>>> Question was about update of bundled libraries which are not used by
>>> epel package.
>>>
>> Sorry but the spec file has "BuildRequires:  zlib-devel" so it is used
>> for building and, if I understand correctly, the CVE effectively means
>> ClamAV needs to be rebuilt against the fixed zlib/zlib-devel. Please
>> let me know if I have misunderstood.
>
> That means it is using the OS zlib to build things. If RHEL does not
> ship any update, then rebuilding it won't fix anything.
>
> If you backport the fix to the shipped zlib source code and build it
> yourself, then if all goes well everything which was built against the
> original ABI will continue to work without recompiling
>
> If you compile a new zlib then you may need to recompile it but also
> every other spec that requires zlib-devel.

That is going too far for me. I guess I am stuck on RedHat. I have
compiled 0.103.7-2 but with the current zlib/zlib-devel.



[EPEL-devel] Re: Are there any plans to rebuild ClamAV in EPEL7 following CVE-2022-37434?

2022-11-01 Thread Stephen Smoogen
On Tue, 1 Nov 2022 at 13:44, Nick Howitt via epel-devel <
epel-devel@lists.fedoraproject.org> wrote:

>
>
> On 01/11/2022 15:46, Tuomo Soini wrote:
> > On Tue, 1 Nov 2022 10:50:02 +
> > Nick Howitt via epel-devel  wrote:
> >
> >> Yesterday, ClamAV announced CVE-2022-37434 as critical
> >> (
> https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
> >> Redhat only seem to classify the issue as Moderate in EL7 -
> >> https://access.redhat.com/security/cve/cve-2022-37434. It looks like
> >> that, unless Redhat classify it as Critical, zlib and zlib-devel
> >> won't get updated so ClamAV can't be rebuilt against the updated
> >> zlib-devel. What is the EPEL take on the issue?
> > Question was about update of bundled libraries which are not used by
> > epel package.
> >
> Sorry but the spec file has "BuildRequires:  zlib-devel" so it is used
> for building and, if I understand correctly, the CVE effectively means
> ClamAV needs to be rebuilt against the fixed zlib/zlib-devel. Please let
> me know if I have misunderstood.
>
>
That means it is using the OS zlib to build things. If RHEL does not ship
any update, then rebuilding it won't fix anything.

If you backport the fix to the shipped zlib source code and build it
yourself, then if all goes well everything which was built against the
original ABI will continue to work without recompiling

If you compile a new zlib then you may need to recompile it but also every
other spec that requires zlib-devel.

-- 
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle.
-- Ian MacClaren


[EPEL-devel] Re: Are there any plans to rebuild ClamAV in EPEL7 following CVE-2022-37434?

2022-11-01 Thread Nick Howitt via epel-devel



On 01/11/2022 15:46, Tuomo Soini wrote:
> On Tue, 1 Nov 2022 10:50:02 +
> Nick Howitt via epel-devel  wrote:
>
>> Yesterday, ClamAV announced CVE-2022-37434 as critical
>> (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
>> Redhat only seem to classify the issue as Moderate in EL7 -
>> https://access.redhat.com/security/cve/cve-2022-37434. It looks like
>> that, unless Redhat classify it as Critical, zlib and zlib-devel
>> won't get updated so ClamAV can't be rebuilt against the updated
>> zlib-devel. What is the EPEL take on the issue?
>
> Question was about update of bundled libraries which are not used by
> epel package.

Sorry but the spec file has "BuildRequires:  zlib-devel" so it is used 
for building and, if I understand correctly, the CVE effectively means 
ClamAV needs to be rebuilt against the fixed zlib/zlib-devel. Please let 
me know if I have misunderstood.



[EPEL-devel] Fedora EPEL 7 updates-testing report

2022-11-01 Thread updates
The following builds have been pushed to Fedora EPEL 7 updates-testing

cekit-4.4.0-1.el7
centpkg-0.6.8-1.el7
scitokens-cpp-0.7.3-1.el7

Details about builds:



 cekit-4.4.0-1.el7 (FEDORA-EPEL-2022-0c87c2678e)
 Container image creation tool

Update Information:

CEKit 3.4.0 Release

ChangeLog:

* Mon Oct 31 2022 Nick Cross  - 4.4.0-1
- Release 4.4.0




 centpkg-0.6.8-1.el7 (FEDORA-EPEL-2022-84d1fe6d1f)
 CentOS utility for working with dist-git

Update Information:

Latest upstream

ChangeLog:

* Tue Nov  1 2022 Troy Dawson  - 0.6.8-1
- Latest upstream




 scitokens-cpp-0.7.3-1.el7 (FEDORA-EPEL-2022-69b7104c4c)
 C++ Implementation of the SciTokens Library

Update Information:

Retry failed key renewal every 5 minutes. Add curl timeout of 4 seconds
for update, and 30 for expired keys.

ChangeLog:

* Tue Nov  1 2022 Derek Weitzel  - 0.7.3-1
- Retry failed key renewal every 5 minutes
* Mon Oct 31 2022 Derek Weitzel  - 0.7.2-1
- Add curl timeout of 4 seconds for update, and 30 for expired keys
* Sat Jul 23 2022 Fedora Release Engineering  - 
0.7.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild




[EPEL-devel] [Fedocal] Reminder meeting : EPEL Steering Committee

2022-11-01 Thread tdawson
Dear all,

You are kindly invited to the meeting:
   EPEL Steering Committee on 2022-11-02 from 16:00:00 to 17:00:00 US/Eastern
   At fedora-meet...@irc.libera.chat

The meeting will be about:
This is the weekly EPEL Steering Committee Meeting.

A general agenda is the following:

#topic aloha

#topic EPEL Issues https://pagure.io/epel/issues
* https://pagure.io/epel/issues?tags=meeting&status=Open

#topic Old Business (if needed)

#topic General Issues / Open Floor




Source: https://calendar.fedoraproject.org//meeting/9854/



[EPEL-devel] Re: Are there any plans to rebuild ClamAV in EPEL7 following CVE-2022-37434?

2022-11-01 Thread Tuomo Soini
On Tue, 1 Nov 2022 10:50:02 +
Nick Howitt via epel-devel  wrote:

> Yesterday, ClamAV announced CVE-2022-37434 as critical 
> (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html). 
> Redhat only seem to classify the issue as Moderate in EL7 - 
> https://access.redhat.com/security/cve/cve-2022-37434. It looks like 
> that, unless Redhat classify it as Critical, zlib and zlib-devel
> won't get updated so ClamAV can't be rebuilt against the updated
> zlib-devel. What is the EPEL take on the issue?

Question was about update of bundled libraries which are not used by
epel package.

-- 
Tuomo Soini 
Foobar Linux services
+358 40 5240030
Foobar Oy 


[EPEL-devel] Fedora EPEL 8 updates-testing report

2022-11-01 Thread updates
The following Fedora EPEL 8 Security updates need testing:
 Age  URL
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-fac3491880   xerces-c-3.2.3-5.el8


The following builds have been pushed to Fedora EPEL 8 updates-testing

arm-none-eabi-gcc-cs-12.2.0-4.el8
arm-none-eabi-newlib-4.1.0-7.el8
cekit-4.4.0-1.el8
centpkg-0.6.8-1.el8
java-latest-openjdk-19.0.1.0.10-1.rolling.el8
scitokens-cpp-0.7.3-1.el8
xournalpp-1.1.2-1.el8

Details about builds:



 arm-none-eabi-gcc-cs-12.2.0-4.el8 (FEDORA-EPEL-2022-2def2696fa)
 GNU GCC for cross-compilation for arm-none-eabi target

Update Information:

Initial epel8 build

ChangeLog:

* Sun Oct 30 2022 Michal Hlavinka  - 1:12.2.0-4
- full build
* Wed Oct 26 2022 Michal Hlavinka  - 1:12.2.0-3
- autogen does not seem to be required anymore
* Tue Oct 25 2022 Michal Hlavinka  - 1:12.2.0-2
- bootstrap build (do not use)
* Tue Aug 23 2022 Michal Hlavinka  - 1:12.2.0-1
- updated to 12.2.0
* Tue Aug  2 2022 Michal Hlavinka  - 1:12.1.0-2
- fix FTBFS (#2113112)
* Wed Jul 27 2022 Michal Hlavinka  - 1:12.1.0-1
- updated to 12.1.0
* Wed Jul 20 2022 Fedora Release Engineering  - 
1:11.3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun  1 2022 Michal Hlavinka  - 1:11.3.0-1
- updated to 11.3.0
* Wed Jan 19 2022 Fedora Release Engineering  - 
1:11.1.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Jul 21 2021 Fedora Release Engineering  - 
1:11.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue May  4 2021 Michal Hlavinka  - 1:11.1.0-1
- regular build for 11.1.0
* Tue May  4 2021 Michal Hlavinka  - 1:11.1.0-0
- bootstrap build for 11.1.0
* Sun Apr 11 2021 Michal Hlavinka  - 1:10.2.0-5
- add explicit requirement for autoconf 2.69
* Wed Feb 24 2021 Jeff Law  - 1:10.2.0-4
- Packport fix for libbacktrace's handling of dwarf-5
* Tue Jan 26 2021 Fedora Release Engineering  - 
1:10.2.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Nov  4 2020 Michal Hlavinka  - 1:10.2.0-2
- regular build for 10.2.0
* Wed Nov  4 2020 Michal Hlavinka  - 1:10.2.0-1
- bootstrap build for gcc 10.2.0
* Mon Aug 10 2020 Jeff Law  - 1:9.2.0-8
- Disable LTO on s390x for now
* Sat Aug  1 2020 Fedora Release Engineering  - 
1:9.2.0-7
- Second attempt - Rebuilt for
  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering  - 
1:9.2.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 20 2020 Jeff Law  - 1:9.2.0-5
- Fix broken configured tests compromised by LTO
- Add autoconf to BuildRequires
* Tue Jan 28 2020 Fedora Release Engineering  - 
1:9.2.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Dec 14 2019 Jeff Law  - 1:9.2.0-3
- Backport change to libbacktrace testsuite so it works with gcc-10
* Wed Oct  9 2019 Jerry James  - 1:9.2.0-2
- Rebuild for mpfr 4
* Wed Aug 21 2019 Michal Hlavinka  - 1:9.2.0-1
- updated to 9.2.0
* Wed Jul 24 2019 Fedora Release Engineering  - 
1:7.4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Feb 27 2019 Michal Hlavinka  - 1:7.4.0-1
- updated to 7.4.0
* Thu Jan 31 2019 Fedora Release Engineering  - 
1:7.3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jul 12 2018 Fedora Release Engineering  - 
1:7.3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jul  9 2018 Michal Hlavinka  - 1:7.3.0-1
- updated to 7.3.0
* Wed Feb  7 2018 Fedora Release Engineering  - 
1:7.1.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Aug  2 2017 Fedora Release Engineering  - 
1:7.1.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering  - 
1:7.1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Jun 23 2017 Michal Hlavinka  - 1:7.1.0-3
- propper build for 7.1.0, prev one was still bootstrap
* Fri Jun 23 2017 Michal Hlavinka  - 1:7.1.0-2
- propper build for 7.1.0
* Thu Jun 22 2017 Michal Hlavinka  - 1:7.1.0-1
- bootstrap build for 7.1.0
* Fri Feb 10 2017 Fedora Release Engineering  - 
1:6.2.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Sun Nov 13 2016 Michal Hlavinka  - 1:6.2.0-2
- propper build for 6.2.0
* Sun Nov 13 2016 Michal Hlavinka  - 1:6.2.0-1
- bootstrap build for 6.2.0
* Fri Jul  8 2016 Michal Hlavinka  - 1:6.1.0-2
- proper build of new version
* Tue Jun 28 2016 Michal Hlavinka  - 1:6.1.0-1
- bootstrap build for gcc 6.1.0
* Wed Feb  3 2016 Fedora Release Engineering  - 
1:5.2.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Thu Nov 12 2015 Michal Hlav

[EPEL-devel] Re: EPEL2RHEL - New Wording? - New Workflow?

2022-11-01 Thread Troy Dawson
On Fri, Sep 2, 2022 at 10:55 AM Davide Cavalca via epel-devel <
epel-devel@lists.fedoraproject.org> wrote:

> On Thu, 2022-09-01 at 12:12 -0500, Maxwell G via epel-devel wrote:
> > I think this whole process should be automated. File bugs that say
> > "Heads up:
> > your package will be automatically retired after the release of RHEL
> > X.X" and
> > provide some explanation.
>
> Agreed. This is a pretty mechanical process: all the maintainer would
> do is run "fedpkg retire" for the appropriate branches, and that looks
> reasonable to automate. If we're concerned about bugs in the automation
> retiring packages that shouldn't be impacted, we can have it file a
> ticket for signoff on the EPEL tracker (or have some other process to
> spot check, at least until we're confident it'll do the right thing).
>

Sorry for delaying this for so long. Things came up, but now I have some
time.

I think step one in this automation workflow is to not assign the bugs to
the package at all.
Assign the bugs to EPEL / distribution, but keep them as blockers on the
EPEL2RHEL tracker[1].
This gets rid of the busy maintainer problem.  Where they just read the
subject and do what it says.
This also allows the automation to not have to deal with all the different
packages.

I think for the automation to happen, we also have to get the subject line
updated.
If we can get it to have what release is in it, parsing the subject line is
much easier than going through all the bugzilla comments trying to find
what release this is supposed to come out in.
Something like "Remove yara from epel8 when RHEL 8.7 is released"

I think once we get to that point, I should be able to write a script that
can grab all the open tickets on the EPEL2RHEL tracker and check if they
are released, and do appropriate things.

Does this sound good to people?

Troy

[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1998160


[EPEL-devel] Re: Are there any plans to rebuild ClamAV in EPEL7 following CVE-2022-37434?

2022-11-01 Thread Nick Howitt via epel-devel



On 01/11/2022 11:57, Stephen Smoogen wrote:
> On Tue, 1 Nov 2022 at 07:48, Andrew C Aitchison wrote:
>
>> On Tue, 1 Nov 2022, Stephen Smoogen wrote:
>>
>>> On Tue, 1 Nov 2022 at 06:59, Nick Howitt via epel-devel <
>>> epel-devel@lists.fedoraproject.org> wrote:
>>>
>>>> Yesterday, ClamAV announced CVE-2022-37434 as critical
>>>> (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
>>>> Redhat only seem to classify the issue as Moderate in EL7 -
>>>> https://access.redhat.com/security/cve/cve-2022-37434. It looks like
>>>> that, unless Redhat classify it as Critical, zlib and zlib-devel won't get
>>>> updated so ClamAV can't be rebuilt against the updated zlib-devel. What is
>>>> the EPEL take on the issue?
>>>
>>> Well if the EL7 in the base operating system is not getting updated, then
>>> any rebuild by EPEL is not going to see a 'fixed' version. It isn't just
>>> zlib-devel which would need to be fixed but the zlib libraries that clamav
>>> needs to link to on a system.
>>
>> This particular case is more "interesting", as the ClamAV RPM and
>> Docker image both bundle updated versions of zlib and libxml.
>
> My apologies. I looked in the clamav-0.103.7-1.el7.src.rpm and didn't
> see a separate libz tar ball that most bundled packages come with.
>
> ```
> $ rpm -qlp clamav-0.103.7-1.el7.src.rpm
> README.fedora
> bytecode-333.cvd
> clamav-0.103.7-norar.tar.xz
> clamav-0.99-private.patch
> clamav-clamonacc-service.patch
> clamav-default_confs.patch
> clamav-freshclam.service.patch
> clamav-milter.systemd
> clamav-stats-deprecation.patch
> clamav-update.crond
> clamav-update.logrotate
> clamav.spec
> clamd-README
> clamd.logrotate
> clamd@.service
> daily-26614.cvd
> freshclam-sleep
> freshclam.sysconfig
> main-62.cvd
> ```
>
> If clamav has it in its own source code and an updated version of
> clamav is downloadable then it will be the maintainer who can do a new
> build.
>
>> Nick, are you in a position to test either the ClamAV RPM or Docker
>> packages on EL7 ? If the Docker works, you could run clamdscan on the
>> main machine connecting to the Docker clamd server.

I am unfortunately not really able to do anything to test the rpm or
docker build. I use ClearOS7 and, in this case, because ClearOS
(apparently) were compiling ClamAV before EPEL (many, many moons ago),
they use different file locations and (possibly) a couple of different
file names. Their build is based on the EPEL sources but the spec file
is modified slightly before building. I really wish they had changed
their apps to use the EPEL build directly, but unfortunately they didn't
and their apps are not compatible with the EPEL build.

I was hoping EPEL could provide guidance about how they could possibly
solve the issue so I could compile it myself.


Nick


[EPEL-devel] Re: Are there any plans to rebuild ClamAV in EPEL7 following CVE-2022-37434?

2022-11-01 Thread Stephen Smoogen
On Tue, 1 Nov 2022 at 07:48, Andrew C Aitchison 
wrote:

> On Tue, 1 Nov 2022, Stephen Smoogen wrote:
>
> > On Tue, 1 Nov 2022 at 06:59, Nick Howitt via epel-devel <
> > epel-devel@lists.fedoraproject.org> wrote:
> >
> >> Yesterday, ClamAV announced CVE-2022-37434 as critical (
> >>
> https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
> >> Redhat only seem to classify the issue as Moderate in EL7 -
> >> https://access.redhat.com/security/cve/cve-2022-37434. It looks like
> >> that, unless Redhat classify it as Critical, zlib and zlib-devel won't
> get
> >> updated so ClamAV can't be rebuilt against the updated zlib-devel. What
> is
> >> the EPEL take on the issue?
> >>
> >
> > Well if the EL7 in the base operating system is not getting updated, then
> > any rebuild by EPEL is not going to see a 'fixed' version. It isn't just
> > zlib-devel which would need to be fixed but the zlib libraries that
> clamav
> > needs to link to on a system.
>
> This particular case is more "interesting", as the ClamAV RPM and
> Docker image both bundle updated versions of zlib and libxml.
>
>
My apologies. I looked in the clamav-0.103.7-1.el7.src.rpm and didn't see a
separate libz tar ball that most bundled packages come with.
```
$ rpm -qlp clamav-0.103.7-1.el7.src.rpm
README.fedora
bytecode-333.cvd
clamav-0.103.7-norar.tar.xz
clamav-0.99-private.patch
clamav-clamonacc-service.patch
clamav-default_confs.patch
clamav-freshclam.service.patch
clamav-milter.systemd
clamav-stats-deprecation.patch
clamav-update.crond
clamav-update.logrotate
clamav.spec
clamd-README
clamd.logrotate
clamd@.service
daily-26614.cvd
freshclam-sleep
freshclam.sysconfig
main-62.cvd
```
If clamav has it in its own source code and an updated version of clamav is
downloadable then it will be the maintainer who can do a new build.


> Nick, are you in a position to test either the ClamAV RPM or Docker
> packages
> on EL7 ? If the Docker works, you could run clamdscan on the main machine
> connecting to the Docker clamd server.
>
> --
> Andrew C. Aitchison  Kendal, UK
> and...@aitchison.me.uk


-- 
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle.
-- Ian MacClaren
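The three checks Stephen's replies in this thread walk through (does the source RPM bundle its own zlib, which libz the installed binary resolves at run time, and does the installed zlib's changelog reference the CVE), written up as an added shell example. This is not code from the thread or from the clamav package; the `rpm -qlp` listing is copied from the thread, while the ldd and changelog samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the clamav package): the three checks
# the thread walks through for CVE-2022-37434, written as filters over saved
# tool output so they run without rpm or ldd present.

# Listing of the source RPM, as printed by `rpm -qlp` in the thread
# (shortened to the entries that matter for the check).
SRPM_LISTING='README.fedora
bytecode-333.cvd
clamav-0.103.7-norar.tar.xz
clamav-0.99-private.patch
clamav.spec
main-62.cvd'

# Constructed `ldd /usr/bin/clamscan` output; load addresses are made up.
LDD_OUTPUT='    linux-vdso.so.1 =>  (0x00007ffd3a1f0000)
    libclamav.so.9 => /lib64/libclamav.so.9 (0x00007f2b9c000000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f2b9bc00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2b9b800000)'

# Constructed `rpm -q --changelog zlib` output, before and after a fix.
CHANGELOG_UNPATCHED='* Mon Jun 07 2021 Example Maintainer - 1.2.7-20
- Rebuilt (constructed entry)'
CHANGELOG_PATCHED='* Tue Nov 01 2022 Example Maintainer - 1.2.7-21
- Resolves: CVE-2022-37434 (constructed entry)
* Mon Jun 07 2021 Example Maintainer - 1.2.7-20
- Rebuilt (constructed entry)'

# Check 1: does the source RPM carry its own zlib?  Reads the `rpm -qlp`
# listing on stdin and prints "bundled" if a zlib/libz tarball is among
# the sources, otherwise "system".
zlib_source_of_srpm() {
    if grep -Eiq '^(zlib|libz)[-_]?[0-9].*\.(tar(\.[a-z0-9]+)?|tgz|zip)$'; then
        printf 'bundled\n'
    else
        printf 'system\n'
    fi
}

# Check 2: which zlib does the installed binary resolve at run time?
# Reads ldd output on stdin and prints the resolved path of libz.so, or
# "none" when libz is not a dynamic dependency (static or unused).
runtime_zlib_path() {
    awk '$1 ~ /^libz\.so/ { print $3; found = 1 }
         END { if (!found) print "none" }'
}

# Check 3: does the installed zlib's changelog reference the CVE id?
# Reads `rpm -q --changelog zlib` on stdin; prints "fixed" or "unfixed".
changelog_has_cve() {
    if grep -Fq "$1"; then printf 'fixed\n'; else printf 'unfixed\n'; fi
}

# Combine the three results into the conclusion the thread reaches:
#   bundled zlib        -> a new clamav build from updated sources fixes it
#   no dynamic libz     -> cannot tell from ldd; inspect the build
#   system zlib fixed   -> updating zlib is enough; same ABI, no rebuild
#   system zlib unfixed -> rebuilding clamav changes nothing
advise() {
    src_kind="$1" runtime="$2" changelog="$3"
    if [ "$src_kind" = bundled ]; then
        printf 'rebuild-clamav\n'
    elif [ "$runtime" = none ]; then
        printf 'inspect-static-link\n'
    elif [ "$changelog" = fixed ]; then
        printf 'update-zlib-only\n'
    else
        printf 'blocked-on-os-zlib\n'
    fi
}

# Run the checks over the samples and print the verdict.
main() {
    src=$(printf '%s\n' "$SRPM_LISTING" | zlib_source_of_srpm)
    rt=$(printf '%s\n' "$LDD_OUTPUT" | runtime_zlib_path)
    cl=$(printf '%s\n' "$CHANGELOG_UNPATCHED" | changelog_has_cve CVE-2022-37434)
    printf 'source=%s runtime=%s changelog=%s -> %s\n' \
        "$src" "$rt" "$cl" "$(advise "$src" "$rt" "$cl")"
}

main
```

On a real EL7 host the same functions take live input: `rpm -qlp clamav-*.src.rpm | zlib_source_of_srpm`, `ldd /usr/bin/clamscan | runtime_zlib_path`, and `rpm -q --changelog zlib | changelog_has_cve CVE-2022-37434`.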


[EPEL-devel] Re: Are there any plans to rebuild ClamAV in EPEL7 following CVE-2022-37434?

2022-11-01 Thread Andrew C Aitchison

On Tue, 1 Nov 2022, Stephen Smoogen wrote:

> On Tue, 1 Nov 2022 at 06:59, Nick Howitt via epel-devel <
> epel-devel@lists.fedoraproject.org> wrote:
>
>> Yesterday, ClamAV announced CVE-2022-37434 as critical (
>> https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
>> Redhat only seem to classify the issue as Moderate in EL7 -
>> https://access.redhat.com/security/cve/cve-2022-37434. It looks like
>> that, unless Redhat classify it as Critical, zlib and zlib-devel won't get
>> updated so ClamAV can't be rebuilt against the updated zlib-devel. What is
>> the EPEL take on the issue?
>
> Well if the EL7 in the base operating system is not getting updated, then
> any rebuild by EPEL is not going to see a 'fixed' version. It isn't just
> zlib-devel which would need to be fixed but the zlib libraries that clamav
> needs to link to on a system.


This particular case is more "interesting", as the ClamAV RPM and
Docker image both bundle updated versions of zlib and libxml.

Nick, are you in a position to test either the ClamAV RPM or Docker packages
on EL7 ? If the Docker works, you could run clamdscan on the main machine
connecting to the Docker clamd server.

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


[EPEL-devel] Re: Are there any plans to rebuild ClamAV in EPEL7 following CVE-2022-37434?

2022-11-01 Thread Stephen Smoogen
On Tue, 1 Nov 2022 at 06:59, Nick Howitt via epel-devel <
epel-devel@lists.fedoraproject.org> wrote:

> Yesterday, ClamAV announced CVE-2022-37434 as critical (
> https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
> Redhat only seem to classify the issue as Moderate in EL7 -
> https://access.redhat.com/security/cve/cve-2022-37434. It looks like
> that, unless Redhat classify it as Critical, zlib and zlib-devel won't get
> updated so ClamAV can't be rebuilt against the updated zlib-devel. What is
> the EPEL take on the issue?
>

Well if the EL7 in the base operating system is not getting updated, then
any rebuild by EPEL is not going to see a 'fixed' version. It isn't just
zlib-devel which would need to be fixed but the zlib libraries that clamav
needs to link to on a system.

This problem isn't new and is common when any RHEL reaches its '2 years
until expiration'. We usually see more software where the upstream vendor
believes a problem is critical but the OS vendor does not in the oldest
version. This being a volunteer organization, we generally have to go with
what copious free time allows which is usually nil and nothing.



-- 
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle.
-- Ian MacClaren


[EPEL-devel] Are there any plans to rebuild ClamAV in EPEL7 following CVE-2022-37434?

2022-11-01 Thread Nick Howitt via epel-devel
Yesterday, ClamAV announced CVE-2022-37434 as critical 
(https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html). 
Redhat only seem to classify the issue as Moderate in EL7 - 
https://access.redhat.com/security/cve/cve-2022-37434. It looks like 
that, unless Redhat classify it as Critical, zlib and zlib-devel won't 
get updated so ClamAV can't be rebuilt against the updated zlib-devel. 
What is the EPEL take on the issue?