Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2022-01-25 Thread Sebastian Andrzej Siewior
On 2022-01-25 18:46:16 [+], Adam D. Barratt wrote:
> For the record, .5 was released via {buster,bullseye}-updates last
> night; see SUA211-1 / 
> https://lists.debian.org/debian-stable-announce/2022/01/msg1.html

Thank you.

> Regards,
> 
> Adam

Sebastian



Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2022-01-25 Thread Adam D. Barratt
On Sun, 2022-01-16 at 19:09 +, Adam D. Barratt wrote:
> On Fri, 2022-01-14 at 21:51 +0100, Sebastian Andrzej Siewior wrote:
> > > Speaking of latest patch version: Upstream released today .5.
> > > Would
> > > you
> > > prefer to wait with this until I upload .5 to unstable and
> > > stable/oldstable for this (and avoiding a second announcement)?
> > 
> > I assume a direct update to .5 is preferred so I attached it here.
> > Regarding the wording: in [0] upstream says that they are going to
> > block 0.102 and earlier from database updates so we should be good.
> > That means they did not mention to block previous 0.103 releases so
> > there is probably no need to add stronger wording as I suggested.
> > The NEWS file mentions a CVE which looks harmless in typical mail
> > server setup since it requires an additional option for scanning.
> > 
> > I have it in unstable since the 12th and deployed the Buster
> > version
> > on a server and had the regular testing for Bullseye.
> 
> Sorry, things have been a little hectic recently.
> 
> Updating to .5 seems to make sense for everyone; thanks.
> 

For the record, .5 was released via {buster,bullseye}-updates last
night; see SUA211-1 / 
https://lists.debian.org/debian-stable-announce/2022/01/msg1.html

Regards,

Adam



Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2022-01-16 Thread Adam D. Barratt
On Fri, 2022-01-14 at 21:51 +0100, Sebastian Andrzej Siewior wrote:
> > Speaking of latest patch version: Upstream released today .5. Would
> > you
> > prefer to wait with this until I upload .5 to unstable and
> > stable/oldstable for this (and avoiding a second announcement)?
> 
> I assume a direct update to .5 is preferred so I attached it here.
> Regarding the wording: in [0] upstream says that they are going to
> block 0.102 and earlier from database updates so we should be good.
> That means they did not mention to block previous 0.103 releases so
> there is probably no need to add stronger wording as I suggested.
> The NEWS file mentions a CVE which looks harmless in typical mail
> server setup since it requires an additional option for scanning.
> 
> I have it in unstable since the 12th and deployed the Buster version
> on a server and had the regular testing for Bullseye.

Sorry, things have been a little hectic recently.

Updating to .5 seems to make sense for everyone; thanks.

Regards,

Adam



Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2022-01-14 Thread Sebastian Andrzej Siewior
On 2022-01-12 20:44:46 [+0100], To Adam D. Barratt wrote:
> > I wasn't really sure which of the changes made sense to mention, but
> > had a go at an initial draft for an announcement. Tweaks, updates or
> > complete rewrites welcome:
> > 
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > ClamAV is an AntiVirus toolkit for Unix.
> > 
> > Upstream published version 0.103.4.
> > 
> > This is a bug-fix release and an upstream LTS release. The changes are not
> > currently required for operation, but upstream strongly recommends that 
> > users
> > update.
> 
> Maybe adding something like
>   ", but upstream strongly recommends that users update for continued
>   support."
> 
> Upstream asks to use latest patch level version for support which
> includes access to the signature database.
> 
> Speaking of latest patch version: Upstream released today .5. Would you
> prefer to wait with this until I upload .5 to unstable and
> stable/oldstable for this (and avoiding a second announcement)?

I assume a direct update to .5 is preferred so I attached it here.
Regarding the wording: in [0] upstream says that they are going to
block 0.102 and earlier from database updates so we should be good. That
means they did not mention to block previous 0.103 releases so there is
probably no need to add stronger wording as I suggested.
The NEWS file mentions a CVE which looks harmless in typical mail server
setup since it requires an additional option for scanning.

I have it in unstable since the 12th and deployed the Buster version on
a server and had the regular testing for Bullseye.

[0] https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html

> > Regards,
> > 
> > Adam

Sebastian
diff -Nru clamav-0.103.4+dfsg/clamav-milter/clamav-milter.c clamav-0.103.5+dfsg/clamav-milter/clamav-milter.c
--- clamav-0.103.4+dfsg/clamav-milter/clamav-milter.c	2021-11-02 16:47:46.0 +0100
+++ clamav-0.103.5+dfsg/clamav-milter/clamav-milter.c	2022-01-11 00:17:45.0 +0100
@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2013-2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ *  Copyright (C) 2013-2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
  *  Copyright (C) 2008-2013 Sourcefire, Inc.
  *
  *  Author: aCaB 
@@ -96,7 +96,7 @@
 
 sigset_t sigset;
 struct sigaction act;
-const char * user_name = NULL;
+const char *user_name = NULL;
 
 cl_initialize_crypto();
 
@@ -122,7 +122,7 @@
 printf("\n");
 printf("   Clam AntiVirus: Milter Mail Scanner %s\n", get_version());
 printf("   By The ClamAV Team: https://www.clamav.net/about.html#credits\n;);
-printf("   (C) 2021 Cisco Systems, Inc.\n");
+printf("   (C) 2022 Cisco Systems, Inc.\n");
 printf("\n");
 printf("%s [-c ]\n\n", argv[0]);
 printf("\n");
@@ -158,7 +158,7 @@
 }
 free(pt);
 
-if ((opt = optget(opts, "User"))->enabled){
+if ((opt = optget(opts, "User"))->enabled) {
 user_name = opt->strarg;
 }
 
@@ -419,7 +419,7 @@
 if ((opt = optget(opts, "PidFile"))->enabled) {
 FILE *fd;
 mode_t old_umask = umask(0002);
-int err = 0;
+int err  = 0;
 
 if ((fd = fopen(opt->strarg, "w")) == NULL) {
 logg("!Can't save PID in file %s\n", opt->strarg);
@@ -434,14 +434,14 @@
 umask(old_umask);
 
 #ifndef _WIN32
-if (0 == err){
+if (0 == err) {
 /*If the file has already been created by a different user, it will just be
  * rewritten by us, but not change the ownership, so do that explicitly.
  */
-if (0 == geteuid()){
-struct passwd * pw = getpwuid(0);
-int ret = lchown(opt->strarg, pw->pw_uid, pw->pw_gid);
-if (ret){
+if (0 == geteuid()) {
+struct passwd *pw = getpwuid(0);
+int ret   = lchown(opt->strarg, pw->pw_uid, pw->pw_gid);
+if (ret) {
 logg("!Can't change ownership of PID file %s '%s'\n", opt->strarg, strerror(errno));
 err = 1;
 }
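Review bot: the reformatted block under `if (0 == geteuid())` still dereferences the result of `getpwuid(0)` without a NULL check; `struct passwd *pw = getpwuid(0);` followed by `lchown(opt->strarg, pw->pw_uid, pw->pw_gid)` will crash if the passwd database has no entry for uid 0 (possible in a minimal container with a stripped /etc/passwd). Since these lines are being touched anyway, guard `pw == NULL` with a `logg(...)` and `err = 1;`, mirroring the existing `lchown` failure path two lines below.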
@@ -449,7 +449,7 @@
 }
 #endif /*_WIN32*/
 
-if (err){
+if (err) {
 localnets_free();
 whitelist_free();
 logg_close();
@@ -460,7 +460,7 @@
 
 #ifndef _WIN32
 dropPrivRet = drop_privileges(user_name, logg_file);
-if (dropPrivRet){
+if (dropPrivRet) {
 optfree(opts);
 return dropPrivRet;
 }
@@ -468,7 +468,7 @@
 /* We have been daemonized, and initialization is done.  Signal
  * the parent process so that it can exit cleanly.
  */
-if (parentPid != getpid()){ //we have been daemonized
+if (parentPid != getpid()) { //we have been daemonized
 daemonize_signal_parent(parentPid);
 }
 #endif
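Review bot: style point on the daemonization hunk: `if (parentPid != getpid()) { //we have been daemonized` keeps a C++-style `//` comment while the rest of this file, including the block comment directly above it, uses `/* ... */`; since the line is being reformatted anyway, fold the remark into the block comment above or write it as `/* we have been daemonized */`.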
diff -Nru clamav-0.103.4+dfsg/clamd/clamd.c 

Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2022-01-12 Thread Sebastian Andrzej Siewior
On 2022-01-11 21:17:54 [+], Adam D. Barratt wrote:
> Now that the equivalent update made it to stretch, this seems as good a
> time as any - I'm assuming that no major issues have been reported in
> unstable in the meantime?

correct.

> I wasn't really sure which of the changes made sense to mention, but
> had a go at an initial draft for an announcement. Tweaks, updates or
> complete rewrites welcome:
> 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> ClamAV is an AntiVirus toolkit for Unix.
> 
> Upstream published version 0.103.4.
> 
> This is a bug-fix release and an upstream LTS release. The changes are not
> currently required for operation, but upstream strongly recommends that users
> update.

Maybe adding something like
  ", but upstream strongly recommends that users update for continued
  support."

Upstream asks to use latest patch level version for support which
includes access to the signature database.

Speaking of latest patch version: Upstream released today .5. Would you
prefer to wait with this until I upload .5 to unstable and
stable/oldstable for this (and avoiding a second announcement)?

> Changes since 0.103.3 currently in buster and bullseye include fixes for
> several possible crashes, corrected handling of 0-byte incremental database
> updates and the renaming of several heuristic-based alerts.
> 
> If you use clamav, we recommend that you install this update.
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> 
> Regards,
> 
> Adam

Sebastian



Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2022-01-11 Thread Adam D. Barratt
On Thu, 2021-12-23 at 21:22 +0100, Sebastian Andrzej Siewior wrote:
> On 2021-12-23 15:38:16 [+], Adam D. Barratt wrote:
[...]
> > Were you anticipating that 0.103.4 would get published via
> > -updates, or
> > simply with the next point releases?
> 
> it would be good to get it published via -updates. No need to rush.

Now that the equivalent update made it to stretch, this seems as good a
time as any - I'm assuming that no major issues have been reported in
unstable in the meantime?

I wasn't really sure which of the changes made sense to mention, but
had a go at an initial draft for an announcement. Tweaks, updates or
complete rewrites welcome:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ClamAV is an AntiVirus toolkit for Unix.

Upstream published version 0.103.4.

This is a bug-fix release and an upstream LTS release. The changes are not
currently required for operation, but upstream strongly recommends that users
update.

Changes since 0.103.3 currently in buster and bullseye include fixes for
several possible crashes, corrected handling of 0-byte incremental database
updates and the renaming of several heuristic-based alerts.

If you use clamav, we recommend that you install this update.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Regards,

Adam



Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2021-12-23 Thread Sebastian Andrzej Siewior
On 2021-12-23 15:38:16 [+], Adam D. Barratt wrote:
> Hi,
Hi Adam,

> fwiw, even with the reduced diffs, neither request made it to debian-
> release.

Oh shoot. You're the best Adam. I meant to ping the list in case it
didn't make through but forgot to check…

> Were you anticipating that 0.103.4 would get published via -updates, or
> simply with the next point releases?

it would be good to get it published via -updates. No need to rush.

> Regards,
> 
> Adam

Sebastian



Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2021-12-23 Thread Adam D. Barratt
Hi,

On Tue, 2021-12-21 at 22:01 +0100, Sebastian Andrzej Siewior wrote:
> This is an update to clamav package to the current LTS version
> 0.103.4.
> The update contains various fixes, none of them were classified as
> critical however the NEWS.md mentions a few descriptor and memory
> leaks.
> Freshclam received a few fixes in response to zero-byte CDIFF updates
> which was not handled very well and was reported a few times.
> 
> The package is aligned with unstable upload.
> I also added the man-page for clamonacc (which is also in unstable
> but
> not in the previous stable release).
> 
> Please find attached the debdiff vs the previous release without
> doc/html/* changes in the source archive which shrinks the diff down
> to
> 600KiB from 10MiB.

fwiw, even with the reduced diffs, neither request made it to debian-
release.

Were you anticipating that 0.103.4 would get published via -updates, or
simply with the next point releases?

Regards,

Adam