
Bug#987038: buster-pu: package clamav/0.103.2+dfsg-0+deb10u1



On Wed, 2021-04-21 at 21:35 +0200, Sebastian Andrzej Siewior wrote:
> On 2021-04-20 20:52:09 [+0100], Adam D. Barratt wrote:
> > Please feel free to upload. I assume that, given there are security
> > fixes involved, you'd prefer an early release via stable-updates as
> > we've done with a number of updates in the past?
> 
> Thank you, uploaded. Yes, please. In the past we had it stable-pu for
> a day or two and then enabled it via stable/updates if I remember
> correctly. 

I think that's more a function of the time it takes to notice that
everything built, prepare the SUA text and then have an SRM be
available near enough to a dinstall to release the announcement mail,
rather than a deliberate choice.

I drafted some text for an SUA; comments / complete rewriting welcome:

=========================================================
ClamAV is an AntiVirus toolkit for Unix.

Upstream published version 0.103.2.

This is a bug-fix release.

Changes since 0.102.3 currently in buster include the removal of the
"safe browsing" signature database, and fixes for security issues.

CVE-2021-1405

    A vulnerability in the email parsing module could allow an
    unauthenticated, remote attacker to cause a denial of service
    condition on an affected device.

If you use clamav, we recommend that you install this update.
=========================================================

I realise that there are fixes for more CVEs in 0.103.2, but did not
mention them as they're not changes relative to the current buster
package AIUI.

I also removed our usual "[t]he changes are not strictly
required for operation" text, as I wasn't sure if that's actually
accurate in this case.

Regards,

Adam

