
Re: Jessie update of clamav?



On 2018-07-19 17:06:30 [+0200], Mike Gabriel wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Jessie version of clamav:
> https://security-tracker.debian.org/tracker/CVE-2018-0360
> https://security-tracker.debian.org/tracker/CVE-2018-0361
> 
> Would you like to take care of this yourself?

I will look after the Stretch update. I won't do it for Jessie. I
*strongly* recommend that you take the Stretch version and push it
into Jessie. That means you end up with 0.100.1 and not 0.100.0 plus
those two CVEs. One thing that did not receive a CVE was the fix in the
libmspack library which is bundled in clamav and libmspack upstream
fixed it differently (hint: the Debian version uses the library). The
same goes for the unrar parts.

> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt
As I said, I strongly recommend to not only fix the CVEs mentioned.
Upstream is not very good at it.

Sebastian

