Hi all, On Do 19 Jul 2018 21:18:13 CEST, Sebastian Andrzej Siewior wrote:
On 2018-07-19 17:06:30 [+0200], Mike Gabriel wrote:The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of clamav: https://security-tracker.debian.org/tracker/CVE-2018-0360 https://security-tracker.debian.org/tracker/CVE-2018-0361 Would you like to take care of this yourself?I will look after the Stretch update. I won't do it for Jessie. I *strongly* recommend that you take the Stretch version and and push it into Jessie. That means you end up with 0.100.1 and not 0.100.0 plus those two CVEs. One thing that did not receive a CVE was the fix in the libmspack library which in bundled in clamav and libmspack upstream fixed it differently (hint: the debian version uses the library). The same goes for the unrar parts.PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txtAs I said, I strongly recommend to not only fix the CVEs mentioned. Upstream is not very good at it. Sebastian
Thanks for the quick response and the feedback. Much appreciated. We will discuss your proposal and someone will pick up the task soon.
Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4354) 8390 139 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunweaver@debian.org, http://sunweavers.net
Attachment:
pgpHZBiw4C6Sp.pgp
Description: Digitale PGP-Signatur