[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Test request Re: [Pkg-clamav-devel] LTS update of clamav and call for advice



Dropped the security team from the cc.

install clamav-daemon and clamav-testfiles and then use clamdscan to scan 
them:

$ clamdscan /usr/share/clamav-testfiles/clam*

The unrar test files will come up as not infected unless you also install 
libclamunrar7 from non-free.  That's normal.

Scott K

On Monday, April 15, 2019 11:25:39 PM Ola Lundqvist wrote:
> Hi
> 
> Great
> 
> Updated packages are now available on
> https://apt.inguza.net/jessie-security/clamav
> 
> Testing is much appreciated since I have limited experience of clamav
> myself.
> 
> I can test that the package installs properly but I'm not sure I can
> regression test it properly myself.
> 
> Anyone who knows how to regression test it properly?
> 
> Best regards
> 
> // Ola
> 
> On Mon, 15 Apr 2019 at 23:16, Scott Kitterman <debian@kitterman.com> wrote:
> > That sounds like the right approach.
> > 
> > Scott K
> > 
> > On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> > > Hi again
> > > 
> > > I have now compared the 0.100.2 version in stretch to the version
> > > 0.100.3
> > > in stretch updates.
> > > I can then see that most of the changes that I'm worried about is not
> > > included.
> > > 
> > > This means that I will take the .orig file and include a sub-set of the
> > > updates.
> > > The remaining updates will be:
> > > - Symbol updates (unavoidable I think).
> > > - Copyright update (not sure if it is necessary but I'll include it
> > 
> > anyway)
> > 
> > > The rest will not be updated.
> > > 
> > > Best regards
> > > 
> > > // Ola
> > > 
> > > On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist <ola@inguza.com> wrote:
> > > > Hi Scott
> > > > 
> > > > I have now walked through the difference in the debian directories
> > 
> > between
> > 
> > > > the version in jessie and stretch updates.
> > > > I think there is more work than just a simple changelog update.
> > > > 
> > > > 1) The changelog file contain a lot of changes. I wonder how we
> > 
> > generally
> > 
> > > > should it. If I backport a package from current stable should I keep
> > 
> > that
> > 
> > > > changelog and just add one entry or should I pretent that the jessie
> > > > version still apply and add one entry from that one... Not sure
> > > > myself.
> > > > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and
> > 
> > a
> > 
> > > > patch introduced to not depend on it
> > > > 3) Config file moved
> > > > from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> > > > to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> > > > 4) Changes in postinst. Not sure if it is backwards compatible or not
> > 
> > yet.
> > 
> > > > Preliminary not.
> > > > 5) Debhelper compat updated. Should be ok.
> > > > 6) Build dependency changes.
> > > > 7) clamav-dbg package no longer provided
> > > > 8) so files moved from /usr/lib/libclamav.so to
> > 
> > /usr/lib/xxx/libclamav.so
> > 
> > > > and pkgconfig moved accordingly.
> > > > 9) Support for llvm introduced. Should probably be ok.
> > > > 10) A LOT of symbols changed. They are delared private so it should be
> > 
> > ok.
> > 
> > > > But you never know.
> > > > 
> > > > It would be helpful if you can help me judge if any of the above means
> > > > backwards incompatibility.
> > > > 
> > > > I'm most worried about the following:
> > > > - Socket change
> > > > - Config file change
> > > > - Postinst change
> > > > - clamav-dbg
> > > > - Symbol changes
> > > > 
> > > > Thank you in advance
> > > > 
> > > > // Ola
> > > > 
> > > > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman <debian@kitterman.com>
> > 
> > wrote:
> > > >> I believe you've misunderstood.
> > > >> 
> > > >> The version in stable is 0.100.3 and does not have a soname bump (nor
> > > >> does it
> > > >> need one).  You should be able to update the LTS with that package
> > 
> > with
> > 
> > > >> little
> > > >> more (maybe no more) than an updated changelog.
> > > >> 
> > > >> Scott K
> > > >> 
> > > >> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> > > >> > Hi Scott and LTS team
> > > >> > 
> > > >> > Thank you. I'll see if I can backport the required fixes. That may
> > > >> > solve
> > > >> > the library issue.
> > > >> > 
> > > >> > Alternatively we state that clamav is not supported. Maybe someone
> > 
> > in
> > 
> > > >> the
> > > >> 
> > > >> > LTS team can advice on that.
> > > >> > 
> > > >> > Best regards
> > > >> > 
> > > >> > // Ola
> > > >> > 
> > > >> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman <debian@kitterman.com
> > > >> 
> > > >> wrote:
> > > >> > > Comments inline.
> > > >> > > 
> > > >> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > > >> > > > Hi
> > > >> > > > 
> > > >> > > > I missed to include the clamav maintainers. Sorry about that.
> > > >> > > > 
> > > >> > > > // Ola
> > > >> > > > 
> > > >> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist <ola@inguza.com>
> > 
> > wrote:
> > > >> > > > > Dear maintainers, LTS team and Debian Secutiry team
> > > >> > > > > 
> > > >> > > > > I have started to look at the clamav package update due to
> > > >> > > > > CVE-2019-1787
> > > >> > > > > CVE-2019-1788
> > > >> > > > > CVE-2019-1789
> > > >> > > > > (the other three vulnerabilities are not affecting jessie or
> > > >> 
> > > >> stretch
> > > >> 
> > > >> > > as I
> > > >> > > 
> > > >> > > > > understand it)
> > > >> > > 
> > > >> > > That's correct.
> > > >> > > 
> > > >> > > > > I have understood that the clamav package is typically
> > 
> > updated to
> > 
> > > >> the
> > > >> 
> > > >> > > > > latest version also in stable and oldstable. However when
> > 
> > doing
> > 
> > > >> so I
> > > >> 
> > > >> > > > > encountered quite a few things that I would like to ask your
> > > >> 
> > > >> advice
> > > >> 
> > > >> > > > > on.
> > > >> > > > > 
> > > >> > > > > First of all to the maintainers. Do you want to handle also
> > 
> > LTS
> > 
> > > >> > > > > (oldstable) and regular security (stable) upload of clamav?
> > > >> > > 
> > > >> > > Stable is already done through stable proposed updates (which is
> > 
> > the
> > 
> > > >> > > normal
> > > >> > > path for clamav).  We leave the LTS releases to the LTS team.
> > 
> > Base
> > 
> > > >> your
> > > >> 
> > > >> > > work
> > > >> > > on what's in stable.
> > > >> > > 
> > > >> > > > > Question to maintainers and Security team. Should we
> > 
> > synchronize
> > 
> > > >> the
> > > >> 
> > > >> > > > > efforts here and have you already started on the stable
> > 
> > update?
> > 
> > > >> > > > > If not I have a few questions:
> > > >> > > > > 1) Do you know the binary compatibility between libclamav7
> > > >> > > > > and
> > > >> > > 
> > > >> > > libclamav9?
> > > >> > > 
> > > >> > > > >  I have noticed that the package in sid produces libclamav9
> > 
> > while
> > 
> > > >> the
> > > >> 
> > > >> > > one
> > > >> > > 
> > > >> > > > > in jessie provides libclamav7. Do you think this can be an
> > 
> > issue?
> > 
> > > >> > > Yes.  It's guaranteed to be an issue.  We have a stable
> > > >> > > transition
> > > >> > > prepared
> > > >> > > and will do it (once the srm blesses) after the next point
> > 
> > release in
> > 
> > > >> > > April.
> > > >> > > Note that the security team doesn't support clamav.
> > > >> > > 
> > > >> > > > > 2) Do you think backporting the package in sid is better than
> > > >> 
> > > >> simply
> > > >> 
> > > >> > > > > updating to the latest upstream while keeping most scripts in
> > > >> > > 
> > > >> > > oldstable? I
> > > >> > > 
> > > >> > > > > had to copy over the split-archive.sh to be able to generate
> > > >> > > > > a
> > > >> 
> > > >> proper
> > > >> 
> > > >> > > orig
> > > >> > > 
> > > >> > > > > tarball.
> > > >> > > 
> > > >> > > No.  Use what's in stable proposed updates.
> > > >> > > 
> > > >> > > > > - I personally think the package in sid have a little too
> > > >> > > > > much
> > > >> 
> > > >> updates
> > > >> 
> > > >> > > to
> > > >> > > 
> > > >> > > > > make that safe, especially since it produces new library
> > > >> > > > > packages.
> > > >> > > 
> > > >> > > Agreed.  That would definitely be a bad idea.
> > > >> > > 
> > > >> > > > > - On the other hand, I had to do some modifications already
> > > >> > > > > to
> > > >> 
> > > >> make
> > > >> 
> > > >> > > allow
> > > >> > > 
> > > >> > > > > the package to be generated and I have not even started
> > 
> > building
> > 
> > > >> yet.
> > > >> 
> > > >> > > > > There
> > > >> > > > > may be many fixes needed to make this package work in
> > > >> > > > > oldstable...
> > > >> > > 
> > > >> > > I suspect that what's in stable will work in oldstable, but I
> > 
> > haven't
> > 
> > > >> > > tried
> > > >> > > it.  It'll certainly take less work than what's in sid.
> > > >> > > 
> > > >> > > > > I guess we cannot generate new library package version, or?
> > > >> > > 
> > > >> > > Generally one does not, but for clamav you kind of have to at
> > > >> > > some
> > > >> 
> > > >> point.
> > > >> 
> > > >> > > Note that for libclamav7 -> libclamav9 there are also API
> > 
> > changes, so
> > 
> > > >> > > libclamav-dev reverse builld-depends need patching in addition to
> > > >> > > rebuilding.
> > > >> > > Once we've done that in stable, it should be easy enough to adapt
> > 
> > for
> > 
> > > >> > > oldstable when the time comes.  Don't worry about it now.
> > > >> > > 
> > > >> > > Scott K
> > > > 
> > > > --
> > > > 
> > > >  --- Inguza Technology AB --- MSc in Information Technology ----
> > > >  
> > > > |  ola@inguza.com                    opal@debian.org            |
> > > > |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> > > >  
> > > >  ---------------------------------------------------------------


Reply to: