Hi Salvatore,

> I would say it depends a bit, I would say. It might be clear, but just
> to be on the safe side stating it here: the CVEs fixed for clamav are not
> to be associated with those rebuild packages as well.
>
> I was thinking if I remember similar cases for DSAs. Let me see, on
> top of the head I do not recall actually many such special cases. Only
> two I remembered and looked up, there might be more!
>
> DSA-3433-1 was a case where we needed an update for ldb first, and
> then a rebuild of samba as well with that version in place. So not
> really exactly what you have here.
>
> CVE-2013-7439 was another case, more similar to the one which is to be
> handled by you. As the list there was too long, we decided back then
> to put the list in the tracker; this is not very optimal though. If
> you have only those couple of rebuilds, then you can simply state this
> in the DLA for clamav, that packages x, y and z are to be rebuilt for
> the ABI changes.
>
> Of course you can decide to release single DLAs for the 'package
> update due to the need of rebuild', but I guess it should be made
> clear then in the text of the DLA that they are just needed due to the
> ABI change in clamav.

Thanks for this advice. Indeed, releasing security advisories for rebuilds (which are, in the end, non-security-related issues) doesn't sound right.

Releasing a single DLA similar to dsa-3224 is probably the best option, and instead of pointing to the tracker I would just explain the situation and list the four reverse dependencies.

cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C