[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ClamAV update in jessie

Hi Salvatore,

> I would say it depends a bit, I would say. It might be clear, but just
> to be on safe side stating it here: the CVEs fixed for clamav are not
> to be associated with those rebuild packages as well.
> I was thinking if I remember similar cases for DSAs. Let me see, on
> top of the head I do not recall actually much such special cases. Only
> two I remembered and looked up, there might be more!
> DSA-3433-1 was a case where we needed an update for ldb first, and
> then a rebuild of samba as well with that version in place. So not
> really exactly what you have here.
> CVE-2013-7439 was another case, more similar to the one which is to be
> handled by you. As the list there was too long, we decided back then
> to put the list in the tracker, this is not very optimal though. If
> you have only those couple of rebuilds, then you simply can state this
> in the DLA for clamav, that package x, y and z are to be rebuild for
> the ABI changes.
> Of course you can decide to release single DLAs for the 'package
> update due to the need of rebuild', but I guess it should be made
> clear then in the text of the DLA that they are just needed due to the
> ABI change in clamav.

Thanks for these advices. Indeed, releasing security advisories for
rebuilds (which are, in the end, non-security related issues) doesn't sound

Releasing a single DLA similar to dsa-3224 is probably the best option, and
instead of pointing to the tracker I would just explain the situation and
list the four reverse dependencies.


                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Attachment: signature.asc
Description: PGP signature

Reply to: