Re: Question about the status of libclamunrar9/libclamunrar and CVE-2023-40477 in debian buster aka oldoldstable

To: Markus Koschany <apo@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, Klaus Zerwes <kzerwes@web.de>
Cc: debian-lts@lists.debian.org
Subject: Re: Question about the status of libclamunrar9/libclamunrar and CVE-2023-40477 in debian buster aka oldoldstable
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Tue, 14 Nov 2023 09:46:31 +0100
Message-id: <[🔎] e986c875-842f-4173-b192-ef2a2364ce69@debian.org>
In-reply-to: <[🔎] 31ecd254b0752f8f34e875f8830f30283ed70230.camel@debian.org>
References: <3be4168fd6f171f98ce5301ec9205d3d7834cd93.camel@web.de> <[🔎] ZVKBdNeT1BoQXeuW@eldamar.lan> <[🔎] 31ecd254b0752f8f34e875f8830f30283ed70230.camel@debian.org>

On 13/11/2023 21:29, Markus Koschany wrote:

Hi,

Ist there any chance that the patched version (0.103.10) will be back-
ported from bullseye?


Thanks for the heads-up. We will update clamav in Buster to 0.103.10 as well to
include the patches for libclamunrar.

clamav is unaffected in Debian as libclamunrar code is removed and split intosrc:libclamunrar (non-free).


I'll update the package in dla-needed to reflect this.

Cheers,
Emilio

Reply to:

References:
- Re: Question about the status of libclamunrar9/libclamunrar and CVE-2023-40477 in debian buster aka oldoldstable
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: Question about the status of libclamunrar9/libclamunrar and CVE-2023-40477 in debian buster aka oldoldstable
  - From: Markus Koschany <apo@debian.org>