Bug#987038: buster-pu: package clamav/0.103.2+dfsg-0+deb10u1
On 2021-04-22 16:58:46 [+0100], Adam D. Barratt wrote:
> On Wed, 2021-04-21 at 21:35 +0200, Sebastian Andrzej Siewior wrote:
> > On 2021-04-20 20:52:09 [+0100], Adam D. Barratt wrote:
> > > Please feel free to upload. I assume that, given there are security
> > > fixes involved, you'd prefer an early release via stable-updates as
> > > we've done with a number of updates in the past?
> >
> > Thank you, uploaded. Yes, please. In the past we had it stable-pu for
> > a day or two and then enabled it via stable/updates if I remember
> > correctly.
>
> I think that's more a function of the time it takes to notice that
> everything built, prepare the SUA text and then have an SRM be
> available near enough to a dinstall to release the announcement mail,
> rather than a deliberate choice.
I see.
> I drafted some text for an SUA; comments / complete rewriting welcome:
>
> =========================================================
> ClamAV is an AntiVirus toolkit for Unix.
>
> Upstream published version 0.103.2.
>
> This is a bug-fix release.
>
> Changes since 0.102.3 currently in buster include the removal of the
> "safe browsing" signature database, and fixes for security issues.
This version also introduced non-blocking database reloads, during which
clamd temporarily requires twice as much memory. The behaviour is
controlled by the ConcurrentDatabaseReload option.
> CVE-2021-1405
>
> A vulnerability in the email parsing module could allow an
> unauthenticated, remote attacker to cause a denial of service
> > condition on an affected device.
>
> If you use clamav, we recommend that you install this update.
> =========================================================
>
> I realise that there are fixes for more CVEs in 0.103.2, but did not
> mention them as they're not changes relative to the current buster
> package AIUI.
This is correct.
> I also removed our usual "[t]he changes are not strictly
> required for operation" text, as I wasn't sure if that's actually
> accurate in this case.
Yes, at least due to the CVEs in here I would consider that this is
required for operation due to the security aspect.
Thank you.
> Regards,
>
> Adam
Sebastian