
Bug#987038: marked as done (buster-pu: package clamav/0.103.2+dfsg-0+deb10u1)



Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #987038,
regarding buster-pu: package clamav/0.103.2+dfsg-0+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987038: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987038
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

This is an update of ClamAV from 0.102.4 to 0.103.2. The 103 release
was in unstable since the beginning. I skipped it for Buster back then
because the 102 based release received a security update and it appeared
to contain the important bits.

Now, with the 103.2 release there is no update for the 102 based
release. At least one CVE was identified as also affecting Buster. There
is also another change regarding "memory leak in PNG parser" which has
no attribution, and a memory leak in clamav, which is often in an email
setup scanning incoming mail, could be exploited, bringing the system
to an OOM condition and hopefully killing only the clamav daemon.
Looking further, I identified two changes

  https://github.com/Cisco-Talos/clamav-devel/commit/ba6467a6a6f7d749f3011c38e76573c75676e37f
  https://github.com/Cisco-Talos/clamav-devel/commit/1a8b164b4f513460c8334521f0797aaf81d15699

which fix two leaks which also apply to the version currently in Buster.
I didn't look further…
The 103.2 release also received updates regarding freshclam including
improved error code handling. Probably related to the CDN they are using.
The "safebrowsing" has been disabled in clamav. It has been announced
half a year ago [0] and they are asking [1] now to finally disable it as
the file is now no longer served. The current release disables it and
removes it from the config file (and debconf templates).

Testing wise the 103.0 release landed last October in unstable and we
managed to fix various apparmor related issues since. I'm not aware of
any issues so far. I recently uploaded 103.2 to unstable and uploaded an
update yesterday after noticing that the postinst script still enables
the safebrowsing option (my clunky eyes didn't see it earlier). This
change is also part of the proposed Buster version. I had it deployed on
a server for two+ days now.

One last disclosure: The clamav daemon now supports reloading the
database without blocking. The advantage is that email scanning isn't
blocked while the database is reloaded. The disadvantage is that it
consumes more memory as it prepares the new database in memory and after
it is done, it switches over and releases the old one.

[0] https://blog.clamav.net/2020/06/the-future-of-clamav-safebrowsing.html
[1] https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html

Sebastian

--- End Message ---
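The message above raises two settings an administrator may want to verify after this update: whether clamd's non-blocking database reload (which temporarily holds two databases in memory) is enabled, and whether freshclam.conf still requests the retired safebrowsing database. The following audit script is an added example, not part of the bug report or the Debian package; it assumes the option names ConcurrentDatabaseReload (clamd.conf, ClamAV 0.103+) and SafeBrowsing (freshclam.conf) and a one-option-per-line config syntax where the last occurrence wins.

```shell
#!/bin/sh
# Added example (not from the bug report): audit two ClamAV settings.

# clamav_conf_get FILE OPTION
# Prints the value of OPTION from a clamd/freshclam-style config
# ("Option value" per line, '#' comments, case-insensitive option names).
# Prints nothing if the option is not set. Assumes the last occurrence wins.
clamav_conf_get() {
  awk -v opt="$2" '
    /^[[:space:]]*#/ { next }                 # skip comment lines
    tolower($1) == tolower(opt) { val = $2 }  # remember the latest value
    END { if (val != "") print val }
  ' "$1"
}

# reload_mode CLAMD_CONF
# Prints "concurrent" (0.103 default: new DB is built beside the old one, so
# memory roughly doubles during a reload) or "blocking" (reload stalls scans
# but needs no extra memory). Any value other than an explicit "no" means concurrent.
reload_mode() {
  case "$(clamav_conf_get "$1" ConcurrentDatabaseReload | tr 'A-Z' 'a-z')" in
    no|false|off|0) echo blocking ;;
    *)              echo concurrent ;;
  esac
}

# safebrowsing_enabled FRESHCLAM_CONF
# Returns 0 (true) when freshclam.conf still asks for the safebrowsing
# database, which is no longer served and therefore only produces errors.
safebrowsing_enabled() {
  case "$(clamav_conf_get "$1" SafeBrowsing | tr 'A-Z' 'a-z')" in
    yes|true|on|1) return 0 ;;
    *)             return 1 ;;
  esac
}
```

Run it as `reload_mode /etc/clamav/clamd.conf` and `safebrowsing_enabled /etc/clamav/freshclam.conf` after sourcing the script; on a memory-constrained mail relay, "concurrent" is the result to review.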
--- Begin Message ---
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---