[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [volatile] Updated clamav-related packages available fortesting

This one time, at band camp, Jan Lühr said:
> The imho more interesting point is: What does it mean in the long term?
> The current situation is: 
> Volatile has clamav 0.95, while upstream has 0.96.  There are security related 
> issues in 0.95 (DoS etc.?) [1] that might affect(?) volatile - futhermore the 
> clamav-people are suggesting to use the latest version [2] - that is 0.96.
> Volatile itself is not supported by the security team [3] and the security 
> team refuses the support the current stable version [4].
> As a sysop running lenny/clamav on a few hosts, I started building clamav from 
> source and reading clamav's announce list.
> But I wonder, what does it mean in the long run:
> - Will volatile be updated to 0.96 soon?

Yes - we always test bugs in the upgrade path in unstable first, and we
found some, so we are fixing them there first.  Once that is complete,
we'll upload to volatile.

> - Will clamav (in volatile) receive official security support?

So far it has been handled by the Debian clamav team.

> - Are there any (better supported) alternatives to clamav in lenny?

Not to my knowledge.

> - Afair there is no specific EOL-/Kill-Switch in clamav: ClamAV <= 0.94 is 
> unable to handle "big" incremental updates and a "too" big update was 
> shipped. Is it - from a naive point of view - just a bug that can be fixed in 
> debian [5]? Just apply the given patch [6] in lenny's clamav and be 
> happy? ;-)

That patch does not address the issue.  That is a sigtool problem, not a
clamd one.  The clamd one is harder to get right and the change set is
much larger.

|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |

Attachment: signature.asc
Description: Digital signature

Reply to: