
Re: clamav needs updating



On Mon, Jul 23, 2007 at 03:37:53PM +0100, Stephen Gran wrote:
<snip>
> If the resolution is going to take more than a short while, I can do a
> targeted fix to resolve the DoS present in 0.91.  It is a two line
> patch that fixes a bug that does not allow for code execution, so it is
> hardly a critical update.  New upstream versions are not, by their very
> nature, "critical updates" in my mind, sorry.  There are some nice
> feature fixes in 0.91.1 over 0.91, but none of them so important as to
> warrant hyperbole.  If the security issues addressed in the latest
> release were more severe, I would have already coordinated a volatile
> security point release, as I have already done for stable and testing.

On Mon, Jul 23, 2007 at 05:29:11PM +0100, Stephen Gran wrote:
> 
> This one time, at band camp, paddy@panici.net said:
> > On Mon, Jul 23, 2007 at 04:13:18PM +0000, paddy@panici.net wrote:
> > > 
> > > Can the new clam packages conflict against an avscan version that
> > > hasn't been released yet but will have the fix in it?
> > 
> > sorry, 
> > 
> > conflict against versions *prior to* an as-yet-unreleased fixed version
> 
> If avscan was for some reason your mission critical app, would that be a
> good solution for you?  It's a fallback possibility, yes, but one I'd
> like to use as a last resort.

Stephen,

apologies, I had skimmed parts of the thread.

It is the top passage which I wish I had read more slowly: you have considered
this.

Indeed, I am sure avscan users will be very grateful that you took 
the time you did to discover this problem in the first place, and the
proof of the pudding is right there.

I recall there being some wish to define volatile as being a place that
would not 'drag in' dependencies.  Personally, I never felt confident 
to try to make an abstract judgement about that ahead of time (leaning
towards the belief that it might sometimes be the best option), but if
I understand the situation with avscan then perhaps that issue arises
here?

Regards,
Paddy


