What I have sometimes done, if faced with the need for a newer version of some libxyz.so, is to copy the newer version from a compatible newer system to the older system and then update the symlink. For example, if I have:
libxyz.so.3 libxyz.so -> libxyx.so.3 but need libxyz.so.5, I copy in libxyz.so.5 and re-symlink, giving: libxyz.so.3 libxyz.so.5 libxyx.so -> libxyz.so.5 Since it's rare that the new version *removes* a function, this usually works. And if it doesn't, I just restore the symlink, since I still have the previous version. This is *very* risky with basic things like libc.so however, as you can end up unable to execute any commands whatsoever. On Sun, 04 Aug 2019 23:50:07 +0000 Scott Kitterman via clamav-users <clamav-users@lists.clamav.net> wrote: > > > On August 4, 2019 11:32:09 PM UTC, "Micah Snyder (micasnyd) via > clamav-users" <clamav-users@lists.clamav.net> wrote: > >Every product is different as to whether or not they provide security > >patches for older versions or how far back they patch. > > > >For ClamAV, our development team is very small and we have a lot on > >our plates so we typically only provide security patches for the > >current feature release. > > > >Right now, our current feature release is 0.101, published Dec 2018. > >0.101 introduced some library API changes that made it harder to > >adopt than usual. For this reason, we made the decision to backport > >the security fixes found in 0.101.2 and released these for 0.100 > >users in the 0.100.3 patch release. > > > >Next week, if all goes to plan, we will publish the 0.101.3 security > >patch and the 0.102-beta. We have *no plans* to publish any more > >security patches for 0.100. If you depend on your Linux distro to > >provide ClamAV, please help them create & test the 0.101.3 package so > >it gets into distribution faster. Otherwise, we encourage you to > >build & install ClamAV from source. > > > >In the future, we'd love to provide Linux users with the option to > >install ClamAV from Snapcraft, but unfortunately we still have some > >more release engineering improvements to do before that will be a > >reality. > > > >On the topic of "newer is always better": > > > >The next feature release (0.102) will require libcurl version 7.45 or > >newer in order to compile/use the new on-access scanning client > >(`clamonacc`) because 7.45+ provides a required feature. In testing > >we've found that in most cases only the latest Linux distro major > >versions provide a new enough libcurl version. For context, the > >libcurl version we require was released on 7 Oct 2015, nearly 4 years > >ago and libcurl has seen some 50-odd CVE fixes since then*. I'm > >under the impression that in most cases, package maintainers > >cherry-pick the security fixes to older versions for their > >distributions though I'm not tuned in enough to know if that's true > >for every Linux distribution or every package. In any case, 4 years > >is a long time to go without an update in the software world - so > >we're not feeling too bad about this new requirement. Users who > >build ClamAV from source on older Linux distributions may have to > >build libcurl from source first -- which is a relatively > >straightforward process. > > > >*Libcurl security fix reference: > >https://curl.haxx.se/docs/security.html. > > That's the practice in Debian (patches post-release) for almost all > packages, clamav is an exception for us. > > Both Debian's current stable release and the previous release have a > new enough curl to support this. There's one older release that does > not. As long as we can disable the feature along with the > requirement for the newer curl, it should be fine for us. > > Scott K _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
