On Sunday, January 28, 2018 12:14:36 AM Ninos Ego wrote:
> Hey there,
>
> I do not want to stress, but does it have any reasons, why it takes so
> long to patch clamav with severity "grave"? Can you guys tell me how
> long you still need to fix clamav in current Debian stable (stretch)?
> ATM clamav is running on our systems for spam mail protection. If you
> still need some time (> 12h), I'm forced to disable clamav as long as
> it's not fixed. < 0.99.3 is vulnerable to code execution...

We're currently waiting on approval from a stable release manager to upload the fix:

https://bugs.debian.org/888552
https://bugs.debian.org/888553

Clamav is not supported through the normal Debian security release process because of the general necessity of updating clamav in complete upstream releases that carry much more than security fixes. As a result, it takes a little longer.

If you know how to build a Debian package (and honestly, if you are administering Debian systems, you should), then you can grab the stable source package, apply the patch from the bug, and build a local package for use until we get this approved and uploaded.

Scott K