On 2018-03-09 11:45:58 [+0100], Santiago R.R. wrote:
> Hi,
>
> On 02/03/18 at 23:36, Sebastian Andrzej Siewior wrote:
> > On 2018-03-02 02:19:04 [+0000], Scott Kitterman wrote:
> > > Conveniently, upstream just released 0.99.4 that addresses this and some
> > > other issues. I'd suggest you let us get that into stable/oldstable
> > > first.
> >
> > I will try to get to this around SA/SO for Stretch/Jessie. There are 5
> > CVEs in total (not just the one you (the LTS team) mentioned).
>
> Just to be sure, the new upstream release should be used to fix the
> issues in wheezy too?
We do this (update to the current ClamAV version) for the supported Debian
releases. I recommend doing this for the LTS version, too. Besides clamav
you should have a look at libclamunrar, which is non-free.

Upstream has historically been bad at documenting security-related fixes.
This may have improved now, but I wouldn't take it for granted. In the
past the reporter had to ask for CVE numbers and do the process of
documenting. It was possible that the "fix" contained a follow-up fix (or
multiple) which were not documented in the bugzilla entry. There were
fixes of the same importance (found by a fuzzer, and the fuzzed file
crashed clamav) that didn't get a CVE number assigned and would otherwise
have been ignored by your security upload. I could give you examples of
each kind (and I don't need to go far back in history; 0.99.3 has a few
examples already). The part that the engine may ignore signatures because
they require a newer engine is just the tip of the iceberg :)

> Should I include a file in security-tracker's packages/ directory to
> describe that the way to address issues is by updating complete upstream
> releases?
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#80

Clamav was updated via volatile in the past. This moved to stable/updates
now. The security team is not comfortable with security-related changes and
new features in an all-in-one release. Since I have been involved, the
updates were always via stable, which included a full upstream release.
There were one or two exceptions where we first picked up a few
security-related fixes and then pushed the complete release.

> Cheers,
>
> S

Sebastian