On 2018-07-19 17:06:30 [+0200], Mike Gabriel wrote: > The Debian LTS team would like to fix the security issues which are > currently open in the Jessie version of clamav: > https://security-tracker.debian.org/tracker/CVE-2018-0360 > https://security-tracker.debian.org/tracker/CVE-2018-0361 > > Would you like to take care of this yourself?
I will look after the Stretch update. I won't do it for Jessie. I *strongly* recommend that you take the Stretch version and and push it into Jessie. That means you end up with 0.100.1 and not 0.100.0 plus those two CVEs. One thing that did not receive a CVE was the fix in the libmspack library which in bundled in clamav and libmspack upstream fixed it differently (hint: the debian version uses the library). The same goes for the unrar parts. > PS: A member of the LTS team might start working on this update at > any point in time. You can verify whether someone is registered > on this update in this file: > https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt As I said, I strongly recommend to not only fix the CVEs mentioned. Upstream is not very good at it. Sebastian
