Dropped the security team from the cc.

Install clamav-daemon and clamav-testfiles and then use clamdscan to scan them:

$ clamdscan /usr/share/clamav-testfiles/clam*

The unrar test files will come up as not infected unless you also install
libclamunrar7 from non-free. That's normal.

Scott K

On Monday, April 15, 2019 11:25:39 PM Ola Lundqvist wrote:
> Hi
>
> Great
>
> Updated packages are now available on
> https://apt.inguza.net/jessie-security/clamav
>
> Testing is much appreciated since I have limited experience of clamav
> myself.
>
> I can test that the package installs properly but I'm not sure I can
> regression test it properly myself.
>
> Anyone who knows how to regression test it properly?
>
> Best regards
>
> // Ola
>
> On Mon, 15 Apr 2019 at 23:16, Scott Kitterman <deb...@kitterman.com> wrote:
> > That sounds like the right approach.
> >
> > Scott K
> >
> > On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> > > Hi again
> > >
> > > I have now compared the 0.100.2 version in stretch to the version 0.100.3
> > > in stretch updates.
> > > I can then see that most of the changes that I'm worried about are not
> > > included.
> > >
> > > This means that I will take the .orig file and include a sub-set of the
> > > updates.
> > > The remaining updates will be:
> > > - Symbol updates (unavoidable I think).
> > > - Copyright update (not sure if it is necessary but I'll include it anyway)
> > >
> > > The rest will not be updated.
> > >
> > > Best regards
> > >
> > > // Ola
> > >
> > > On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist <o...@inguza.com> wrote:
> > > > Hi Scott
> > > >
> > > > I have now walked through the difference in the debian directories between
> > > > the version in jessie and stretch updates.
> > > > I think there is more work than just a simple changelog update.
> > > >
> > > > 1) The changelog file contains a lot of changes. I wonder how we generally
> > > > should it. If I backport a package from current stable should I keep that
> > > > changelog and just add one entry or should I pretend that the jessie
> > > > version still apply and add one entry from that one... Not sure myself.
> > > > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a
> > > > patch introduced to not depend on it
> > > > 3) Config file moved
> > > > from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> > > > to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> > > > 4) Changes in postinst. Not sure if it is backwards compatible or not yet.
> > > > Preliminary not.
> > > > 5) Debhelper compat updated. Should be ok.
> > > > 6) Build dependency changes.
> > > > 7) clamav-dbg package no longer provided
> > > > 8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so
> > > > and pkgconfig moved accordingly.
> > > > 9) Support for llvm introduced. Should probably be ok.
> > > > 10) A LOT of symbols changed. They are declared private so it should be ok.
> > > > But you never know.
> > > >
> > > > It would be helpful if you can help me judge if any of the above means
> > > > backwards incompatibility.
> > > >
> > > > I'm most worried about the following:
> > > > - Socket change
> > > > - Config file change
> > > > - Postinst change
> > > > - clamav-dbg
> > > > - Symbol changes
> > > >
> > > > Thank you in advance
> > > >
> > > > // Ola
> > > >
> > > > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman <deb...@kitterman.com> wrote:
> > > >> I believe you've misunderstood.
> > > >>
> > > >> The version in stable is 0.100.3 and does not have a soname bump (nor does it
> > > >> need one). You should be able to update the LTS with that package with little
> > > >> more (maybe no more) than an updated changelog.
> > > >>
> > > >> Scott K
> > > >>
> > > >> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> > > >> > Hi Scott and LTS team
> > > >> >
> > > >> > Thank you. I'll see if I can backport the required fixes. That may solve
> > > >> > the library issue.
> > > >> >
> > > >> > Alternatively we state that clamav is not supported. Maybe someone in the
> > > >> > LTS team can advise on that.
> > > >> >
> > > >> > Best regards
> > > >> >
> > > >> > // Ola
> > > >> >
> > > >> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman <deb...@kitterman.com> wrote:
> > > >> > > Comments inline.
> > > >> > >
> > > >> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > > >> > > > Hi
> > > >> > > >
> > > >> > > > I missed to include the clamav maintainers. Sorry about that.
> > > >> > > >
> > > >> > > > // Ola
> > > >> > > >
> > > >> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist <o...@inguza.com> wrote:
> > > >> > > > > Dear maintainers, LTS team and Debian Security team
> > > >> > > > >
> > > >> > > > > I have started to look at the clamav package update due to
> > > >> > > > > CVE-2019-1787
> > > >> > > > > CVE-2019-1788
> > > >> > > > > CVE-2019-1789
> > > >> > > > > (the other three vulnerabilities are not affecting jessie or stretch as I
> > > >> > > > > understand it)
> > > >> > >
> > > >> > > That's correct.
> > > >> > >
> > > >> > > > > I have understood that the clamav package is typically updated to the
> > > >> > > > > latest version also in stable and oldstable. However when doing so I
> > > >> > > > > encountered quite a few things that I would like to ask your advice
> > > >> > > > > on.
> > > >> > > > >
> > > >> > > > > First of all to the maintainers. Do you want to handle also LTS
> > > >> > > > > (oldstable) and regular security (stable) upload of clamav?
> > > >> > >
> > > >> > > Stable is already done through stable proposed updates (which is the normal
> > > >> > > path for clamav). We leave the LTS releases to the LTS team. Base your work
> > > >> > > on what's in stable.
> > > >> > >
> > > >> > > > > Question to maintainers and Security team. Should we synchronize the
> > > >> > > > > efforts here and have you already started on the stable update?
> > > >> > > > > If not I have a few questions:
> > > >> > > > > 1) Do you know the binary compatibility between libclamav7 and libclamav9?
> > > >> > > > > I have noticed that the package in sid produces libclamav9 while the one
> > > >> > > > > in jessie provides libclamav7. Do you think this can be an issue?
> > > >> > >
> > > >> > > Yes. It's guaranteed to be an issue. We have a stable transition prepared
> > > >> > > and will do it (once the srm blesses) after the next point release in
> > > >> > > April.
> > > >> > > Note that the security team doesn't support clamav.
> > > >> > >
> > > >> > > > > 2) Do you think backporting the package in sid is better than simply
> > > >> > > > > updating to the latest upstream while keeping most scripts in oldstable? I
> > > >> > > > > had to copy over the split-archive.sh to be able to generate a proper orig
> > > >> > > > > tarball.
> > > >> > >
> > > >> > > No. Use what's in stable proposed updates.
> > > >> > >
> > > >> > > > > - I personally think the package in sid have a little too much updates to
> > > >> > > > > make that safe, especially since it produces new library packages.
> > > >> > >
> > > >> > > Agreed. That would definitely be a bad idea.
> > > >> > >
> > > >> > > > > - On the other hand, I had to do some modifications already to make allow
> > > >> > > > > the package to be generated and I have not even started building yet.
> > > >> > > > > There may be many fixes needed to make this package work in oldstable...
> > > >> > >
> > > >> > > I suspect that what's in stable will work in oldstable, but I haven't tried
> > > >> > > it. It'll certainly take less work than what's in sid.
> > > >> > >
> > > >> > > > > I guess we cannot generate new library package version, or?
> > > >> > >
> > > >> > > Generally one does not, but for clamav you kind of have to at some point.
> > > >> > > Note that for libclamav7 -> libclamav9 there are also API changes, so
> > > >> > > libclamav-dev reverse build-depends need patching in addition to
> > > >> > > rebuilding.
> > > >> > > Once we've done that in stable, it should be easy enough to adapt for
> > > >> > > oldstable when the time comes. Don't worry about it now.
> > > >> > >
> > > >> > > Scott K
> > > >
> > > > --
> > > >
> > > > --- Inguza Technology AB --- MSc in Information Technology ----
> > > >
> > > > | o...@inguza.com o...@debian.org |
> > > > | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> > > >
> > > > ---------------------------------------------------------------
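
The regression check described at the top of this message (scan the clamav-testfiles samples with clamdscan and accept undetected RAR samples when libclamunrar7 is absent) can be scripted as below. This is an added example, not part of the original thread or of the clamav packaging; the function names, the sample output and the placeholder signature name are constructed, and it assumes clamdscan's per-file result lines end in FOUND, OK or ERROR.

```shell
#!/bin/sh
# Added example: summarise clamdscan results for the clamav-testfiles samples.
# Real use (clamav-daemon and clamav-testfiles installed, clamd running):
#   clamdscan /usr/share/clamav-testfiles/clam* | check_clamdscan

check_clamdscan() {
    # Reads clamdscan output on stdin. Per-file lines are assumed to end in
    # FOUND, OK or ERROR; the scan summary lines match none of these.
    awk '
        / FOUND$/ { found++; next }
        /: OK$/ {
            path = $0
            sub(/: OK$/, "", path)
            # Undetected .rar samples are expected without libclamunrar7.
            if (tolower(path) ~ /\.rar$/) { rar++; next }
            missed++
            print "MISSED: " path
            next
        }
        / ERROR$/ { errors++; print "ERROR: " $0 }
        END {
            printf "detected=%d missed=%d rar_not_detected=%d errors=%d\n", found, missed, rar, errors
            # Fail on a missed non-RAR sample, any error, or no detections.
            exit ((missed > 0 || errors > 0 || found == 0) ? 1 : 0)
        }
    '
}

# Constructed sample output; the signature name is a placeholder.
sample_ok() {
    cat <<'EOF'
/usr/share/clamav-testfiles/clam.exe: Constructed.Test.Sig FOUND
/usr/share/clamav-testfiles/clam.zip: Constructed.Test.Sig FOUND
/usr/share/clamav-testfiles/clam.tar.gz: Constructed.Test.Sig FOUND
/usr/share/clamav-testfiles/clam-v2.rar: OK

----------- SCAN SUMMARY -----------
Infected files: 3
EOF
}

# Constructed output for a broken build: the zip sample is no longer detected.
sample_regression() {
    cat <<'EOF'
/usr/share/clamav-testfiles/clam.exe: Constructed.Test.Sig FOUND
/usr/share/clamav-testfiles/clam.zip: OK
/usr/share/clamav-testfiles/clam-v2.rar: OK
EOF
}

sample_ok | check_clamdscan
```

A non-zero exit status from `check_clamdscan` marks the build as failing the check, which makes it usable as a gate before uploading the backported package.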