Thank you Florian! If there are any policy changes that can be made to
prevent this sort of issue (critical vulnerabilities not getting patches
or not showing up in vuln.xml for days or weeks after a CVE and/or
update) please do recommend them to, well, who does set ports/security
management policies?
Roger Marquis

On 19.05.22 09:30, Andrea Venturoli wrote:
Hello.
I see ClamAV 0.105.0, 0.104.3 and 0.103.6 were released on May 5th, the
latter two closing "several CVE fixes".
However, the port was not updated and not even portaudit entries were
added.
Was this overlooked?
Are the FreeBSD ports somehow not affected?

I created a patch and PR a week ago. I was waiting for the maintainer
timeout. After discussing with bapt I went ahead and committed the update
without approval of the maintainer.
IMHO, security fixes should be specifically mentioned in the blanket section.
Florian