Re: [Pkg-clamav-devel] Wheezy update of clamav?
Hi,

On 02/03/18 at 23:36, Sebastian Andrzej Siewior wrote:
> On 2018-03-02 02:19:04 [+], Scott Kitterman wrote:
> > Conveniently, upstream just released 0.99.4 that addresses this and some
> > other issues. I'd suggest you let us get that into stable/oldstable first.
>
> I will try to get to this around SA/SO for Stretch/Jessie. There are 5
> CVEs in total (not just the one you (the LTS team) mentioned).

Just to be sure, the new upstream release should be used to fix the
issues in wheezy too?

Should I include a file in security-tracker's packages/ directory to
describe that the way to address issues is by updating complete upstream
releases?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#80

Cheers,

S
Re: [Pkg-clamav-devel] Wheezy update of clamav?
On Fri, Mar 09, 2018 at 11:45:58AM +0100, Santiago R.R. wrote:
> Hi,
>
> On 02/03/18 at 23:36, Sebastian Andrzej Siewior wrote:
> > On 2018-03-02 02:19:04 [+], Scott Kitterman wrote:
> > > Conveniently, upstream just released 0.99.4 that addresses this and some
> > > other issues. I'd suggest you let us get that into stable/oldstable
> > > first.
> >
> > I will try to get to this around SA/SO for Stretch/Jessie. There are 5
> > CVEs in total (not just the one you (the LTS team) mentioned).
>
> Just to be sure, the new upstream release should be used to fix the
> issues in wheezy too?

Definitely, clamav is only updated via jessie-updates/stretch-updates as
it needs a current runtime to be able to parse all malware signatures
(independent of vulnerabilities in clamav itself). But you need to make
sure that wheezy is not updated ahead of jessie/stretch, otherwise you'll
break upgrades.

Cheers,
Moritz
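The "wheezy must not be ahead of jessie/stretch" rule above can be checked mechanically. The following is an added example, not code from this thread or from Debian's tooling: a small Python re-implementation of dpkg's version ordering (epoch, upstream, revision; '~' sorting before everything) applied to a constructed set of per-suite clamav versions. It needs Python 3.8+ for the walrus operator.

```python
import re

def _order(c):
    # dpkg weighting: '~' before end-of-string (0), letters by ord, punctuation after letters
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _order(a[i]) if i < len(a) else 0
        ob = _order(b[i]) if i < len(b) else 0
        if oa != ob:
            return oa - ob
    return 0

def _verrevcmp(a, b):
    # alternate non-digit and numeric chunks, as dpkg does for upstream and revision
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        if (r := _cmp_nondigit(na, nb)):
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if (r := int(da or 0) - int(db or 0)):
            return r
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions a lt/eq/gt b (re-implementation, not dpkg)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    r = (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def upgrade_path_problems(suite_versions):
    """suite_versions: [(suite, version), ...] oldest suite first.
    Returns each adjacent pair where the older suite carries a higher version."""
    return [f"{s1} ({v1}) is ahead of {s2} ({v2})"
            for (s1, v1), (s2, v2) in zip(suite_versions, suite_versions[1:])
            if compare_versions(v1, v2) > 0]

# Constructed sample: wheezy already moved to 0.99.4 while jessie still ships 0.99.3.
SAMPLE = [("wheezy", "0.99.4+dfsg-1+deb7u1"), ("jessie", "0.99.3+dfsg-1+deb8u1"),
          ("stretch", "0.99.4+dfsg-1+deb9u1")]
```

Calling `upgrade_path_problems(SAMPLE)` reports the wheezy/jessie pair as an upgrade-path break; an empty list means the suites are ordered correctly.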
Re: [Pkg-zsh-devel] Wheezy update of zsh?
On Thursday 08 March 2018 10:35 AM, Chris Lamb wrote:
> Hi Abhijith,
>
>> I prepared an update[1] for zsh. Debdiff attached along with the mail.
>> It would be great if you do some testing.
>
> Works for me... :)
>
> Regards,

It would be helpful if someone could upload zsh. Once it is accepted into
the archive I will release the DLA.

-abhijith
Re: [Pkg-zsh-devel] Wheezy update of zsh?
Hi Abhijith,

> >> I prepared an update[1] for zsh. Debdiff attached along with the mail.
> >> It would be great if you do some testing.
> >
> > Works for me... :)
>
> It will be helpful if some could upload zsh. Once it accepted to the
> archive I will release DLA.

I'll upload zsh 4.3.17-1+deb7u1 now and — to save delays — announce the
DLA too. :)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Re: [Pkg-zsh-devel] Wheezy update of zsh?
Chris Lamb wrote:
> I'll upload zsh 4.3.17-1+deb7u1 now and — to save delays — announce the
> DLA too. :)

Uploaded and announced as DLA-1304-1. Thank you. :)

Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Re: [Pkg-zsh-devel] Wheezy update of zsh?
Hi,

Chris Lamb wrote:
> > >> I prepared an update[1] for zsh. Debdiff attached along with the mail.
> > >> It would be great if you do some testing.
> > >
> > > Works for me... :)
> >
> > It will be helpful if some could upload zsh. Once it accepted to the
> > archive I will release DLA.
>
> I'll upload zsh 4.3.17-1+deb7u1 now and — to save delays — announce the
> DLA too. :)

Thanks Abhijith and Chris!

Regards, Axel

-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
My Debian LTS activities in February 2018
Hi,

In the previous month I resumed my activities in the LTS Team, under the
Freexian initiative. I got assigned eight hours. I was finally able to work
six and I am carrying the rest over to this month.

* suricata: I checked CVE-2018-6794, but after reproducing it, I chose to
  follow security-team and tag it as no-dsa. It did not warrant a DLA by
  itself.

* leptonlib: I released DLA-1302-1, which fixed CVE-2018-7186 and
  CVE-2018-7440.

* clamav: I am currently preparing an upload to fix CVE-2018-0202 and
  CVE-2018-185.

Additionally, I checked some issues (in other Debian suites) and filed bug
reports for a couple of recent security issues (thanks to the Security Team
for their help).

Thanks for supporting Debian LTS!

Santiago
Re: [Pkg-clamav-devel] Wheezy update of clamav?
On 2018-03-09 11:45:58 [+0100], Santiago R.R. wrote:
> Hi,
>
> On 02/03/18 at 23:36, Sebastian Andrzej Siewior wrote:
> > On 2018-03-02 02:19:04 [+], Scott Kitterman wrote:
> > > Conveniently, upstream just released 0.99.4 that addresses this and some
> > > other issues. I'd suggest you let us get that into stable/oldstable
> > > first.
> >
> > I will try to get to this around SA/SO for Stretch/Jessie. There are 5
> > CVEs in total (not just the one you (the LTS team) mentioned).
>
> Just to be sure, the new upstream release should be used to fix the
> issues in wheezy too?

We do this (update to the current ClamAV version) for the supported Debian
releases. I recommend doing this for the LTS version, too. Besides clamav
you should have a look at libclamunrar which is non-free.

Upstream has historically been bad at documenting security related fixes.
This may have improved now but I wouldn't take it for granted. In the past
the reporter had to ask for CVE numbers and do the process of documenting.
It was possible that the "fix" contained a follow-up fix (or multiple)
which were not documented in the bugzilla entry. There were fixes of the
same importance (found by a fuzzer, and the fuzzed file crashed clamav)
which didn't get a CVE number assigned and would have otherwise been
ignored by your security upload. I could give you examples of each kind
(and I don't need to go far back in history, 0.99.3 has a few examples
already). The part that the engine may ignore signatures because they
require a newer engine is just the tip of the iceberg :)

> Should I include a file in security-tracker's packages/ directory to
> describe that the way to address issues is by updating complete upstream
> releases?
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#80

Clamav was updated via volatile in the past. This moved to stable/updates
now. The security team is not comfortable with security related changes
and new features all in one release.

Since I have been involved, the updates were always via stable and included
a full upstream release. There were one or two exceptions where we first
picked up a few security related fixes and then pushed the complete
release.

> Cheers,
>
> S

Sebastian