Ged, all,

My apologies.  We should have done a second release candidate after the 
configure changes. 

Fortunately, and very intentionally, 0.102 doesn’t include any security-related 
bug fixes in case there were users who wouldn't be able to update due to some 
unforeseen issue.  The next time we publish a patch release, we will also 
backport the security-related patches to 0.101 (i.e. simultaneously publish 
0.101.5).  

I think it should be no surprise that distributions that wish to support new 
versions of some software, but not new versions of libraries, will have issues 
such as this.  I think static linking is the natural solution for this kind of 
policy mix.  Yes, it's harder to maintain, because a vuln-fix in the statically 
linked library requires an update to the application.  I don't know of a better 
solution though.

-Micah


On 10/5/19, 12:11 PM, "clamav-users on behalf of G.W. Haywood via 
clamav-users" <clamav-users-boun...@lists.clamav.net on behalf of 
clamav-users@lists.clamav.net> wrote:

    Hi there,
    
    On Sat, 5 Oct 2019, Dennis Peterson wrote:
    
    > This particular hard requirement (libcurl) affects the communication channel
    > which is different than causing the code to fail to run at all. So the
    > question is do the new libcurl requirements immediately break existing
    > systems that are not yet updated with new libcurl functionality. ...
    
    Sorry, I thought I'd explained in an earlier post.  I'm using libcurl v7.38.
    So that I didn't need to update libcurl to v7.45 for clamonacc, I disabled it:
    
    8<----------------------------------------------------------------------
    $ curl -V
    curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL[...snip,snip...]
    8<----------------------------------------------------------------------
    $ head -7 ~/src/net/mail/clamav-devel-dev-0.102/config.log
    This file contains any messages produced by compilers while
    running configure, to aid debugging if configure makes a mistake.
    
    It was created by ClamAV configure 0.102.0-rc, which was
    generated by GNU Autoconf 2.69.  Invocation command line was
    
       $ ./configure --disable-clamonacc
    8<----------------------------------------------------------------------
    $ ps axufwww | grep freshclam | grep -v grep
    clamav   14105  0.5  0.0 193092 13080 ?        Ss   Oct04   7:24 \
    /usr/local/bin/freshclam -d --config-file=/etc/mail/clamav/freshclam.conf
    8<----------------------------------------------------------------------
    $ freshclam -V --config-file /etc/mail/freshclam.conf
    ClamAV 0.102.0-rc/25593/Sat Oct  5 09:30:21 2019
    8<----------------------------------------------------------------------
    $ ls -l /var/lib/clamav/daily.cld
    -rw-r--r-- 1 clamav clamav 147439104 Oct  5 10:44 /var/lib/clamav/daily.cld
    8<----------------------------------------------------------------------
    
    > It is kind of a big deal to update a widely used library and creates
    > knock-on problems from ripple effect for production systems subject
    > to strong configuration management policies.
    
    Not to mention publishing 0.102 with changes from 0.102rc which break it.
    
    -- 
    
    73,
    Ged.
    
    _______________________________________________
    
    clamav-users mailing list
    clamav-users@lists.clamav.net
    https://lists.clamav.net/mailman/listinfo/clamav-users
    
    
    Help us build a comprehensive ClamAV guide:
    https://github.com/vrtadmin/clamav-faq
    
    http://www.clamav.net/contact.html#ml
    

