nor does debian security tracker list the updates as available for jessie/stretch: https://security-tracker.debian.org/tracker/source-package/clamav
(security-tracked does say in hover text that jessie "gets updated via -updates", so it should pick that up) it correctly reports wheezy, buster and sid as fixed. for example, see also https://security-tracker.debian.org/tracker/CVE-2017-12376 this looks to me also like something that should be fixed (somewhere)?