I believe you've misunderstood. The version in stable is 0.100.3 and does not have a soname bump (nor does it need one). You should be able to update the LTS with that package with little more (maybe no more) than an updated changelog.

Scott K

On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> Hi Scott and LTS team
>
> Thank you. I'll see if I can backport the required fixes. That may solve
> the library issue.
>
> Alternatively we state that clamav is not supported. Maybe someone in the
> LTS team can advise on that.
>
> Best regards
>
> // Ola
>
> On Sun, 31 Mar 2019 at 22:35, Scott Kitterman <deb...@kitterman.com> wrote:
> > Comments inline.
> >
> > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > > Hi
> > >
> > > I missed to include the clamav maintainers. Sorry about that.
> > >
> > > // Ola
> > >
> > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist <o...@inguza.com> wrote:
> > > > Dear maintainers, LTS team and Debian Security team
> > > >
> > > > I have started to look at the clamav package update due to
> > > > CVE-2019-1787
> > > > CVE-2019-1788
> > > > CVE-2019-1789
> > > > (the other three vulnerabilities are not affecting jessie or stretch
> > > > as I understand it)
> >
> > That's correct.
> >
> > > > I have understood that the clamav package is typically updated to the
> > > > latest version also in stable and oldstable. However when doing so I
> > > > encountered quite a few things that I would like to ask your advice
> > > > on.
> > > >
> > > > First of all to the maintainers. Do you want to handle also LTS
> > > > (oldstable) and regular security (stable) upload of clamav?
> >
> > Stable is already done through stable proposed updates (which is the
> > normal path for clamav). We leave the LTS releases to the LTS team.
> > Base your work on what's in stable.
> >
> > > > Question to maintainers and Security team. Should we synchronize the
> > > > efforts here and have you already started on the stable update?
> > > >
> > > > If not I have a few questions:
> > > > 1) Do you know the binary compatibility between libclamav7 and
> > > > libclamav9?
> > > > I have noticed that the package in sid produces libclamav9 while the
> > > > one in jessie provides libclamav7. Do you think this can be an issue?
> >
> > Yes. It's guaranteed to be an issue. We have a stable transition
> > prepared and will do it (once the srm blesses) after the next point
> > release in April.
> > Note that the security team doesn't support clamav.
> >
> > > > 2) Do you think backporting the package in sid is better than simply
> > > > updating to the latest upstream while keeping most scripts in
> > > > oldstable? I had to copy over the split-archive.sh to be able to
> > > > generate a proper orig tarball.
> >
> > No. Use what's in stable proposed updates.
> >
> > > > - I personally think the package in sid have a little too much updates
> > > > to make that safe, especially since it produces new library packages.
> >
> > Agreed. That would definitely be a bad idea.
> >
> > > > - On the other hand, I had to do some modifications already to make
> > > > allow the package to be generated and I have not even started building
> > > > yet. There may be many fixes needed to make this package work in
> > > > oldstable...
> >
> > I suspect that what's in stable will work in oldstable, but I haven't
> > tried it. It'll certainly take less work than what's in sid.
> >
> > > > I guess we cannot generate new library package version, or?
> >
> > Generally one does not, but for clamav you kind of have to at some point.
> > Note that for libclamav7 -> libclamav9 there are also API changes, so
> > libclamav-dev reverse build-depends need patching in addition to
> > rebuilding.
> > Once we've done that in stable, it should be easy enough to adapt for
> > oldstable when the time comes. Don't worry about it now.
> >
> > Scott K