On Sat, 2018-07-28 at 10:48 +0200, Sebastian Andrzej Siewior wrote: > On 2018-07-28 09:24:28 [+0100], Adam D. Barratt wrote: > > Was the intent that the package would be pushed via -updates? > > Yes, please. If you need additinal information I can provide then on > Sunday evening.
My weekend's ended up busier than I expected, so unfortunately I didn't get chance to sort this out yet. How does the below sound as a draft for the relevant part of the SUA? (Based on the style of some previous SUAs - and indeed VUAs - for new clamav upstream versions.) <draft> ClamAV is anĀ AntiVirus toolkit for Unix. Upstream published version 0.100.1. This is a mostly a bug-fix release. The changes are not strictly required for operation, but users of the previous version in stretch may not be able to make use of all current virus signatures and might get warnings. Changes since 0.100.0 currently in stretch include fixes for two security issues. CVE-2018-0360 ClamAV before 0.100.1 has an HWP integer overflow with a resultant infinite loop via a crafted Hangul Word Processor file. CVE-2018-0361 ClamAV before 0.100.1 lacks a PDF object length check, resulting in an unreasonably long time to parse a relatively small file. </draft> Apologies if the initial section is incorrect, it wasn't entirely clear to me whether there would be warnings for the bump from 0.100.0 to 0.100.1. Regards, Adam