On Wed, 2021-04-21 at 21:35 +0200, Sebastian Andrzej Siewior wrote: > On 2021-04-20 20:52:09 [+0100], Adam D. Barratt wrote: > > Please feel free to upload. I assume that, given there are security > > fixes involved, you'd prefer an early release via stable-updates as > > we've done with a number of updates in the past? > > Thank you, uploaded. Yes, please. In the past we had it stable-pu for > a day or two and then enabled it via stable/updates if I remember > correctly.
I think that's more a function of the time it takes to notice that everything built, prepare the SUA text and then have an SRM be available near enough to a dinstall to release the announcement mail, rather than a deliberate choice. I drafted some text for an SUA; comments / complete rewriting welcome: ========================================================= ClamAV is an AntiVirus toolkit for Unix. Upstream published version 0.103.2. This is a bug-fix release. Changes since 0.102.3 currently in buster include the removal of the "safe browsing" signature database, and fixes for security issues. CVE-2021-1405 A vulnerability in the email parsing module could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device If you use clamav, we recommend that you install this update. ========================================================= I realise that there are fixes for more CVEs in 0.103.2, but did not mention them as they're not changes relative to the current buster package AIUI. I also removed our usual "[t]he changes are not strictly required for operation" text, as I wasn't sure if that's actually accurate in this case. Regards, Adam