On 2021-04-22 16:58:46 [+0100], Adam D. Barratt wrote:
> On Wed, 2021-04-21 at 21:35 +0200, Sebastian Andrzej Siewior wrote:
> > On 2021-04-20 20:52:09 [+0100], Adam D. Barratt wrote:
> > > Please feel free to upload. I assume that, given there are security
> > > fixes involved, you'd prefer an early release via stable-updates as
> > > we've done with a number of updates in the past?
> >
> > Thank you, uploaded. Yes, please. In the past we had it stable-pu for
> > a day or two and then enabled it via stable/updates if I remember
> > correctly.
>
> I think that's more a function of the time it takes to notice that
> everything built, prepare the SUA text and then have an SRM be
> available near enough to a dinstall to release the announcement mail,
> rather than a deliberate choice.

I see.

> I drafted some text for an SUA; comments / complete rewriting welcome:
>
> =========================================================
> ClamAV is an AntiVirus toolkit for Unix.
>
> Upstream published version 0.103.2.
>
> This is a bug-fix release.
>
> Changes since 0.102.3 currently in buster include the removal of the
> "safe browsing" signature database, and fixes for security issues.

This version also introduced non-blocking database reloads in which
clamd temporarily requires twice as much memory. The behaviour is
controlled by the ConcurrentDatabaseReload option.

> CVE-2021-1405
>
> A vulnerability in the email parsing module could allow an
> unauthenticated, remote attacker to cause a denial of service
> condition on an affected device
>
> If you use clamav, we recommend that you install this update.
> =========================================================
>
> I realise that there are fixes for more CVEs in 0.103.2, but did not
> mention them as they're not changes relative to the current buster
> package AIUI.

This is correct.

> I also removed our usual "[t]he changes are not strictly
> required for operation" text, as I wasn't sure if that's actually
> accurate in this case.

Yes, at least due to the CVEs in here I would consider that this is
required for operation due to the security aspect. Thank you.

> Regards,
>
> Adam

Sebastian