Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1
On 2023-09-14 21:52:25 [+0100], Adam D. Barratt wrote:
> That's now out, as SUA-240-1.

Thank you Adam.

> Regards,
>
> Adam

Sebastian
Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1
On Thu, 2023-09-14 at 17:00 +0100, Adam D. Barratt wrote:
> On Thu, 2023-09-14 at 08:31 +0200, Sebastian Andrzej Siewior wrote:
> > On 2023-09-14 06:31:26 [+0100], Adam D. Barratt wrote:
> > > On Wed, 2023-09-13 at 22:01 +0200, Sebastian Andrzej Siewior
> > > wrote:
> > > > On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> > > > > How does this sound for an SUA?
> > > [...]
[...]
> Great, we agree. :) I'll try and get this sorted this evening, worst
> case it should be tomorrow.

That's now out, as SUA-240-1.

Regards,

Adam
Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1
On Thu, 2023-09-14 at 08:31 +0200, Sebastian Andrzej Siewior wrote:
> On 2023-09-14 06:31:26 [+0100], Adam D. Barratt wrote:
> > On Wed, 2023-09-13 at 22:01 +0200, Sebastian Andrzej Siewior wrote:
> > > On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> > > > How does this sound for an SUA?
> > [...]
> > > This sounds entirely fine to me. I don't think that it is needed
> > > to point out that bullseye is not affected by the second issue.
> >
> > Great, thanks.
> >
> > > There is also this thing regarding libclamunrar and the update to
> > > v6.2.10 of the bundled library. I *think* it is related to
> > > CVE-2023-40477. Since unrar itself is only in -pu I think it is
> > > okay for libclamunrar to follow the same fate.
> >
> > Just to be completely sure, "follow the same fate" here means
> > leaving libclamunrar in (o-)p-u until the point releases?
>
> I mean there is no reason to push libclamunrar via d/updates if the
> unrar package isn't. Therefore I don't mind keeping libclamunrar in
> (o-)p-u until the point release. It is non-free after all.

Great, we agree. :) I'll try and get this sorted this evening, worst
case it should be tomorrow.

Regards,

Adam
Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1
On 2023-09-14 06:31:26 [+0100], Adam D. Barratt wrote:
> On Wed, 2023-09-13 at 22:01 +0200, Sebastian Andrzej Siewior wrote:
> > On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> > > How does this sound for an SUA?
> [...]
> > This sounds entirely fine to me. I don't think that it is needed to
> > point out that bullseye is not affected by the second issue.
>
> Great, thanks.
>
> > There is also this thing regarding libclamunrar and the update to
> > v6.2.10 of the bundled library. I *think* it is related to
> > CVE-2023-40477. Since unrar itself is only in -pu I think it is okay
> > for libclamunrar to follow the same fate.
>
> Just to be completely sure, "follow the same fate" here means leaving
> libclamunrar in (o-)p-u until the point releases?

I mean there is no reason to push libclamunrar via d/updates if the
unrar package isn't. Therefore I don't mind keeping libclamunrar in
(o-)p-u until the point release. It is non-free after all.

> I assume the bundled library isn't used as-is in the Debian packaging,
> that being why libclamunrar exists.

The last time I looked the src:unrar package either didn't provide the
library or something else was different. So I tried to replace it with
libarchive but upstream wasn't pleased because it did not support some
"newer" rar formats. But now (as of the recent CVE) I was looking
again, noticed the library and noticed that clamav upstream already
fiddled with their in-tree copy. However I will spend some cycles to
see if the in-tree library can be used. If it works then it will lower
the amount of swearing needed during packaging of a new version.

> Regards,
>
> Adam

Sebastian
Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1
On Wed, 2023-09-13 at 22:01 +0200, Sebastian Andrzej Siewior wrote:
> On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> > How does this sound for an SUA?
[...]
> This sounds entirely fine to me. I don't think that it is needed to
> point out that bullseye is not affected by the second issue.

Great, thanks.

> There is also this thing regarding libclamunrar and the update to
> v6.2.10 of the bundled library. I *think* it is related to
> CVE-2023-40477. Since unrar itself is only in -pu I think it is okay
> for libclamunrar to follow the same fate.

Just to be completely sure, "follow the same fate" here means leaving
libclamunrar in (o-)p-u until the point releases?

I assume the bundled library isn't used as-is in the Debian packaging,
that being why libclamunrar exists.

Regards,

Adam
Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1
On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> How does this sound for an SUA?
>
> ===
> Package : clamav
> Version : 1.0.3+dfsg-1~deb12u1 [bookworm]
>           0.103.10+dfsg-0+deb11u1 [bullseye]
> Importance : medium
>
> ClamAV is an AntiVirus toolkit for Unix.
>
> Upstream published versions 1.0.3 and 0.103.10.
>
> This is a bug-fix release and an upstream LTS release. The changes are not
> currently required for operation, but upstream strongly recommends that users
> update.
>
> Changes since 1.0.1 and 0.103.8 currently in bookworm and bullseye include
> fixes for a security issue:
>
> CVE-2023-20197: Possible denial of service vulnerability in the HFS+
> file parser.
>
> The update for bookworm also includes a fix for a second security issue:
>
> CVE-2023-20212: Possible denial of service vulnerability in the AutoIt
> module.
>
> If you use clamav, we recommend that you install this update.
> ===
>
> I'm not entirely happy with the CVE section, but not sure how else to
> present it, given that both updates fix one issue but aiui the second
> only applies to bookworm.

This sounds entirely fine to me. I don't think that it is needed to
point out that bullseye is not affected by the second issue.

There is also this thing regarding libclamunrar and the update to
v6.2.10 of the bundled library. I *think* it is related to
CVE-2023-40477. Since unrar itself is only in -pu I think it is okay
for libclamunrar to follow the same fate.

> Regards,
>
> Adam

Sebastian
Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1
On Sat, 2023-09-09 at 23:22 +0200, Sebastian Andrzej Siewior wrote:
>
> This is a quick update that I updated to 1.0.3+dfsg-1~deb12u1 as of
> today. The diff is mostly a version update. I additionally removed a log
> line from freshclam which logged harmless 304 "not modified"
> requests.
> This line was added in 1.0.0 and people complained, it got in as of
> 1.0.0 and is already removed in 1.1.x and later.
>
> The main reason for 1.0.3 was the unrar update and I updated so
> clamav does not complain about the lower version.
>
> It would be nice if this could be made available via d/updates.

How does this sound for an SUA?

===
Package : clamav
Version : 1.0.3+dfsg-1~deb12u1 [bookworm]
          0.103.10+dfsg-0+deb11u1 [bullseye]
Importance : medium

ClamAV is an AntiVirus toolkit for Unix.

Upstream published versions 1.0.3 and 0.103.10.

This is a bug-fix release and an upstream LTS release. The changes are not
currently required for operation, but upstream strongly recommends that users
update.

Changes since 1.0.1 and 0.103.8 currently in bookworm and bullseye include
fixes for a security issue:

CVE-2023-20197: Possible denial of service vulnerability in the HFS+
file parser.

The update for bookworm also includes a fix for a second security issue:

CVE-2023-20212: Possible denial of service vulnerability in the AutoIt
module.

If you use clamav, we recommend that you install this update.
===

I'm not entirely happy with the CVE section, but not sure how else to
present it, given that both updates fix one issue but aiui the second
only applies to bookworm.

Regards,

Adam
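The SUA above names the fixed version for each suite. As an added example, not part of this thread and not code from the clamav package or from Debian: a Python reimplementation of the dpkg version ordering (epoch, then upstream version, then Debian revision, with `~` sorting before everything including end-of-string), used to decide whether an installed clamav version is at or above the SUA's version for its suite. It goes beyond the thread in implementing the general comparison rather than just the two version pairs at hand. The fixed version strings are the ones in the SUA; the installed version strings in the `__main__` block are constructed sample input, and `FIXED_VERSIONS`, `compare_versions` and `is_fixed` are names chosen for this example.

```python
"""Debian version ordering, reimplemented to check clamav against the SUA.

Added example: not code from the Debian bug thread or from the clamav
package. It follows the ordering rules dpkg uses (see deb-version(7));
where dpkg is present, `dpkg --compare-versions` is the authoritative tool.
"""

# Fixed versions as stated in the SUA text of this thread.
FIXED_VERSIONS = {
    "bookworm": "1.0.3+dfsg-1~deb12u1",
    "bullseye": "0.103.10+dfsg-0+deb11u1",
}

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """Sort weight of one character: '~' < end-of-string/digit < letters < others."""
    if c == "~":
        return -1
    if c == "" or c in _DIGITS:
        return 0
    if ("a" <= c <= "z") or ("A" <= c <= "Z"):
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does.

    Alternates between a run of non-digits (compared character by character
    with _order) and a run of digits (compared numerically). Returns <0, 0, >0.
    """
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: ends as soon as one side reaches a digit or the end.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare as numbers.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1   # a has more digits left, so its number is larger
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is <, == or > version b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


def is_fixed(suite: str, installed: str) -> bool:
    """True when the installed clamav version is at or above the SUA's version for the suite."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


if __name__ == "__main__":
    # Constructed sample input standing in for `dpkg-query -W -f='${Version}' clamav`.
    for suite, installed in (("bookworm", "1.0.2+dfsg-1~deb12u1"),
                             ("bookworm", "1.0.3+dfsg-1~deb12u1"),
                             ("bullseye", "0.103.8+dfsg-0+deb11u1")):
        state = "fixed" if is_fixed(suite, installed) else "NOT fixed"
        print(f"{suite}: clamav {installed} is {state}")
```

On a real host, pass the output of `dpkg-query -W -f='${Version}' clamav` to `is_fixed`. The point worth seeing in the comparison is what the `~deb12u1` suffix buys: `1.0.3+dfsg-1~deb12u1` sorts below `1.0.3+dfsg-1`, so the stable update never outranks the version that will later arrive from unstable, while still sorting above the `1.0.2+dfsg-1~deb12u1` it replaces.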
Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1
On 2023-08-27 13:20:01 [+0200], To sub...@bugs.debian.org wrote:
> Package: release.debian.org
> Control: affects -1 + src:clamav
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: bookworm
> Severity: normal

This is a quick update that I updated to 1.0.3+dfsg-1~deb12u1 as of
today. The diff is mostly a version update. I additionally removed a log
line from freshclam which logged harmless 304 "not modified" requests.
This line was added in 1.0.0 and people complained, it got in as of
1.0.0 and is already removed in 1.1.x and later.

The main reason for 1.0.3 was the unrar update and I updated so clamav
does not complain about the lower version.

It would be nice if this could be made available via d/updates.

Sebastian

diff -Nru clamav-1.0.2+dfsg/CMakeLists.txt clamav-1.0.3+dfsg/CMakeLists.txt --- clamav-1.0.2+dfsg/CMakeLists.txt 2023-08-16 00:24:07.0 +0200 +++ clamav-1.0.3+dfsg/CMakeLists.txt 2023-08-25 23:18:34.0 +0200 @@ -22,7 +22,7 @@ set(VERSION_SUFFIX "") project( ClamAV - VERSION "1.0.2" + VERSION "1.0.3" DESCRIPTION "ClamAV open source email, web, and end-point anti-virus toolkit." ) set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH}) diff -Nru clamav-1.0.2+dfsg/debian/changelog clamav-1.0.3+dfsg/debian/changelog --- clamav-1.0.2+dfsg/debian/changelog 2023-08-27 11:35:11.0 +0200 +++ clamav-1.0.3+dfsg/debian/changelog 2023-09-09 16:36:13.0 +0200 @@ -1,3 +1,10 @@ +clamav (1.0.3+dfsg-1~deb12u1) bookworm; urgency=medium + + * Import 1.0.3 + * Remove unnecessary warning messages in freshclam during update. + + -- Sebastian Andrzej Siewior Sat, 09 Sep 2023 16:36:13 +0200 + clamav (1.0.2+dfsg-1~deb12u1) bookworm; urgency=medium * Import 1.0.2 (Closes: #1050057) diff -Nru clamav-1.0.2+dfsg/debian/.git-dpm clamav-1.0.3+dfsg/debian/.git-dpm --- clamav-1.0.2+dfsg/debian/.git-dpm 2023-08-27 11:35:11.0 +0200 +++ clamav-1.0.3+dfsg/debian/.git-dpm 2023-09-09 16:35:33.0 +0200 
@@ -1,8 +1,8 @@ # see git-dpm(1) from git-dpm package -de9cef7ab6e5a57247f9598340a0e64869429870 -de9cef7ab6e5a57247f9598340a0e64869429870 -7b4b490a9f8c93c9ef66c8d34be648796dd9f7bd -7b4b490a9f8c93c9ef66c8d34be648796dd9f7bd -clamav_1.0.2+dfsg.orig.tar.xz -c845d2c777adda943e7421c601924e1bee1864a8 -14134372 +b6798c1c1c1bd4e43f1ffbc36748adb5cf07787a +b6798c1c1c1bd4e43f1ffbc36748adb5cf07787a +6aeff1ef1ff425a1a201d8e3f2c5b8b1f8a60fdb +6aeff1ef1ff425a1a201d8e3f2c5b8b1f8a60fdb +clamav_1.0.3+dfsg.orig.tar.xz +329456b2e5930a422859b00ed0e08cc8ab53e2b3 +14191252 diff -Nru clamav-1.0.2+dfsg/debian/libclamav11.symbols clamav-1.0.3+dfsg/debian/libclamav11.symbols --- clamav-1.0.2+dfsg/debian/libclamav11.symbols 2023-08-27 11:35:11.0 +0200 +++ clamav-1.0.3+dfsg/debian/libclamav11.symbols 2023-09-09 16:36:13.0 +0200 
@@ -1,25 +1,25 @@ libclamav.so.11 libclamav11 #MINVER# * Build-Depends-Package: libclamav-dev - CLAMAV_PRIVATE@CLAMAV_PRIVATE 1.0.2 + CLAMAV_PRIVATE@CLAMAV_PRIVATE 1.0.3 CLAMAV_PUBLIC@CLAMAV_PUBLIC 1.0.0 - __cli_strcasestr@CLAMAV_PRIVATE 1.0.2 - __cli_strndup@CLAMAV_PRIVATE 1.0.2 - __cli_strnlen@CLAMAV_PRIVATE 1.0.2 - __cli_strnstr@CLAMAV_PRIVATE 1.0.2 - base64Flush@CLAMAV_PRIVATE 1.0.2 - blobAddData@CLAMAV_PRIVATE 1.0.2 - blobCreate@CLAMAV_PRIVATE 1.0.2 - blobDestroy@CLAMAV_PRIVATE 1.0.2 - cl_ASN1_GetTimeT@CLAMAV_PRIVATE 1.0.2 + __cli_strcasestr@CLAMAV_PRIVATE 1.0.3 + __cli_strndup@CLAMAV_PRIVATE 1.0.3 + __cli_strnlen@CLAMAV_PRIVATE 1.0.3 + __cli_strnstr@CLAMAV_PRIVATE 1.0.3 + base64Flush@CLAMAV_PRIVATE 1.0.3 + blobAddData@CLAMAV_PRIVATE 1.0.3 + blobCreate@CLAMAV_PRIVATE 1.0.3 + blobDestroy@CLAMAV_PRIVATE 1.0.3 + cl_ASN1_GetTimeT@CLAMAV_PRIVATE 1.0.3 cl_always_gen_section_hash@CLAMAV_PUBLIC 1.0.0 - cl_base64_decode@CLAMAV_PRIVATE 1.0.2 - cl_base64_encode@CLAMAV_PRIVATE 1.0.2 - cl_cleanup_crypto@CLAMAV_PRIVATE 1.0.2 + cl_base64_decode@CLAMAV_PRIVATE 1.0.3 + cl_base64_encode@CLAMAV_PRIVATE 1.0.3 + cl_cleanup_crypto@CLAMAV_PRIVATE 1.0.3 cl_countsigs@CLAMAV_PUBLIC 1.0.0 cl_cvdfree@CLAMAV_PUBLIC 1.0.0 cl_cvdhead@CLAMAV_PUBLIC 1.0.0 cl_cvdparse@CLAMAV_PUBLIC 1.0.0 - cl_cvdunpack@CLAMAV_PRIVATE 1.0.2 + cl_cvdunpack@CLAMAV_PRIVATE 1.0.3 cl_cvdverify@CLAMAV_PUBLIC 1.0.0 cl_debug@CLAMAV_PUBLIC 1.0.0 cl_engine_addref@CLAMAV_PUBLIC 1.0.0 @@ -28,7 +28,7 @@ cl_engine_get_num@CLAMAV_PUBLIC 1.0.0 cl_engine_get_str@CLAMAV_PUBLIC 1.0.0 cl_engine_new@CLAMAV_PUBLIC 1.0.0 - cl_engine_set_clcb_engine_compile_progress@CLAMAV_PRIVATE 1.0.2 + cl_engine_set_clcb_engine_compile_progress@CLAMAV_PRIVATE 1.0.3 cl_engine_set_clcb_file_inspection@CLAMAV_PUBLIC 1.0.0 cl_engine_set_clcb_file_props@CLAMAV_PUBLIC 1.0.0 cl_engine_set_clcb_hash@CLAMAV_PUBLIC 1.0.0 
@@ -37,7 +37,7 @@ cl_engine_set_clcb_pre_cache@CLAMAV_PUBLIC 1.0.0 cl_engine_set_clcb_pre_scan@CLAMAV_PUBLIC 1.0.0 cl_engine_set_clcb_sigload@CLAMAV_PUBLIC 1.0.0 - cl_engine_set_clcb_sigload_progress@CLAMAV_PRIVATE 1.0.2 +
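Review bot: The new debian/changelog entry for 1.0.3+dfsg-1~deb12u1 lists only "Import 1.0.3" and the freshclam warning removal, yet the SUA drafted in this thread says the update fixes CVE-2023-20197 (HFS+ file parser) and CVE-2023-20212 (AutoIt module); name those identifiers in the entry, for example "* Import 1.0.3, fixing CVE-2023-20197 and CVE-2023-20212", so the security tracker and apt-listchanges readers can tie the upload to the issues it closes. The entry also says nothing about the bundled unrar library update, which the cover message gives as the main reason for moving to 1.0.3.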
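Review bot: In debian/libclamav11.symbols every CLAMAV_PRIVATE symbol and the CLAMAV_PRIVATE version node itself move from 1.0.2 to 1.0.3 while the CLAMAV_PUBLIC symbols stay at 1.0.0, which matches what the 1.0.2 upload did and gives anything linking the private symbols a libclamav11 (>= 1.0.3) dependency; confirm that only the binaries built from src:clamav consume CLAMAV_PRIVATE symbols, since any other reverse dependency in bookworm would need a rebuild against this upload. The posted diff stops mid-hunk at the removal of `- cl_engine_set_clcb_sigload_progress@CLAMAV_PRIVATE 1.0.2`, so the remainder of the symbols hunk could not be reviewed here.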