Re: ClamAV update in jessie
Hi Salvatore,

> I would say it depends a bit. It might be clear, but just to be on the
> safe side stating it here: the CVEs fixed for clamav are not to be
> associated with those rebuild packages as well.
>
> I was thinking if I remember similar cases for DSAs. Let me see, on top
> of the head I do not recall actually much such special cases. Only two I
> remembered and looked up, there might be more!
>
> DSA-3433-1 was a case where we needed an update for ldb first, and then
> a rebuild of samba as well with that version in place. So not really
> exactly what you have here.
>
> CVE-2013-7439 was another case, more similar to the one which is to be
> handled by you. As the list there was too long, we decided back then to
> put the list in the tracker, this is not very optimal though. If you
> have only those couple of rebuilds, then you simply can state this in
> the DLA for clamav, that package x, y and z are to be rebuilt for the
> ABI changes.
>
> Of course you can decide to release single DLAs for the 'package update
> due to the need of rebuild', but I guess it should be made clear then
> in the text of the DLA that they are just needed due to the ABI change
> in clamav.

Thanks for this advice. Indeed, releasing security advisories for rebuilds (which are, in the end, non-security related issues) doesn't sound right.

Releasing a single DLA similar to dsa-3224 is probably the best option, and instead of pointing to the tracker I would just explain the situation and list the four reverse dependencies.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Re: ClamAV update in jessie
Hi Hugo,

On Fri, Oct 04, 2019 at 11:37:29AM +0200, Hugo Lefeuvre wrote:
> Regarding the DLAs. I plan to release a DLA per upload (one DLA for clamav
> and one for each reverse dependency). Announcing all five uploads under a
> single DLA seems a bit messy to me.

I would say it depends a bit. It might be clear, but just to be on the safe side stating it here: the CVEs fixed for clamav are not to be associated with those rebuild packages as well.

I was thinking if I remember similar cases for DSAs. Let me see, on top of the head I do not recall actually much such special cases. Only two I remembered and looked up, there might be more!

DSA-3433-1 was a case where we needed an update for ldb first, and then a rebuild of samba as well with that version in place. So not really exactly what you have here.

CVE-2013-7439 was another case, more similar to the one which is to be handled by you. As the list there was too long, we decided back then to put the list in the tracker, this is not very optimal though. If you have only those couple of rebuilds, then you simply can state this in the DLA for clamav, that package x, y and z are to be rebuilt for the ABI changes.

Of course you can decide to release single DLAs for the 'package update due to the need of rebuild', but I guess it should be made clear then in the text of the DLA that they are just needed due to the ABI change in clamav.

Regards,
Salvatore
Re: ClamAV update in jessie
On Fri, Oct 04, 2019 at 11:37:29AM +0200, Hugo Lefeuvre wrote:
> Ack, I have prepared updates for clamav and the four reverse dependencies,
> currently testing them.

yay!

> I plan to upload reverse dependencies as soon as all clamav builds
> succeeded and clamav binary packages are available in the archive. I don't
> think they would build if I uploaded them earlier.

sounds good to me. (or maybe rather the best we can do right now. thinking further I do think we should have staging areas for these kinds of uploads. we (debian) also have a similar problem regularly with linux uploads.)

> Regarding the DLAs. I plan to release a DLA per upload (one DLA for clamav
> and one for each reverse dependency). Announcing all five uploads under a
> single DLA seems a bit messy to me.

sounds good to me.

-- 
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: ClamAV update in jessie
Hi,

> thanks, something in that order of magnitude is ok...

Ack, I have prepared updates for clamav and the four reverse dependencies, currently testing them.

This is going to be my first time organizing a transition in jessie-security, so a few things are still unclear to me.

Obviously clamav should be uploaded first. This will, however, break the reverse dependencies, i.e. they should be uploaded as soon as possible after clamav.

I plan to upload reverse dependencies as soon as all clamav builds have succeeded and clamav binary packages are available in the archive. I don't think they would build if I uploaded them earlier.

Regarding the DLAs. I plan to release a DLA per upload (one DLA for clamav and one for each reverse dependency). Announcing all five uploads under a single DLA seems a bit messy to me.

Any comment?

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Re: ClamAV update in jessie
Hi Hugo,

On Wed, Oct 02, 2019 at 10:25:19PM +0200, Hugo Lefeuvre wrote:
> The debdiffs are fairly simple, and the versions are close. Probably six
> hours altogether, but this is a rough estimation.

thanks, something in that order of magnitude is ok...

-- 
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: ClamAV update in jessie
Hi Holger,

> > This work has already been done for stretch, so we should be able to
> > backport it to jessie. Still, I'm going to spend quite some time on it...
>
> what does 'some time' mean? in general, this seems reasonable to me.

The debdiffs are fairly simple, and the versions are close. Probably six hours altogether, but this is a rough estimation.

FTR, the transition in stretch was tracked as #924278[0].

cheers,
Hugo

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924278

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Re: ClamAV update in jessie
On Wed, Oct 02, 2019 at 07:16:10PM +0200, Hugo Lefeuvre wrote:
> This work has already been done for stretch, so we should be able to
> backport it to jessie. Still, I'm going to spend quite some time on it...

what does 'some time' mean? in general, this seems reasonable to me.

-- 
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
ClamAV update in jessie
Hi,

I've spent a couple of hours working on ClamAV since yesterday. I have backported Sebastian Andrzej Siewior's work to jessie, and tested it. Fine so far, this fixes a couple of issues including the Zip bomb ones.

Problem: we're backporting 0.101.4 to jessie. This implies an ABI bump and unless I am mistaken requires uploads for a few reverse dependencies:

- python-pyclamav
- havp
- dansguardian
- libc-icap-mod-virus-scan

This work has already been done for stretch, so we should be able to backport it to jessie. Still, I'm going to spend quite some time on it...

I'd like to know what you think about this, and if you can think of any alternative/less time consuming solution. (cherry-picking changes does not seem reasonable to me)

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
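An added example, not from this thread and not part of the Debian clamav packaging, that mechanises the two steps discussed above: deriving the list of reverse dependencies that need a no-change rebuild after the ABI bump, and checking that the new library package is in the archive before those rebuilds are uploaded. It parses a constructed Packages-index excerpt; the reverse-dependency names follow the thread, while the libclamav7/libclamav9 package names and all Depends lines are assumptions.

```python
import re

# Constructed Packages-index excerpt (not real archive data): the reverse
# dependency names follow the thread; libclamav7 and the Depends lines are
# assumptions made for this example.
PACKAGES = """\
Package: clamav-daemon
Source: clamav
Depends: libclamav7 (= 0.100.3+dfsg-0+deb9u1), clamav-base

Package: havp
Depends: libc6 (>= 2.4), libclamav7 (>= 0.100.0), adduser

Package: python-pyclamav
Depends: python (>= 2.7), libclamav7 (>= 0.99)

Package: dansguardian
Depends: libc6 (>= 2.4), libclamav7 | libclamav6, adduser

Package: libc-icap-mod-virus-scan
Depends: libclamav7 (>= 0.100.0), libicapapi3
"""

def parse_packages(text):
    """Split a Packages index into {binary name: {field: value}}."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict((k.strip(), v.strip()) for k, _, v in
                      (line.partition(":") for line in stanza.splitlines()))
        pkgs[fields["Package"]] = fields
    return pkgs

def depends_on(fields, lib_pkg):
    """True if any alternative of any Depends clause names lib_pkg."""
    for clause in fields.get("Depends", "").split(","):
        for alt in clause.split("|"):
            tokens = alt.split()  # first token is the name, rest the version
            if tokens and tokens[0] == lib_pkg:
                return True
    return False

def rebuild_set(index_text, old_lib, lib_source):
    """Binaries depending on old_lib that are not built from lib_source itself."""
    return sorted(name for name, f in parse_packages(index_text).items()
                  if depends_on(f, old_lib)
                  and f.get("Source", name).split()[0] != lib_source)

def new_abi_available(index_text, new_lib):
    """Rebuilds only succeed once the new SONAME package is in the archive."""
    return new_lib in parse_packages(index_text)
```

Packages built from the clamav source itself (clamav-daemon here) are excluded because the clamav upload rebuilds them; the remaining four are exactly the reverse dependencies listed above.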