Bug 38629 - Update clamav to 0.98.7 (ES 3.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.1
Other Linux
P5 normal
UCS 3.1-ES
Assigned To: Philipp Hahn
Janek Walkenhorst
Duplicates: 38428
Reported: 2015-06-01 12:06 CEST by Arvid Requate
Modified: 2015-06-19 16:06 CEST
Bug group (optional): Security
requate: Patch_Available+


Attachments
Advisory ClamAV 0.98.7 extsec3.1 (1.67 KB, text/plain)
2015-06-08 12:13 CEST, Philipp Hahn
Advisory ClamAV 0.98.7 extsec3.1 v2 (1.67 KB, text/plain)
2015-06-12 17:51 CEST, Philipp Hahn
Description Arvid Requate univentionstaff 2015-06-01 12:06:16 CEST
clamav 0.98.7 has been released. We may want to update to this version in ES 3.1 as well to fix security issues with ClamAV itself and to keep up-to-date with handling engine features required for malware scanning. errata2.1-1 shipped 0.97.7+dfsg-1~squeeze1. See Bug 36965 for the list of issues fixed. 



+++ This bug was initially created as a clone of Bug #36965 +++
Comment 1 Arvid Requate univentionstaff 2015-06-01 12:06:34 CEST
*** Bug 38428 has been marked as a duplicate of this bug. ***
Comment 2 Arvid Requate univentionstaff 2015-06-01 12:08:40 CEST
Note the warning of Bug 36965:

When building this the update to the new upstream release needs to be added as a patch, otherwise we have the problem that there might be an erratum update in ES 3.1, which is more recent than in 3.2-0 and/or 4.0-0.

The clamav version in 4.0 uses the system copy of LLVM, but the ClamAV tarball also includes a local copy, so the dependencies must be adapted not to build-depend on libllvm.
Comment 3 Philipp Hahn univentionstaff 2015-06-08 12:10:36 CEST
$ repo_admin.py --cherrypick -r 3.2-0 -s errata3.2-6 --releasedest 3.1-0 --dest extsec3.1 -p clamav

Debian-Version          Scope        UCS-Version
0.97.7+dfsg-1~squeeze1  errata3.1-1  0.97.7+dfsg-1.122.201305101425
0.97.8+dfsg-1~squeeze1  ucs3.2-0     0.97.8+dfsg-1.123.201307301517

r14803 | Bug #38629: ClamAV 0.98.7 for UCS-3.1

Package: clamav
Version: 0.97.7+dfsg-2~really0.98.7+dfsg-0.152.201506081116
Branch: ucs_3.1-0
Scope: extsec3.1

OK: apt-get install clamav
OK: clamscan test/clam*
Comment 4 Philipp Hahn univentionstaff 2015-06-08 12:13:05 CEST
Created attachment 6947 [details]
Advisory ClamAV 0.98.7 extsec3.1

The list of CVEs is incomplete, as neither the upstream ChangeLog nor the Debian-ChangeLog lists all CVEs. The mentioned list of CVEs has been compiled for Bug #36965, but the update 0.97.7+dfsg-1 to 0.98.7+dfsg-0 contains additional changes.
Comment 5 Janek Walkenhorst univentionstaff 2015-06-12 16:21:57 CEST
Tests (amd64):
 clamav: OK
 freshclam: OK
Advisory: OK
Version number: OK
Comment 6 Janek Walkenhorst univentionstaff 2015-06-12 17:06:15 CEST
Package: clamav-daemon
Version: 0.97.7+dfsg-2~really0.98.7+dfsg-0.152.201506081116
Breaks: clamav-base (<< 0.98.1+dfsg-6)
this makes this package uninstallable.

Replaces: clamav-base (<< 0.98.1+dfsg-6)
Maybe this version must be corrected too?
Comment 7 Philipp Hahn univentionstaff 2015-06-12 17:50:25 CEST
(In reply to Janek Walkenhorst from comment #6)
> > Package: clamav-daemon
> > Version: 0.97.7+dfsg-2~really0.98.7+dfsg-0.152.201506081116
> > Breaks: clamav-base (<< 0.98.1+dfsg-6)
> this makes this package uninstallable.

Changed to "0.97.7+dfsg-2~really0.98.1+dfsg-6"

> > Replaces: clamav-base (<< 0.98.1+dfsg-6)
> Maybe this version must be corrected too?

Yes, also fixed

r14821 | Bug #38629: ClamAV 0.98.7 for UCS-3.1

Package: clamav
Version: 0.97.7+dfsg-2~really0.98.7+dfsg-0.155.201506121728
Branch: ucs_3.1-0
Scope: extsec3.1

OK: apt-get install clamav-daemon
OK: aptitude install '?source-package(^clamav$)'
Comment 8 Philipp Hahn univentionstaff 2015-06-12 17:51:14 CEST
Created attachment 6961 [details]
Advisory ClamAV 0.98.7 extsec3.1 v2

Updated Fixed version to 0.97.7+dfsg-2~really0.98.7+dfsg-0.155.201506121728
Comment 9 Janek Walkenhorst univentionstaff 2015-06-16 18:03:35 CEST
Tests (amd64):
 clamav: OK
 freshclam: OK
Advisory: OK
Version number: OK
Comment 10 Janek Walkenhorst univentionstaff 2015-06-19 16:06:25 CEST
Released