Bug 57798 - clamav: Multiple issues (5.0)
Summary: clamav: Multiple issues (5.0)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.0
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 5.0-9-errata
Assignee: Quality Assurance
QA Contact: Arvid Requate
URL: https://www.freexian.com/lts/extended...
Duplicates: 57797 57801
Reported: 2024-12-05 16:02 CET by Quality Assurance
Modified: 2024-12-18 14:48 CET (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) NVD


Description Quality Assurance univentionstaff 2024-12-05 16:02:50 CET
New Debian clamav 1.0.7+dfsg-1~deb10u1A~5.0.9.202412051602 fixes:
This update addresses the following issues:
1.0.7+dfsg-1~deb10u1 (Thu, 31 Oct 2024 12:00:46 -0300)
* Non-maintainer upload by the ELTS team.
* Backport version 1.0.7 from bookworm to buster to fix security issues.
  - d/control: b-d on binaries provided by rustc-web.
  - d/control: b-d on cmake-latest instead of cmake.
  - d/control: b-d on linux-libc-dev.
  - d/p/backports: add patch to skip test failing in ELTS releases due to old version of ca-certificates.
  - CVE-2024-20505
  - CVE-2024-20506
1.0.7+dfsg-1~deb12u1 (Thu, 03 Oct 2024 11:57:45 +0200)
* Import 1.0.7
  - CVE-2024-20506 (Changed the logging module to disable following symlinks on Linux)
  - CVE-2024-20505 (Fixed a possible out-of-bounds read bug in the PDF file parser).
1.0.5+dfsg-1~deb12u1 (Thu, 08 Feb 2024 21:58:26 +0100)
* Import 1.0.5.
  - Update symbols.
  - CVE-2024-20290 (Fixed a possible heap overflow read bug in the OLE2 file parser that could cause a denial-of-service (DoS) condition.)
  - CVE-2024-20328 (Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service.)
1.0.4+dfsg-1~deb12u1 (Sun, 04 Feb 2024 11:45:46 +0100)
* Import 1.0.4
  - Update symbols.
1.0.3+dfsg-1~deb12u1 (Sat, 09 Sep 2023 16:36:13 +0200)
* Import 1.0.3
* Remove unnecessary warning messages in freshclam during update.
1.0.2+dfsg-1~deb12u1 (Sun, 27 Aug 2023 11:35:11 +0200)
* Import 1.0.2
  - CVE-2023-20197 (Possible DoS in HFS+ file parser).
  - CVE-2023-20212 (Possible DoS in AutoIt file parser).
* Use cmake for xml2 detection.
* Replace tomsfastmath with OpenSSL's BN.
* Don't enable clamonacc by default.
* Let the clamav-daemon.socket depend on the service file again.
1.0.1+dfsg-2 (Sun, 26 Feb 2023 17:39:06 +0100)
* Depend on latest libtfm1 (Closes: #1031896, #1027010).
1.0.1+dfsg-1 (Fri, 17 Feb 2023 20:29:05 +0100)
* Import 1.0.1
  - CVE-2023-20032 (Possible RCE in the HFS+ file parser).
  - CVE-2023-20052 (Possible information leak in the DMG file parser).
1.0.0+dfsg-6 (Sat, 21 Jan 2023 18:02:12 -0500)
[ Sebastian Andrzej Siewior ]
* Add d/p/Add-an-option-to-avoid-setting-RPATH-on-unix-systems.patch to fix rpath issues
[ Scott Kitterman ]
* Remove obsolete usr/share/doc/*/NEWS.gz links from debian/*.links, no longer provided in the package (Thanks to Paul Wise for reporting)
* Complete update of d/copyright for upstream file removal/reorganization
* Restore and update clamav-freshclam and libclamav lintian-overrides for current lintian
* Drop depends on obsolete package lsb-base
1.0.0+dfsg-5 (Fri, 06 Jan 2023 12:33:39 -0500)
* Update paths in d/tests/clamd for new source layout
* Add misc:Pre-Depends to clamav-daemon and clamav-milter for init-system-helpers
* Remove obsolete debian/NEWS file
* More lintian override corrections
* Start of removing obsolete d/copyright entries
* Fix testsuite on big endian architectures.
1.0.0+dfsg-4 (Wed, 04 Jan 2023 18:32:47 -0500)
* Drop unneeded build-depends on rust-lldb.
1.0.0+dfsg-3 (Wed, 04 Jan 2023 15:06:03 -0500)
* Upload to unstable
* Directly trigger html docs build to fix lack of html docs and update clamav-docs.install
* Fixup duplicate globs in d/copyright
* Update paths for new source layout in lintian overrides
* Update clean rule for new tests
* Add debian/source/options to ignore changes in Cargo.lock when regenerated during build
* Remove obsolete overrides from d/rules
1.0.0+dfsg-2 (Mon, 02 Jan 2023 18:38:42 +0100)
* Add libclamav11 replaces libclamav9 since the libfreshclam so name did not change.
* Use a version-script and limit the exported symbols of libclamav and libfreshclam.
1.0.0+dfsg-1 (Sat, 31 Dec 2022 13:44:59 +0100)
* Update to 1.0.0.
Comment 1 Arvid Requate univentionstaff 2024-12-05 16:28:08 CET
ucs-patches:
0b8f21c74 | Adjust clamav patch to new upstream

But the package still doesn't build:

The following packages have unmet dependencies:
pbuilder-satisfydepends-dummy : Depends: cargo-web which is a virtual package and is not provided by any available package
Depends: cmake-latest which is a virtual package and is not provided by any available package
Depends: rustc-web which is a virtual package and is not provided by any available package
Depends: rust-web-gdb which is a virtual package and is not provided by any available package
Depends: rustfmt-web which is a virtual package and is not provided by any available package
Unable to resolve dependencies!  Giving up...
Comment 2 Arvid Requate univentionstaff 2024-12-05 17:37:41 CET
*** Bug 57797 has been marked as a duplicate of this bug. ***
Comment 3 Arvid Requate univentionstaff 2024-12-05 18:23:08 CET
Looks like we need to install the newly added build-dependencies:

* /mnt/build-storage/upstream/freexian/pool/main/c/cmake-latest/cmake-latest_3.18.4-2~deb10u1.dsc
* /mnt/build-storage/upstream/freexian/pool/main/r/rustc-web/rustc-web_1.78.0+dfsg1-2~deb10u1.dsc
* /mnt/build-storage/upstream/freexian/pool/main/l/llvm-toolchain-16/llvm-toolchain-16_16.0.6-15~deb10u1.dsc
Comment 4 Arvid Requate univentionstaff 2024-12-05 21:51:38 CET
The max CVSS base score is 7.5 actually.

The 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) was detected for CVE-2023-20032 but Debian and UCS already fixed that in Feb 2023:
 https://errata.software-univention.de/#/?erratum=5.0x590
Comment 5 Arvid Requate univentionstaff 2024-12-09 14:24:04 CET
After a manual test with the new clamav 1.0.7 package (ucs-test-mail) and some consideration
I've simply imported the new build-dependencies from freexian into `errata5.0-9` (following
the example for new linux kernel source packages documented in dev-handbook) and then, to
build the new source package version including the patch from ucs-patches, I've run the command

build-package-ng -p clamav -r 5.0 -s errata5.0-9 -v '1.0.7+dfsg-1~deb10u1A~5.0.9.202412091213'

which was mentioned as failing by the Jenkins job CheckDebianUpdates for 5.0-9.

Successful build
Package: clamav
Version: 1.0.7+dfsg-1~deb10u1A~5.0.9.202412091213
Branch: ucs_5.0-0-errata5.0-9
Scope: errata5.0-9

I've then manually created an advisory, taking
git show 4.4-9:doc/errata/staging/clamav.yaml
as template for reference.

85c4c27a1e2 | Advisory

I've not yet imported updated versions for 5 packages which
depend on clamav, mentioned in https://www.freexian.com/lts/extended/updates/ela-1268-1-clamav/
Let's discuss if/which we need of those.
Comment 6 Quality Assurance univentionstaff 2024-12-09 15:00:08 CET
--- mirror/ftp/pool/main/c/clamav/clamav_0.103.9+dfsg-0+deb10u1A~5.0.4.202308290843.dsc
+++ apt/ucs_5.0-0-errata5.0-9/source/clamav_1.0.7+dfsg-1~deb10u1A~5.0.9.202412091213.dsc
@@ -1,31 +1,132 @@
-0.103.9+dfsg-0+deb10u1A~5.0.4.202308290843 [Tue, 29 Aug 2023 08:44:17 +0200] Univention builddaemon <buildd@univention.de>:
+1.0.7+dfsg-1~deb10u1A~5.0.9.202412091213 [Mon, 09 Dec 2024 14:10:30 -0000] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     030-silence-version-msg.quilt
 
-0.103.9+dfsg-0+deb10u1 [Mon, 28 Aug 2023 05:00:07 +0530] Utkarsh Gupta <utkarsh@debian.org>:
-
-  * Non-maintainer upload by the LTS Team.
-  * New upstream version 0.103.9+dfsg.
-    - CVE-2023-20197: possible denial of service vulnerability in the
-      HFS+ file parser.
-  * Update symbols file.
-
-0.103.8+dfsg-0+deb10u1 [Mon, 20 Feb 2023 14:32:21 +0100] Emilio Pozuelo Monfort <pochu@debian.org>:
-
-  * Non-maintainer upload by the LTS Team.
-  * New upstream release.
+1.0.7+dfsg-1~deb10u1 [Thu, 31 Oct 2024 12:00:46 -0300] Lucas Kanashiro <lucas@freexian.com>:
+
+  * Non-maintainer upload by the ELTS team.
+  * Backport version 1.0.7 from bookworm to buster to fix security issues.
+    - d/control: b-d on binaries provided by rustc-web.
+    - d/control: b-d on cmake-latest instead of cmake.
+    - d/control: b-d on linux-libc-dev.
+    - d/p/backports: add patch to skip test failing in ELTS releases due to
+      old version of ca-certificates.
+    - CVE-2024-20505
+    - CVE-2024-20506
+
+1.0.7+dfsg-1~deb12u1 [Thu, 03 Oct 2024 11:57:45 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Import 1.0.7 (Closes: #1080962)
+    - CVE-2024-20506 (Changed the logging module to disable following symlinks
+      on Linux)
+    - CVE-2024-20505 (Fixed a possible out-of-bounds read bug in the PDF file
+      parser).
+
+1.0.5+dfsg-1~deb12u1 [Thu, 08 Feb 2024 21:58:26 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Import 1.0.5 (Closes: #1063479).
+    - Update symbols.
+    - CVE-2024-20290 (Fixed a possible heap overflow read bug in the OLE2 file
+      parser that could cause a denial-of-service (DoS) condition.)
+    - CVE-2024-20328 (Fixed a possible command injection vulnerability in the
+      "VirusEvent" feature of ClamAV's ClamD service.
+
+1.0.4+dfsg-1~deb12u1 [Sun, 04 Feb 2024 11:45:46 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Import 1.0.4
+    - Update symbols.
+
+1.0.3+dfsg-1~deb12u1 [Sat, 09 Sep 2023 16:36:13 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Import 1.0.3
+  * Remove unnecessary warning messages in freshclam during update.
+
+1.0.2+dfsg-1~deb12u1 [Sun, 27 Aug 2023 11:35:11 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Import 1.0.2 (Closes: #1050057)
+    - CVE-2023-20197 (Possible DoS in HFS+ file parser).
+    - CVE-2023-20212 (Possible DoS in AutoIt file parser).
+  * Use cmake for xml2 detection (Closes: #949100).
+  * Replace tomsfastmath with OpenSSL's BN.
+  * Don't enable clamonacc by default (Closes: #1030171).
+  * Let the clamav-daemon.socket depend on the service file again
+    (Closes: #1044136).
+
+1.0.1+dfsg-2 [Sun, 26 Feb 2023 17:39:06 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Depend on latest libtfm1 (Closes: #1031896, #1027010).
+
+1.0.1+dfsg-1 [Fri, 17 Feb 2023 20:29:05 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Import 1.0.1 (Closes: #1031509)
     - CVE-2023-20032 (Possible RCE in the HFS+ file parser).
     - CVE-2023-20052 (Possible information leak in the DMG file parser).
-  * Update symbols and clamav compatibility level.
-
-0.103.7+dfsg-0+deb10u1 [Sun, 04 Dec 2022 22:22:22 +0530] Utkarsh Gupta <utkarsh@debian.org>:
-
-  * Non-maintainer upload by the LTS team.
+
+1.0.0+dfsg-6 [Sat, 21 Jan 2023 18:02:12 -0500] Scott Kitterman <scott@kitterman.com>:
+
+  [ Sebastian Andrzej Siewior ]
+  * Add d/p/Add-an-option-to-avoid-setting-RPATH-on-unix-systems.patch to fix
+    rpath issues
+
+  [ Scott Kitterman ]
+  * Remove obsolete usr/share/doc/*/NEWS.gz links from debian/*.links, no
+    longer provided in the package (Thanks to Paul Wise for reporting)
+    (Closes: #1029173)
+  * Complete update of d/copyright for upstream file removal/reorganization
+  * Restore and update clamav-freshclam and libclamav lintian-overrides for
+    current lintian
+  * Drop depends on obsolete package lsb-base
+
+1.0.0+dfsg-5 [Fri, 06 Jan 2023 12:33:39 -0500] Scott Kitterman <scott@kitterman.com>:
+
+  [ Scott Kitterman ]
+  * Update paths in d/tests/clamd for new source layout
+  * Add misc:Pre-Depends to clamav-daemon and clamav-milter for
+    init-system-helpers
+  * Remove obsolete debian/NEWS file
+  * More lintian override corrections
+  * Start of removing obsolete d/copyright entries
+
+  [ Sebastian Andrzej Siewior ]
+  * Fix testsuite on big endian architectures.
+
+1.0.0+dfsg-4 [Wed, 04 Jan 2023 18:32:47 -0500] Scott Kitterman <scott@kitterman.com>:
+
+  * Drop unneeded build-depends on rust-lldb (Closes: #1027948).
+
+1.0.0+dfsg-3 [Wed, 04 Jan 2023 15:06:03 -0500] Scott Kitterman <scott@kitterman.com>:
+
+  * Upload to unstable
+  * Directly trigger html docs build to fix lack of html docs and update
+    clamav-docs.install
+  * Fixup duplicate globs in d/copyright
+  * Update paths for new source layout in lintian overrides
+  * Update clean rule for new tests
+  * Add debian/source/options to ignore changes in Cargo.lock when regenerated
+    during build
+  * Remove obsolete overrides from d/rules
+
+1.0.0+dfsg-2 [Mon, 02 Jan 2023 18:38:42 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  [ Scott Kitterman ]
+  * Add libclamav11 replaces libclamav9 since the libfreshclam so name did not
+    change (Closes: #1027698).
+
+  [ Sebastian Andrzej Siewior ]
+  * Use a version-script and limit the exported symbols of libclamav and
+    libfreshclam.
+
+1.0.0+dfsg-1 [Sat, 31 Dec 2022 13:44:59 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Update to 1.0.0 (Closes: #1006179).
+
+0.103.7+dfsg-1 [Sun, 14 Aug 2022 21:33:51 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
   * Import 0.103.7
     - Update symbol file.
 
-0.103.6+dfsg-0+deb10u1 [Thu, 26 May 2022 10:19:13 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+0.103.6+dfsg-1 [Thu, 12 May 2022 18:55:59 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
   * Import 0.103.6
     - CVE-2022-20770 (Possible infinite loop vulnerability in the CHM file
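Review bot: The new top entry for 1.0.7+dfsg-1~deb10u1 names only CVE-2024-20505 and CVE-2024-20506, but this hunk replaces 0.103.9 directly with 1.0.7, so the added 1.0.5 and 1.0.2 entries bring CVE-2024-20290, CVE-2024-20328 and CVE-2023-20212 into this package for the first time (CVE-2023-20197 was already listed in the removed 0.103.9 entry). The advisory in doc/errata/staging/clamav.yaml should list those three as well. The same entry adds a d/p/backports patch that skips a test "failing in ELTS releases due to old version of ca-certificates" without naming the test; the advisory or commit notes should say which test is skipped, with confirmation that the failure is confined to the test and does not affect certificate validation at runtime.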
@@ -40,21 +141,23 @@
       vulnerability in the signature database load module.
     - Update symbol file.
 
-0.103.5+dfsg-0+deb10u1 [Thu, 13 Jan 2022 21:51:03 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+0.103.5+dfsg-1 [Wed, 12 Jan 2022 21:31:23 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
   * Import 0.103.5
    - CVE-2022-20698 (Fix for invalid pointer read that may cause a crash).
    - Update symbol file.
 
-0.103.4+dfsg-0+deb10u1 [Thu, 16 Dec 2021 21:05:39 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+0.103.4+dfsg-1 [Tue, 16 Nov 2021 22:03:15 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
   * Import 0.103.4
    - Update symbol file.
   * Add clamonacc.8.
   * Install clamonacc only on Linux. Patch by Laurent Bigonvill
     (Closes: #992776).
-
-0.103.3+dfsg-0+deb10u1 [Sat, 04 Sep 2021 15:51:26 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+  * Drop unused libidn11-dev dependency, suggested by Simon Josefsson
+    (Closes: #991976).
+
+0.103.3+dfsg-1 [Fri, 02 Jul 2021 00:06:16 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
   * Import 0.103.3
     - Update symbol file.
@@ -63,65 +166,97 @@
   * Remove clamav user on purge (Closes: #987861).
   * Remove freshclam.dat on purge.
 
-0.103.2+dfsg-0+deb10u1 [Wed, 14 Apr 2021 08:38:52 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
-
-  [ Sebastian Andrzej Siewior ]
+0.103.2+dfsg-2 [Thu, 15 Apr 2021 21:59:11 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Remove deprecated option SafeBrowsing from debconf templates.
+
+0.103.2+dfsg-1 [Mon, 12 Apr 2021 21:31:08 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
   * Import 0.103.2
     - CVE-2021-1252 (Fix for Excel XLM parser infinite loop.)
     - CVE-2021-1404 (Fix for PDF parser buffer over-read; possible crash.)
     - CVE-2021-1405 (Fix for mail parser NULL-dereference crash.)
-    - Fix testsuite in an IPv6 only environment (Closes: #963853).
-    - Update symbol file.
+    - Update symbol file.
+   (Closes: #986622).
+
+0.103.0+dfsg-3.1 [Sun, 21 Feb 2021 16:00:07 +0100] Sebastian Ramacher <sramacher@debian.org>:
+
+  * Non-maintainer upload.
+  * debian/patches: Apply upstream patch to fix call of ck_assert_msg (Closes:
+    #980592)
+
+0.103.0+dfsg-3 [Tue, 03 Nov 2020 22:03:19 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Update apparmor profile for clamd. Thanks to Stefano Callegari.
+    (Closes: #973619).
+
+0.103.0+dfsg-2 [Sun, 01 Nov 2020 20:29:46 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Update apparmor profile for freshclam. Thanks to Michael Borgelt.
+    (Closes: #972974)
+  * Fix testsuite in an IPv6 only environment (Closes: #963853).
+
+0.103.0+dfsg-1 [Sat, 24 Oct 2020 18:05:10 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Import 0.103.0
     - Drop CURL_CA_BUNDLE related patch, changes applied upstream.
-   (Closes: #986622).
+    - Update symbol file.
   * Rename NEWS.Debian to NEWS.
   * Update lintian overrides.
-  * Update apparmor profile for freshclam. Thanks to Michael Borgelt.
-    (Closes: #972974)
-  * Update apparmor profile for clamd. Thanks to Stefano Callegari.
-    (Closes: #973619).
-  * Remove deprecated option SafeBrowsing from debconf templates.
+
+0.102.4+dfsg-1 [Fri, 17 Jul 2020 20:30:03 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
   [ Helmut Grohne ]
   * Honour DEB_BUILD_OPTIONS=nocheck again. (Closes: #960843)
 
-0.102.4+dfsg-0+deb10u1 [Sat, 18 Jul 2020 00:22:32 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
-
+  [ Scott Kitterman ]
+  * Add Suggests for unversioned libclamunrar package on clamav-daemon and
+    clamav binaries
+
+  [ Sebastian Andrzej Siewior ]
   * Import 0.102.4
     - CVE-2020-3350 (A malicious user trick clamav into moving a different file).
     - CVE-2020-3327 (A vulnerability in the ARJ archive parsing module).
     - CVE-2020-3481 (A vulnerability in the EGG archive module).
   * Update symbol file.
 
-0.102.3+dfsg-0+deb10u1 [Sat, 30 May 2020 00:07:05 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
-
-  [ Sebastian Andrzej Siewior ]
+0.102.3+dfsg-1 [Sat, 16 May 2020 17:12:04 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
   * Import 0.102.3
    - CVE-2020-3327 (A vulnerability in the ARJ archive parsing module)
    - CVE-2020-3341 (A vulnerability in the PDF parsing module)
   * Update symbol file.
 
-  [ Scott Kitterman ]
-  * Add Suggests for unversioned libclamunrar package on clamav-daemon and
-    clamav binaries
-
-0.102.2+dfsg-0+deb10u1 [Sat, 22 Feb 2020 14:39:45 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+0.102.2+dfsg-2 [Sat, 22 Feb 2020 13:41:02 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Add a patch to let freshclam consider CURL_CA_BUNDLE environment variable
+    to set the CA bundle (like curl does) (Closes: #951057).
+  * Recommend ca-certificates, new freshclash uses https by default.
+  * Bump standards-version to 4.5.0 without further change
+  * Use dh-compat level 12.
+
+0.102.2+dfsg-1 [Sun, 09 Feb 2020 20:24:46 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
   * Import 0.102.2
     - CVE-2020-3123 (DoS may occur in the optional DLP feature)
       (Closes: 950944).
   * Update symbol file.
   * Set ReceiveTimeout to 0 which is upstream default.
-  * Add a patch to let freshclam consider CURL_CA_BUNDLE environment variable
-    to set the CA bundle (like curl does) (Closes: #951057).
-  * Recommend ca-certificates, new freshclash uses https by default.
-
-0.102.1+dfsg-0+deb10u2 [Fri, 31 Jan 2020 16:49:37 -0500] Scott Kitterman <scott@kitterman.com>:
-
+
+0.102.1+dfsg-3 [Fri, 31 Jan 2020 16:49:37 -0500] Scott Kitterman <scott@kitterman.com>:
+
+  * clamav-daemon: Do not cause an error on start if /run/clamav already
+    exists
   * clamav-daemon: Correct error from ScanOnAccess option removal so that
     setting LogFile options via DebConf works again (Closes: #950296)
-
-0.102.1+dfsg-0+deb10u1 [Mon, 23 Dec 2019 21:04:45 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+    (LP: #1861497)
+
+0.102.1+dfsg-2 [Mon, 23 Dec 2019 20:54:21 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Add the clamonacc binary to the clamav-daemon package.
+  * Drop ScanOnAccess option. The clamonacc provides this functionality.
+
+0.102.1+dfsg-1 [Sat, 30 Nov 2019 19:22:15 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
   * Import 0.102.1 (Closes: #945265)
    - CVE-2019-15961 (A Denial-of-Service as a result of excessively long scan
@@ -129,10 +264,8 @@
    - Let freshclam show progress during download (Closes: #690789).
   * Update symbol file.
   * Add libfreshclam to the libclamav9 package.
-  * Add the clamonacc binary to the clamav-daemon package.
-  * Drop ScanOnAccess option. The clamonacc provides this functionality.
-
-0.101.4+dfsg-0+deb10u1 [Sun, 25 Aug 2019 12:53:19 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+0.101.4+dfsg-1 [Sun, 25 Aug 2019 12:38:25 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
   * Import 0.101.4
    - CVE-2019-12625 (Add scan time limit to limit the processing zip-bombs)
@@ -141,10 +274,17 @@
      NSIS bzip)
    - update symbols file (bump to 101.4 and drop unused cli_strnstr).
 
-0.101.2+dfsg-1+deb10u1 [Tue, 06 Aug 2019 22:07:01 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+0.101.2+dfsg-3 [Tue, 06 Aug 2019 21:42:06 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
   * Cherry-pick a fix from 0.101.3 to address a vulnerability to
     non-recursive zip bombs.
+
+0.101.2+dfsg-2 [Fri, 02 Aug 2019 09:20:43 -0400] Scott Kitterman <scott@kitterman.com>:
+
+  * Remove python from build-depends:
+    - Only needed for llvm, which is currently (and probably permanently)
+      disabled
+    - Support python2 removal, if this comes back, it will need to be python3
 
 0.101.2+dfsg-1 [Sat, 30 Mar 2019 16:25:48 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 

<http://piuparts.knut.univention.de/5.0-9/#6701275052536284467>
Comment 7 Arvid Requate univentionstaff 2024-12-11 10:32:47 CET
4ebea85fa63 | Update list of maintained packages
4d54b2d951a | Keep libtfm1 on the list of maintained packages
Comment 8 Jan-Luca Kiok univentionstaff 2024-12-12 10:36:41 CET
*** Bug 57801 has been marked as a duplicate of this bug. ***
Comment 9 Arvid Requate univentionstaff 2024-12-12 10:49:21 CET
None of the packages depending on `libclamav9` have maintained status in UCS 5.0-x:

* https://packages.debian.org/source/buster/c-icap-modules  (binary packages: `libc-icap-*`)
* https://packages.debian.org/source/buster/cyrus-imapd
* https://packages.debian.org/source/buster/pg-snakeoil
* https://packages.debian.org/source/buster/python-clamav
* and also not https://packages.debian.org/buster/libclamunrar9

So I think it's fair to not update them unless we get an explicit business case request.
Comment 10 Arvid Requate univentionstaff 2024-12-12 10:54:59 CET
OK: bug
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
  New package libclamav11, maintained-packages.txt has been updated

[5.0-9] d6e3955011f Bug #57798: clamav 1.0.7+dfsg-1~deb10u1A~5.0.9.202412100051
 doc/errata/staging/clamav.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[5.0-9] 85c4c27a1e2 Bug #57798: Advisory
 doc/errata/staging/clamav.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)