Univention Bugzilla – Full Text Bug Listing |
Summary: | clamav: Multiple issues (4.2) | ||
---|---|---|---|
Product: | UCS | Reporter: | Quality Assurance <qa> |
Component: | Security updates | Assignee: | Philipp Hahn <hahn> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | normal | ||
Priority: | P3 | ||
Version: | UCS 4.2 | ||
Target Milestone: | UCS 4.2-4-errata | ||
Hardware: | All | ||
OS: | Linux | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) |
Description
Quality Assurance
2018-08-07 23:54:08 CEST
Debian Old-Stable (Jessie) still only has 0.100.0; I took clamav-0.100.1 + debian-0.100.0 + debian-0.100.1.diff to create a custom version for UCS.

/home/phahn/REPOS/repo-ng/tools/repo_admin.py -F -p clamav -r 4.2-0-0 -s errata4.2-4 --comment 'clamav-0.100.1 + deb8-0.100.0 + deb9-0.100.1.diff'

r18254 | Bug #47474: clamav-0.100.1 Update patches to apply to new upstream version
r18255 | Bug #47474: clamav-0.100.1 Drop 025-CVE-2017-xxx.patch as they were cherry-picked from 0.99.3, which are included in 0.100.1

Package: clamav
Version: 0.100.1+dfsg-0+deb8u0A~4.2.0.201808131059
Branch: ucs_4.2-0
Scope: errata4.2-4

[4.2-4] 957ceef5ca Bug #47474: clamav 0.100.1+dfsg-0+deb8u0A~4.2.0.201808131059
 doc/errata/staging/clamav.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

The version for errata4.2-4 is newer than the version in ucs4.3-0, but older than for errata4.3-1:
<http://xen1.knut.univention.de:8000/packages/source/clamav/?since=4.2>

Anybody updating from 4.2-4 to 4.3 should continue to 4.3-1 and will stay with the fixed version from errata4.2-4 until errata4.3-1 is passed.

--- mirror/ftp/4.2/unmaintained/4.2-4/source/clamav_0.99.2+dfsg-0.A~4.2.3.201801281200.dsc +++ apt/ucs_4.2-0-errata4.2-4/source/clamav_0.100.1+dfsg-0+deb8u0A~4.2.0.201808131059.dsc
@@ -1,10 +1,57 @@ -0.99.2+dfsg-0.A~4.2.3.201801281200 [Sun, 28 Jan 2018 12:04:08 +0100] Univention builddaemon <buildd@univention.de>: +0.100.1+dfsg-0+deb8u0A~4.2.0.201808131059 [Mon, 13 Aug 2018 10:59:23 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 010-utilize_ucr_autostart_settings 020-dont_fail_in_postinst_if_start_fails - 025-CVE-2017-xxx 030-silence-version-msg + +0.100.1+dfsg-0+deb8u0 [Mon, 13 Aug 2018 10:02:25 +0200] Philipp Hahn <hahn@univention.de>: + + [ Scott Kitterman ] + * Only create clamav user during clamav-base install if it does not exist + (LP: #121872) + - Thanks to Shane Williams for the patch + + [ Sebastian Andrzej Siewior ] + * Bump symbol version due to new version. + * Add read permission for freshclam on /var/log in the apparmor profile. + Thanks to Robie Basak (Closes: #902601). + + [ Philipp Hahn ] + * NMU. + * New upstrem relase (0.100.1) + - CVE-2018-0360 (HWP integer overflow, infinite loop vulnerabi) + - CVE-2018-0361 (ClamAV PDF object length check, unreasonably long time to + parse relatively small file) + +0.100.0+dfsg-0+deb8u1 [Wed, 25 Apr 2018 21:58:31 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: + + [ Sebastian Andrzej Siewior ] + * New upstream release. + - remove various documentation files including Changelog from the file + list because they are no longer included in upstream archive. + - update symbol file + * Don't replace config file with sample config after debconf gets disabled + (in milter and daemon (Closes: #870253). + * Add bytecode.c(l|v)d to log clamav-freshclam.logcheck.ignore.server. Patch + by Václav Ovsík <vaclav.ovsik@gmail.com> (Closes: #868766). + * Disable the freshclam service if changed to `manual' mode so it does not + start again after system reboot with systemd (Closes: #881780). 
+ * Drop "demime = *" from Debian.README for clamav, this option is deprecated + and will be removed from exim (Closes: #881634). + * Point Vcs-* tags to salsa. + + [ Scott Kitterman ] + * Update README.Debian to describe how to disable apparmor for clamav-daemon + and clamav-freshclam (Closes: #884707) + +0.99.4+dfsg-1+deb8u1 [Sat, 03 Mar 2018 13:54:29 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: + + * Update to upstream 0.99.4: + Fixes for CVE: CVE-2018-1000085, CVE-2018-0202. + * Update the gpg signing key (the old DSA expired). + * Update version of private symbols due to version change. + * Bump symbol version of cl_retflevel because CL_FLEVEL changed. 0.99.2+dfsg-0+deb8u3 [Sat, 27 Jan 2018 01:29:24 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:

<http://10.200.17.11/4.2-4/#5793810030417095322>

@Arvid: As I have manually created the package, please have a short look, too.

Verified:
* dropped SVN patches 025-CVE-2017-xxx.patch are included (0.99.2+dfsg-0+deb8u3)
* Package diffs (debian and upstream): Ok
* ucs-test/40_mail/02virus00basic still worked
* freshclam works:
--------------------------------------
ERROR: Can't save PID to file /var/run/clamav/freshclam.pid: Permission denied
freshclam daemon 0.100.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV update process started at Mon Aug 13 20:19:04 2018
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-24839.cdiff [100%]
daily.cld updated (version: 24839, sigs: 2047282, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Database updated (6613622 signatures) from db.local.clamav.net (IP: 104.16.186.138)
Clamd successfully notified about the update.
--------------------------------------
* Advisory: Ok (Minor wording fix: 6fd42bfe8e)
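
Review bot: In the new 0.100.1+dfsg-0+deb8u0 entry of the .dsc changelog diff, the CVE-2018-0360 line is cut off at "infinite loop vulnerabi" and the line above it reads "New upstrem relase"; both should be written out in full, since this entry is what an administrator greps when checking whether a given CVE is covered by the installed package. The same hunk removes 025-CVE-2017-xxx from the list of applied patches, but no changelog line records why. The reason is only in the r18255 commit message, so a line under [ Philipp Hahn ] stating that the patch was dropped because its fixes are contained in 0.100.1 would make the removal auditable from the package changelog alone.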