clamav considers itself OUTDATED, please provide context why this often is not a problem

Hi Jānis,

Thanks for reporting this bug to help us make Ubuntu better!

Would you mind describing your issue a bit further? e.g.,

> Clamavtk and freshclam installed says new update available

Where are you seeing this? Which program is giving you the information? Could you show us the message? How could I reproduce that behavior locally?

I am marking this bug as incomplete until we can gather more information to better assess the issue. When you provide the information, please, set this bug status back to new.

BTW, this __may__ be a duplicate of LP: #2046582

Clamavtk says that in 2 or 3 places- main menu, updates menu, maybe 3rd place was schedule updates.
NOT A DUPLICATE

When you install things the first time you get the current packages from the archive and they will start updating definitions in the background.

You'd see something like this in the log

Jan 02 12:01:24 f freshclam[3128]: Tue Jan 2 12:01:24 2024 -> ^Your ClamAV installation is OUTDATED!
Jan 02 12:01:24 f freshclam[3128]: Tue Jan 2 12:01:24 2024 -> ^Local version: 0.103.9 Recommended version: 0.103.11
Jan 02 12:01:24 f freshclam[3128]: Tue Jan 2 12:01:24 2024 -> DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html

Two things can be updated:
#1 The program version
This is regularly updated, usually when there is a real problem (SRU) or security issue.
You can see that in [1] and e.g. as this is for focal see how it changed over the years from 0.102.2+dfsg-2ubuntu1 to 0.103.9+dfsg-0ubuntu0.20.04.1.
This will continue to happen, but as I said not just for fun but on real issues (users appreciate stability as well).

#2 the definitions
This is exactly what freshclam does ...
$ systemctl status clamav-freshclam.service ...
Jan 02 12:01:24 f freshclam[3128]: Tue Jan 2 12:01:24 2024 -> daily database available for download (remote version: 27142)
Jan 02 12:01:33 f freshclam[3128]: Tue Jan 2 12:01:33 2024 -> Testing database: '/var/lib/clamav/tmp.4e9c5b0713/clamav-9207ebd076a9f486650f6f56e16e2946.tmp-daily.cvd' ...
Jan 02 12:01:39 f freshclam[3128]: Tue Jan 2 12:01:39 2024 -> Database test passed.
Jan 02 12:01:39 f freshclam[3128]: Tue Jan 2 12:01:39 2024 -> daily.cvd updated (version: 27142, sigs: 2050085, f-level: 90, builder: raynman)
Jan 02 12:01:39 f freshclam[3128]: Tue Jan 2 12:01:39 2024 -> main database available for download (remote version: 62)
Jan 02 12:02:03 f freshclam[3128]: Tue Jan 2 12:02:03 2024 -> Testing database: '/var/lib/clamav/tmp.4e9c5b0713/clamav-1136c9f80d7afd14a1faaf58bea4ac66.tmp-main.cvd' ...
Jan 02 12:02:10 f freshclam[3128]: Tue Jan 2 12:02:10 2024 -> Database test passed.
Jan 02 12:02:10 f freshclam[3128]: Tue Jan 2 12:02:10 2024 -> main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Jan 02 12:02:10 f freshclam[3128]: Tue Jan 2 12:02:10 2024 -> bytecode database available for download (remote version: 334)
Jan 02 12:02:10 f freshclam[3128]: Tue Jan 2 12:02:10 2024 -> Testing database: '/var/lib/clamav/tmp.4e9c5b0713/clamav-5166218e129a54860e985aa9ae7009e1.tmp-bytecode.cvd' ...
Jan 02 12:02:10 f freshclam[3128]: Tue Jan 2 12:02:10 2024 -> Database test passed.
Jan 02 12:02:10 f freshclam[3128]: Tue Jan 2 12:02:10 2024 -> bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)

And it does so regularly ~24 times a day in the default config.

After this update nothing complains anymore.
I can run e.g. clamscan without any notions of not being up to date.

root@f:~# clamscan /tmp/

----------- SCAN SUMMARY -----------
Known viruses: 8681833
Engine version: 0.103.9
Scanned directories: 1
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 18.811 sec (0 m 18 s)
Start Date: 2024:01:02 12:07:13
End Date: 2024:01:02 12:07:32

And as shown in the freshclam log it started with old content as expected and aut...

The remaining message one could discuss is

"^Your ClamAV installation is OUTDATED!"

Which will indeed be always shown except in phases were we released an update until there is yet another one upstream.

The following puts it a bit in context:
""DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html""

But I agree that it only explains the upstream part of it.

There might indeed be a benefit of confusing users less.
Not by removing the message, but by pointing to a better written version of my explanation above?

I thought this exists already and there I found an actual issue
Maybe add a section to to /usr/share/doc/clamav/README.Debian.gz and emit a log line after the pointer to https://docs.clamav.net/manual/Installing.html?

This discussion isn't new at all, the net is full of people asking "Oh I see Outdated" and others telling them "yeah, but it is not ..." - so considering an extra entry might be worth it?
As an example, e.g. in [1] users also asked to make it less panic'y

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986622#59

Subscribing security, given the huge amount of discussions on this I feel this has been decided (many times) already. Maybe you can find it in your logs so no one is trying something here that has been rejected for good reasons.

@Server-Triager: once this comes back with a security POV (or a link to why we do not change it) reconsider if this is something we want to change in Ubuntu (and Debian if they want).

We need to release 0.3.11 and 1.0.4 into the security pocket, like we've done before in similar situations. The upstream releases have been tagged as security updates, even though the issue is in the unrar code which we ship in a separate package called libclamunrar, we still need to update the clamav package to get rid of the warning.

If adjustments to the wording are needed to add context, here are a few places to do so:

./libfreshclam/libfreshclam_internal.c:2454: logg("^Your ClamAV installation is OUTDATED!\n");
./libfreshclam/libfreshclam_internal.c:2664: logg("^Your ClamAV installation is OUTDATED!\n");
./libfreshclam/libfreshclam.c:562: logg("^Your ClamAV installation is OUTDATED!\n");

And from the HTML faq included with the package:

<h2 id="your-clamav-installation-is-outdated"><a class="header" href="#your-clamav-installation-is-outdated">Your ClamAV installation is OUTDATED</a></h2>
<p>This message does NOT indicate that you are unable to download the latest CVD update! You'll get this message whenever a new version of ClamAV is released. In order to detect all the latest viruses, it's not enough to keep your database up to date. You also need to run the latest version of the scanner.</p>

I suppose it's the all-caps words that catch the eye. The code stanzas that include these logg() calls are testing the version string against what it can query from DNS Update Info. In general this feels redundant with the Ubuntu packaging system, that should already flag to the user if their packages are out of date, and therefore are providing misleading information which could lead them to update to non-Ubuntu versions. On the other hand, clamav specifically needs the version updates in order to validly consume the streamed data, so flagging the discrepancy is not necessarily wrong. So I'm not sure whether the warning should be disabled (e.g. via the 'vwarning' configuration toggle) or to leave it but perhaps refine the wording.

This bug was discussed at today's server team meeting. Having the package do its own version checking outside the packaging system's own checks seems redundant and confusing, although in this case apart from confusion it seems innocuous. It would be interesting to see how this is handled by other distributions, but it seems logical to disable the check for the official Ubuntu (and perhaps Debian) packages.

One thing that needs to be doublechecked before taking action on quelling this error message is if it serves a purpose in ensuring the external data is handled properly. Presumably the data format/schema is kept stable, but if the checks are catching invalid data then it may need more thought than just switching it off.

I believe the upstream servers block outdated versions from obtaining database updates after a grace period has passed. I don't think disabling the warning is a reasonable thing to do because of this.

This bug was fixed in the package clamav - 0.103.11+dfsg-0ubuntu0.22.04.1

---------------
clamav (0.103.11+dfsg-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * Updated to version 0.103.11 to fix db compatibility. (LP: #2046581)
    - debian/rules: bump CL_FLEVEL to 132.
    - debian/libclamav9.symbols: updated CLAMAV_PRIVATE symbols to new
      version.

 -- Marc Deslauriers <email address hidden> Thu, 04 Jan 2024 07:41:37 -0500

This bug was fixed in the package clamav - 0.103.11+dfsg-0ubuntu0.20.04.1

---------------
clamav (0.103.11+dfsg-0ubuntu0.20.04.1) focal-security; urgency=medium

  * Updated to version 0.103.11 to fix db compatibility. (LP: #2046581)
    - debian/rules: bump CL_FLEVEL to 132.
    - debian/libclamav9.symbols: updated CLAMAV_PRIVATE symbols to new
      version.

 -- Marc Deslauriers <email address hidden> Thu, 04 Jan 2024 07:41:37 -0500

This bug was fixed in the package clamav - 1.0.4+dfsg-0ubuntu0.23.10.1

---------------
clamav (1.0.4+dfsg-0ubuntu0.23.10.1) mantic-security; urgency=medium

  * Updated to version 1.0.4 to fix db compatibility. (LP: #2046581)
    - debian/rules: bump CL_FLEVEL to 164.
    - debian/libclamav11.symbols: updated CLAMAV_PRIVATE symbols to new
      version.
    - debian/series/cargo-Remove-windows-referenfes.patch: disabled as
      the mentioned files aren't being removed by the debian/get_orig.sh
      script, so I assume the Debian maintainer is using a different script
      to generate the dfsg tarball.
    - debian/series/Freshclam-remove-curl-result-warning.patch: removed,
      included in new version.
    - Updated patches for new version:
      + libclamav-Sort-libclamav.map-and-libfreshclam.map.patch
      + libclamav-Add-missing-symbols.patch

 -- Marc Deslauriers <email address hidden> Thu, 04 Jan 2024 11:04:58 -0500

This bug was fixed in the package clamav - 0.103.11+dfsg-0ubuntu0.23.04.1

---------------
clamav (0.103.11+dfsg-0ubuntu0.23.04.1) lunar-security; urgency=medium

  * Updated to version 0.103.11 to fix db compatibility. (LP: #2046581)
    - debian/rules: bump CL_FLEVEL to 132.
    - debian/libclamav9.symbols: updated CLAMAV_PRIVATE symbols to new
      version.

 -- Marc Deslauriers <email address hidden> Thu, 04 Jan 2024 07:41:37 -0500

This bug was fixed in the package libclamunrar - 0.103.11-0ubuntu0.23.04.1

---------------
libclamunrar (0.103.11-0ubuntu0.23.04.1) lunar-security; urgency=medium

  * Updated to version 0.103.11 to fix security issues. (LP: #2046581)
    - debian/patches/0001-Remove-libmspack.m4.patch: remove unneeded
      libmspack.m4 from build. (patch thanks to Sebastian Andrzej Siewior)
    - CVE-2022-30333
    - CVE-2023-40477

 -- Marc Deslauriers <email address hidden> Thu, 04 Jan 2024 09:03:04 -0500

This bug was fixed in the package libclamunrar - 0.103.11-0ubuntu0.20.04.1

---------------
libclamunrar (0.103.11-0ubuntu0.20.04.1) focal-security; urgency=medium

  * Updated to version 0.103.11 to fix security issues. (LP: #2046581)
    - debian/patches/0001-Remove-libmspack.m4.patch: remove unneeded
      libmspack.m4 from build. (patch thanks to Sebastian Andrzej Siewior)
    - CVE-2022-30333
    - CVE-2023-40477

 -- Marc Deslauriers <email address hidden> Thu, 04 Jan 2024 09:47:08 -0500

This bug was fixed in the package libclamunrar - 1.0.4-0ubuntu0.23.10.1

---------------
libclamunrar (1.0.4-0ubuntu0.23.10.1) mantic-security; urgency=medium

  * Updated to version 1.0.4 to fix security issues. (LP: #2046581)
    - debian/series/cargo-Remove-windows-referenfes.patch: disabled as
      the mentioned files aren't being removed by the debian/get_orig.sh
      script, so I assume the Debian maintainer is using a different script
      to generate the dfsg tarball.
    - debian/Add-a-version-script-for-libclamunrar-and-.patch: updated for
      new version.
    - debian/not-installed: don't install html docs.
    - CVE-2023-40477

 -- Marc Deslauriers <email address hidden> Thu, 04 Jan 2024 13:01:55 -0500

This bug was fixed in the package libclamunrar - 0.103.11-0ubuntu0.22.04.1

---------------
libclamunrar (0.103.11-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * Updated to version 0.103.11 to fix security issues. (LP: #2046581)
    - debian/patches/0001-Remove-libmspack.m4.patch: remove unneeded
      libmspack.m4 from build. (patch thanks to Sebastian Andrzej Siewior)
    - CVE-2022-30333
    - CVE-2023-40477

 -- Marc Deslauriers <email address hidden> Thu, 04 Jan 2024 09:45:07 -0500

This bug was fixed in the package libclamunrar - 1.0.4-0ubuntu1

---------------
libclamunrar (1.0.4-0ubuntu1) noble; urgency=medium

  * Updated to version 1.0.4 to fix security issues. (LP: #2046581)
    - debian/series/cargo-Remove-windows-referenfes.patch: disabled as
      the mentioned files aren't being removed by the debian/get_orig.sh
      script, so I assume the Debian maintainer is using a different script
      to generate the dfsg tarball.
    - debian/not-installed: don't install html docs.
    - CVE-2023-40477

 -- Marc Deslauriers <email address hidden> Thu, 04 Jan 2024 13:01:55 -0500

This bug was fixed in the package clamav - 1.0.4+dfsg-0ubuntu1

---------------
clamav (1.0.4+dfsg-0ubuntu1) noble; urgency=medium

  * Updated to version 1.0.4 to fix db compatibility. (LP: #2046581)
    - debian/rules: bump CL_FLEVEL to 164.
    - debian/libclamav11.symbols: updated CLAMAV_PRIVATE symbols to new
      version.
    - debian/series/cargo-Remove-windows-referenfes.patch: disabled as
      the mentioned files aren't being removed by the debian/get_orig.sh
      script, so I assume the Debian maintainer is using a different script
      to generate the dfsg tarball.
    - debian/series/Freshclam-remove-curl-result-warning.patch: removed,
      included in new version.
    - Updated patches for new version:
      + libclamav-Sort-libclamav.map-and-libfreshclam.map.patch
      + libclamav-Add-missing-symbols.patch

 -- Marc Deslauriers <email address hidden> Thu, 04 Jan 2024 11:04:58 -0500