Sync clamav 0.103.2+dfsg-1 (main) from Debian unstable (main)

Bug #1923831 reported by Utkarsh Gupta
Affects          Status        Importance  Assigned to    Milestone
clamav (Ubuntu)  Fix Released  Critical    Utkarsh Gupta

Bug Description

Please sync clamav 0.103.2+dfsg-1 (main) from Debian unstable (main).
The update fixes 3 new vulnerabilities and some other misc fixes.
IOW: it's probably important to update the package and hence the sync request

Changelog entries since current hirsute version 0.103.0+dfsg-3.1:

clamav (0.103.2+dfsg-1) unstable; urgency=medium

  * Import 0.103.2
    - CVE-2021-1252 (Fix for Excel XLM parser infinite loop.)
    - CVE-2021-1404 (Fix for PDF parser buffer over-read; possible crash.)
    - CVE-2021-1405 (Fix for mail parser NULL-dereference crash.)
    - Update symbol file.
   (Closes: #986622).

 -- Sebastian Andrzej Siewior <email address hidden> Mon, 12 Apr 2021 21:31:08 +0200

Utkarsh Gupta (utkarsh) wrote :
Changed in clamav (Ubuntu):
importance: Undecided → Wishlist
importance: Wishlist → Critical
Christian Ehrhardt (paelzer) wrote :

I agree that the CVEs will be needed.

But 103.2 also includes the next step in disabling safe browsing
=> https://blog.clamav.net/2020/06/the-future-of-clamav-safebrowsing.html
That might be ok as upstream can't provide the data anyway, but still worth thinking about.

Also a bunch of other changes, but all fixes.

But we shouldn't miss that this also includes all of
https://blog.clamav.net/search/label/0.103.1

That added a few features (none dropped gladly), and much more fixes.

Now on a normal package I'd say "that seems too much for a late sync".
But we have to take into account that clamav isn't normal.
Security regularly does full version syncs/backports to the former Ubuntu versions.

So if it is ok to push all these post-release, then I see no blocker in fetching all these good changes now - even if it is late. If it fails to complete/build/migrate it will still be pushed to all supported releases a bit later.

I hope you all can follow my argumentation ... syncing it now.

Christian Ehrhardt (paelzer) wrote :

Source clamav -> hirsute/Proposed: current version 0.103.0+dfsg-3.1, new version 0.103.2+dfsg-1
New changes:
clamav (0.103.2+dfsg-1) unstable; urgency=medium

  * Import 0.103.2
    - CVE-2021-1252 (Fix for Excel XLM parser infinite loop.)
    - CVE-2021-1404 (Fix for PDF parser buffer over-read; possible crash.)
    - CVE-2021-1405 (Fix for mail parser NULL-dereference crash.)
    - Update symbol file.
   (Closes: #986622).

 -- Sebastian Andrzej Siewior <email address hidden> Mon, 12 Apr 2021 21:31:08 +0200
Sync this package [y|N]? y

@utkarsh if you could watch and if needed help package build&migration please?

Changed in clamav (Ubuntu):
status: New → Fix Committed
Utkarsh Gupta (utkarsh) wrote :

Hi Christian,

Thanks for syncing.

> @utkarsh if you could watch and if needed help package
> build&migration please?

Absolutely; shall do.

Changed in clamav (Ubuntu):
assignee: nobody → Utkarsh Gupta (utkarsh)
Utkarsh Gupta (utkarsh) wrote :
Changed in clamav (Ubuntu):
status: Fix Committed → Fix Released