[Bug 1923831] Re: Sync clamav 0.103.2+dfsg-1 (main) from Debian unstable (main)

Christian Ehrhardt  1923831 at bugs.launchpad.net
Wed Apr 14 11:58:52 UTC 2021

I agree that the CVEs will be needed.

But 103.2 also includes the next step in disabling safe browsing
=> https://blog.clamav.net/2020/06/the-future-of-clamav-safebrowsing.html
That might be ok as upstream can't provide the data anyway, but still worth to think.

Also a bunch of other changes, but all fixes.

But we shouldn't miss that this also includes all of

That added a few features (none dropped gladly), and much more fixes.

Now on a normal package I'd say "that seems too much for a late sync".
But we have to take into account that clamav isn't normal.
Security does regularly full version sync/backports to the former Ubuntu versions.

So if it is ok to push all these post-release, then I see no blocker in
fetching all these good changes now - even if it is late. If it fails to
complete/build/migrate it will still be pushed to all supported releases
a bit later.

I hope you all can follow my agrumentation ... syncing it now.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-1252

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-1404

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-1405

You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.

  Sync clamav 0.103.2+dfsg-1 (main) from Debian unstable (main)

Status in clamav package in Ubuntu:
  Fix Committed

Bug description:
  Please sync clamav 0.103.2+dfsg-1 (main) from Debian unstable (main).
  The update fixes 3 new vulnerabilities and some other misc fixes.
  IOW: it's probably important to update the package and hence the sync request

  Changelog entries since current hirsute version 0.103.0+dfsg-3.1:

  clamav (0.103.2+dfsg-1) unstable; urgency=medium

    * Import 0.103.2
      - CVE-2021-1252 (Fix for Excel XLM parser infinite loop.)
      - CVE-2021-1404 (Fix for PDF parser buffer over-read; possible crash.)
      - CVE-2021-1405 (Fix for mail parser NULL-dereference crash.)
      - Update symbol file.
     (Closes: #986622).

   -- Sebastian Andrzej Siewior <sebastian at breakpoint.cc>  Mon, 12 Apr
  2021 21:31:08 +0200

To manage notifications about this bug go to:

More information about the Ubuntu-sponsors mailing list