[clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

Micah Snyder (micasnyd) micasnyd at cisco.com
Sat Jan 27 16:26:12 UTC 2018


Scott K,

I 100% agree.  ClamAV hasn’t been following dev, testing, or security-release best practices in a number of ways and as you just pointed out - it shows.

The team and I are making a real effort to get things like this up to snuff.  Fixing this exact process is my top priority right now.

For the past couple of weeks, we’ve been talking about the best way to modify how we work with our public and private Git repositories, and for the past few months we’ve been working on strategies to improve our testing and release processes as a whole.  For those who work with the ClamAV code, I’m going to post an announcement in a couple days to the clamav-devel mailing list describing our new Git work-flow.

I appreciate feedback on issues such as this, and welcome any help brainstorming other ways in which we can improve the project.


Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.



On Jan 26, 2018, at 5:34 PM, Scott Kitterman <debian at kitterman.com> wrote:

Historically, fixes for such issues would not have been part of a pre-release.  They would have been added to the public VCS on release day.

You may not have been able to announce the CVEs for some reason, but I don't think silently disclosing the fixes was the best thing to have done.

Scott K

On January 26, 2018 9:55:49 PM UTC, "Joel Esler (jesler)" <jesler at cisco.com> wrote:
There are outside issues that prevented us from announcing the CVEs at
that time.  It's not because we were trying to hide something.


--
Joel Esler | Talos: Manager | jesler at cisco.com






On Jan 26, 2018, at 2:39 PM, Andreas Schulze
<andreas.schulze at datev.de> wrote:

On 26.01.2018 at 16:06, Tobi wrote:
As far as I understand the release notes of 99.3, it's a security fix
which has nothing to do with the former 99.3 beta.
The former beta now is 0.100
(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
So at least for me it makes sense that you have to remove the beta
first to apply the fixed 99.3 version
I compared 0.99.2 and 0.99.3 and found most of the diffs to be present in
0.99.3beta2

Now, as the links to bugzilla.clamav.net
are public, we see the issues were known to the developers since
October/November 2017!
They published these changes silently as part of "beta2". They discussed
CVEs at this time!
This is *not* amazing.

Andreas


_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
