[clamav-users] Freshclam seems locked and can not be unlocked.

Micah Snyder (micasnyd) micasnyd at cisco.com
Sun Aug 4 19:32:09 EDT 2019


Every product is different as to whether or not they provide security patches for older versions or how far back they patch.  

For ClamAV, our development team is very small and we have a lot on our plates so we typically only provide security patches for the current feature release.

Right now, our current feature release is 0.101, published Dec 2018.  0.101 introduced some library API changes that made it harder to adopt than usual. For this reason, we made the decision to backport the security fixes found in 0.101.2 and released these for 0.100 users in the 0.100.3 patch release.

Next week, if all goes to plan, we will publish the 0.101.3 security patch and the 0.102-beta.  We have *no plans* to publish any more security patches for 0.100.  If you depend on your Linux distro to provide ClamAV, please help them create & test the 0.101.3 package so it gets into distribution faster.  Otherwise, we encourage you to build & install ClamAV from source.  

In the future, we'd love to provide Linux users with the option to install ClamAV from Snapcraft, but unfortunately we still have some more release engineering improvements to do before that will be a reality.

On the topic of "newer is always better": 

The next feature release (0.102) will require libcurl version 7.45 or newer in order to compile/use the new on-access scanning client (`clamonacc`) because 7.45+ provides a required feature.  In testing we've found that in most cases only the latest Linux distro major versions provide a new enough libcurl version.  For context, the libcurl version we require was released on 7 Oct 2015, nearly 4 years ago and libcurl has seen some 50-odd CVE fixes since then*.  I'm under the impression that in most cases, package maintainers cherry-pick the security fixes to older versions for their distributions though I'm not tuned in enough to know if that's true for every Linux distribution or every package.  In any case, 4 years is a long time to go without an update in the software world - so we're not feeling too bad about this new requirement.  Users who build ClamAV from source on older Linux distributions may have to build libcurl from source first -- which is a relatively straightforward process. 
 
*Libcurl security fix reference: https://curl.haxx.se/docs/security.html.  

-Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
 


On 8/4/19, 3:13 PM, "clamav-users on behalf of Joel Esler (jesler) via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:

    That’s a pretty broad statement.  As a security minded person, I’d think you’d want software that was the most patched against any possible vulnerabilities.  
    
    Sent from my  iPhone
    
    > On Aug 4, 2019, at 10:15, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
    > 
    > There is no point of havine newest version of any software available.
    



More information about the clamav-users mailing list