[clamav-users] Freshclam seems locked and can not be unlocked.

Scott Kitterman debian at kitterman.com
Sun Aug 4 19:50:07 EDT 2019



On August 4, 2019 11:32:09 PM UTC, "Micah Snyder (micasnyd) via clamav-users" <clamav-users at lists.clamav.net> wrote:
>Every product is different as to whether or not they provide security
>patches for older versions or how far back they patch.  
>
>For ClamAV, our development team is very small and we have a lot on our
>plates so we typically only provide security patches for the current
>feature release.
>
>Right now, our current feature release is 0.101, published Dec 2018. 
>0.101 introduced some library API changes that made it harder to adopt
>than usual. For this reason, we made the decision to backport the
>security fixes found in 0.101.2 and released these for 0.100 users in
>the 0.100.3 patch release.
>
>Next week, if all goes to plan, we will publish the 0.101.3 security
>patch and the 0.102-beta.  We have *no plans* to publish any more
>security patches for 0.100.  If you depend on your Linux distro to
>provide ClamAV, please help them create & test the 0.101.3 package so
>it gets into distribution faster.  Otherwise, we encourage you to build
>& install ClamAV from source.  
>
>In the future, we'd love to provide Linux users with the option to
>install ClamAV from Snapcraft, but unfortunately we still have some
>more release engineering improvements to do before that will be a
>reality.
>
>On the topic of "newer is always better": 
>
>The next feature release (0.102) will require libcurl version 7.45 or
>newer in order to compile/use the new on-access scanning client
>(`clamonacc`) because 7.45+ provides a required feature.  In testing
>we've found that in most cases only the latest Linux distro major
>versions provide a new enough libcurl version.  For context, the
>libcurl version we require was released on 7 Oct 2015, nearly 4 years
>ago and libcurl has seen some 50-odd CVE fixes since then*.  I'm under
>the impression that in most cases, package maintainers cherry-pick the
>security fixes to older versions for their distributions though I'm not
>tuned in enough to know if that's true for every Linux distribution or
>every package.  In any case, 4 years is a long time to go without an
>update in the software world - so we're not feeling too bad about this
>new requirement.  Users who build ClamAV from source on older Linux
>distributions may have to build libcurl from source first -- which is a
>relatively straightforward process. 
> 
>*Libcurl security fix reference:
>https://curl.haxx.se/docs/security.html.  

That's the practice in Debian (patches post-release) for almost all packages, clamav is an exception for us.

Both Debian's current stable release and the previous release have a new enough curl to support this.  There's one older release that does not.  As long as we can disable the feature along with the requirement for the newer curl, it should be fine for us.

Scott K


More information about the clamav-users mailing list