[clamav-users] Freshclam seems locked and can not be unlocked.

Paul Kosinski clamav-users at iment.com
Sun Aug 4 23:54:04 EDT 2019


What I have sometimes done, if faced with the need for a newer version
of some libxyz.so, is to copy the newer version from a compatible newer
system to the older system and then update the symlink. For example, if
I have:

  libxyz.so.3
  libxyz.so -> libxyx.so.3

but need libxyz.so.5, I copy in libxyz.so.5 and re-symlink, giving:

  libxyz.so.3
  libxyz.so.5
  libxyx.so -> libxyz.so.5

Since it's rare that the new version *removes* a function, this usually
works. And if it doesn't, I just restore the symlink, since I still have
the previous version. 

This is *very* risky with basic things like libc.so however, as you can
end up unable to execute any commands whatsoever.


On Sun, 04 Aug 2019 23:50:07 +0000
Scott Kitterman via clamav-users <clamav-users at lists.clamav.net> wrote:

> 
> 
> On August 4, 2019 11:32:09 PM UTC, "Micah Snyder (micasnyd) via
> clamav-users" <clamav-users at lists.clamav.net> wrote:
> >Every product is different as to whether or not they provide security
> >patches for older versions or how far back they patch.  
> >
> >For ClamAV, our development team is very small and we have a lot on
> >our plates so we typically only provide security patches for the
> >current feature release.
> >
> >Right now, our current feature release is 0.101, published Dec 2018. 
> >0.101 introduced some library API changes that made it harder to
> >adopt than usual. For this reason, we made the decision to backport
> >the security fixes found in 0.101.2 and released these for 0.100
> >users in the 0.100.3 patch release.
> >
> >Next week, if all goes to plan, we will publish the 0.101.3 security
> >patch and the 0.102-beta.  We have *no plans* to publish any more
> >security patches for 0.100.  If you depend on your Linux distro to
> >provide ClamAV, please help them create & test the 0.101.3 package so
> >it gets into distribution faster.  Otherwise, we encourage you to
> >build & install ClamAV from source.  
> >
> >In the future, we'd love to provide Linux users with the option to
> >install ClamAV from Snapcraft, but unfortunately we still have some
> >more release engineering improvements to do before that will be a
> >reality.
> >
> >On the topic of "newer is always better": 
> >
> >The next feature release (0.102) will require libcurl version 7.45 or
> >newer in order to compile/use the new on-access scanning client
> >(`clamonacc`) because 7.45+ provides a required feature.  In testing
> >we've found that in most cases only the latest Linux distro major
> >versions provide a new enough libcurl version.  For context, the
> >libcurl version we require was released on 7 Oct 2015, nearly 4 years
> >ago and libcurl has seen some 50-odd CVE fixes since then*.  I'm
> >under the impression that in most cases, package maintainers
> >cherry-pick the security fixes to older versions for their
> >distributions though I'm not tuned in enough to know if that's true
> >for every Linux distribution or every package.  In any case, 4 years
> >is a long time to go without an update in the software world - so
> >we're not feeling too bad about this new requirement.  Users who
> >build ClamAV from source on older Linux distributions may have to
> >build libcurl from source first -- which is a relatively
> >straightforward process. 
> > 
> >*Libcurl security fix reference:
> >https://curl.haxx.se/docs/security.html.  
> 
> That's the practice in Debian (patches post-release) for almost all
> packages, clamav is an exception for us.
> 
> Both Debian's current stable release and the previous release have a
> new enough curl to support this.  There's one older release that does
> not.  As long as we can disable the feature along with the
> requirement for the newer curl, it should be fine for us.
> 
> Scott K


More information about the clamav-users mailing list