[clamav-users] ClamAV(R) blog: ClamAV 0.102.0 Release Candidate is now available

Micah Snyder (micasnyd) micasnyd at cisco.com
Mon Oct 7 10:17:15 EDT 2019


Ged, all,

My apologies.  We should have done a second release candidate after the configure changes. 

Fortunately, and very intentionally, 0.102 doesn’t include any security related bug fixes in case there were users who wouldn't be able to update due to some unforeseen issue.  The next time we publish a patch release, we will also backport the security-related patches to 0.101 (i.e. simultaneously publish 0.101.5).  

I think it should be no surprise that distributions that wish to support new versions of some software, but not new versions of libraries, will have issues such as this.  I think static linking is the natural solution for this kind of policy mix.  Yes it's harder to maintain, because a vuln-fix in the statically linked library requires an update to the application.  I don't know of a better solution though.

-Micah


On 10/5/19, 12:11 PM, "clamav-users on behalf of G.W. Haywood via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:

    Hi there,
    
    On Sat, 5 Oct 2019, Dennis Peterson wrote:
    
    > This particular hard requirement (libcurl) affects the communication channel 
    > which is different than causing the code to fail to run at all. So the 
    > question is do the new libcurl requirements immediately break existing 
    > systems that are not yet updated with new libcurl functionality. ...
    
    Sorry, I thought I'd explained in an earlier post.  I'm using libcurl v7.38.
    So that I didn't need to update libcurl to v7.45 for clamonacc, I disabled it:
    
    8<----------------------------------------------------------------------
    $ curl -V
    curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL[...snip,snip...]
    8<----------------------------------------------------------------------
    $ head -7 ~/src/net/mail/clamav-devel-dev-0.102/config.log
    This file contains any messages produced by compilers while
    running configure, to aid debugging if configure makes a mistake.
    
    It was created by ClamAV configure 0.102.0-rc, which was
    generated by GNU Autoconf 2.69.  Invocation command line was
    
       $ ./configure --disable-clamonacc
    8<----------------------------------------------------------------------
    $ ps axufwww | grep freshclam | grep -v grep
    clamav   14105  0.5  0.0 193092 13080 ?        Ss   Oct04   7:24 \
    /usr/local/bin/freshclam -d --config-file=/etc/mail/clamav/freshclam.conf
    8<----------------------------------------------------------------------
    $ freshclam -V --config-file /etc/mail/freshclam.conf
    ClamAV 0.102.0-rc/25593/Sat Oct  5 09:30:21 2019
    8<----------------------------------------------------------------------
    $ ls -l /var/lib/clamav/daily.cld
    -rw-r--r-- 1 clamav clamav 147439104 Oct  5 10:44 /var/lib/clamav/daily.cld
    8<----------------------------------------------------------------------
    
    > It is kind of a big deal to update a widely used library and creates
    > knock-on problems from ripple effect for production systems subject
    > to strong configuration management policies.
    
    Not to mention publishing 0.102 with changes from 0.102rc which break it.
    
    -- 
    
    73,
    Ged.
    
    _______________________________________________
    
    clamav-users mailing list
    clamav-users at lists.clamav.net
    https://lists.clamav.net/mailman/listinfo/clamav-users
    
    
    Help us build a comprehensive ClamAV guide:
    https://github.com/vrtadmin/clamav-faq
    
    http://www.clamav.net/contact.html#ml
    



More information about the clamav-users mailing list