Solved: Why are there no updates for clam av 0.99.3?

New to Debian (Or Linux in general)? Ask your questions here!

Solved: Why are there no updates for clam av 0.99.3?

Postby hbauer » 2018-03-05 06:33

There are reports about several vulnerabilities in clamav. Versions 0.99.3 and 0.99.4 are ready.

I am looking for some explanations why Debian doesn't seem to care about this.

https://security-tracker.debian.org/tra ... age/clamav

Any ideas?
Last edited by hbauer on 2018-03-06 03:22, edited 1 time in total.
hbauer
 
Posts: 18
Joined: 2015-10-26 15:38

Re: Why are there no updates for clam av?

Postby bw123 » 2018-03-05 08:50

It was updated, but it looks like there was some confusion over version numbers. Also some people mistakenly believe clamav is updated through the security team, when it actually goes through release-updates for whatever reason.

What exactly is your problem?

https://bugs.debian.org/cgi-bin/bugrepo ... bug=888484
bw123
 
Posts: 3270
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Why are there no updates for clam av?

Postby hbauer » 2018-03-05 09:00

bw123 wrote:What exactly is your problem?


My problem is that I am not sure if I am running a piece of software that is vulnerable to DoS and RCE.

Normally Debian is very good and fast in providing patched versions if this type of error is present in a piece of software.

Maybe there is no vulnerability or the fix has been backported.
hbauer
 
Posts: 18
Joined: 2015-10-26 15:38

Re: Why are there no updates for clam av?

Postby bw123 » 2018-03-05 09:09

hbauer wrote:
bw123 wrote:What exactly is your problem?


My problem is that I am not sure if I am running a piece of software that is vulnerable to DoS and RCE.

Normally Debian is very good and fast in providing patched versions if this type of error is present in a piece of software.

Maybe there is no vulnerability or the fix has been backported.


Well, you can't just depend on version number, debian does not do things that way. Maybe try reading the bug report fully, it looks like if you use stretch-updates in sources.list then you will have the fixed ver, but double check and make sure. The explanation for why it isn't listed as fixed on security-tracker seems reasonable.

https://packages.debian.org/search?keywords=clamav
bw123
 
Posts: 3270
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Why are there no updates for clam av?

Postby hbauer » 2018-03-05 09:15

I am not looking at the version number. If you look here https://security-tracker.debian.org/tra ... age/clamav it explicitly says "vulnerable".
hbauer
 
Posts: 18
Joined: 2015-10-26 15:38

Re: Why are there no updates for clam av?

Postby bw123 » 2018-03-05 09:29

hbauer wrote:I am not looking at the version number. If you look here https://security-tracker.debian.org/tra ... age/clamav it explicitly says "vulnerable".


If you read the bug report as I suggested you will see the reason it says "vulnerable" might be because security team doesn't consider issues fixed until proposed-updates are rolled into a point release. I think you should do some research and read the bugreport, which shows a lot of work on this package from people you say, "don't care" about it.

Do the research. Read, learn, don't spread FUD, thanks.

If you find the two vulnerabilities are not fixed yet, then post back. I can't tell from a quick read; I don't use clamav so I don't really care to spend a lot of time on it.
bw123
 
Posts: 3270
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Why are there no updates for clam av?

Postby hbauer » 2018-03-05 10:19

hey, calm down. I have not made any statement but have just asked.

> I am looking for some explanations why Debian doesnt seem to care about this.

I am doing research. Normally asking questions in forums is part of research.

> I can't tell from a quick read, I don't use clamav so don;t really care to spend a lot of time on it..

If you can't tell something and you don't use it and you don't care, then why do you waste your and my time?
hbauer
 
Posts: 18
Joined: 2015-10-26 15:38

Re: Why are there no updates for clam av?

Postby n_hologram » 2018-03-05 16:58

Although I also don't use clamav, following bw123's bug tracker link, I ran across this post (#115). According to this user's output, there is a slightly higher version of clamav than the one in the CVE page. I'm trying to figure out if it means that you need jessie-updates/stretch-updates in order to use a clamav version that is higher than the one tested on the CVE page.
Code: Select all
# apt-cache policy clamav
clamav:
  Installed: 0.99.2+dfsg-0+deb8u2
  Candidate: 0.99.2+dfsg-0+deb8u2
  Version table:
     0.99.2+dfsg-0+deb8u3 0
        500 http://ftp2.de.debian.org/debian/ jessie-updates/main amd64 Packages
 *** 0.99.2+dfsg-0+deb8u2 0
        990 http://ftp2.de.debian.org/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status

If you replicated these steps, using whatever version of Debian you run (in place of "jessie"), I wonder if you would also find a higher clamav version there, too.

Posts #120 and #125 might be fruitful to read as well.

Tbh, I've always been a bit in the dark about how debian rolls out updates like these, so I'll check in to see the results later.
n_hologram
 
Posts: 433
Joined: 2013-06-16 00:10
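A script that turns the `apt-cache policy` check above into a repeatable test, added here as an example and not part of the thread or of Debian's tooling. It parses the policy output (the sample embedded below is a constructed copy of the output quoted in the post so the script runs offline), reports the newest version apt knows about and the suite that carries it, checks whether any `*-updates` suite is among the sources at all, and distinguishes "newer version is the candidate" from "newer version is listed but a higher pin priority keeps the candidate at the old version". In the quoted output the jessie source has priority 990 (typically the result of APT::Default-Release or an explicit pin) while jessie-updates has 500, so apt's candidate stays at the older build even though the fix is visible in the table. The function names and the status strings are this example's own; the parsing relies on apt printing the version table newest-first, which it does.

```shell
#!/bin/sh
# Added example (not from the thread): parse the output of `apt-cache policy PKG`
# and report whether a newer build is published in a suite such as jessie-updates
# or stretch-updates, and whether apt would actually install it.
#
# SAMPLE_POLICY is a constructed copy of the output quoted in the thread,
# embedded so the script runs offline. Function names are this example's own.

SAMPLE_POLICY='clamav:
  Installed: 0.99.2+dfsg-0+deb8u2
  Candidate: 0.99.2+dfsg-0+deb8u2
  Version table:
     0.99.2+dfsg-0+deb8u3 0
        500 http://ftp2.de.debian.org/debian/ jessie-updates/main amd64 Packages
 *** 0.99.2+dfsg-0+deb8u2 0
        990 http://ftp2.de.debian.org/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status'

# field_value POLICY KEY -> value of the "Installed:" or "Candidate:" line
field_value() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# version_table POLICY -> one line per archive source: "VERSION PRIORITY SUITE".
# apt prints the table newest version first. A version line is "VERSION PIN"
# (prefixed by "***" for the installed version); the indented lines under it
# are sources: "PRIORITY URL SUITE/COMPONENT ARCH Packages". The local dpkg
# status entry (a path instead of a URL) is skipped.
version_table() {
    printf '%s\n' "$1" | awk '
        /^ *Version table:/ { in_table = 1; next }
        !in_table { next }
        $1 == "***" { ver = $2; next }
        NF == 2 && $2 ~ /^[0-9]+$/ { ver = $1; next }
        NF >= 3 && $1 ~ /^[0-9]+$/ {
            split($3, parts, "/")
            print ver, $1, parts[1]
        }'
}

# newest_available POLICY -> "VERSION PRIORITY SUITE" of the newest known version
newest_available() {
    version_table "$1" | head -n 1
}

# updates_suite_seen POLICY -> succeeds if some source is a "*-updates" suite.
# If this fails, a fix published through stable-updates is invisible to apt
# until that suite is added to sources.list.
updates_suite_seen() {
    version_table "$1" | awk '$3 ~ /-updates$/ { found = 1 } END { exit !found }'
}

# update_status POLICY -> one of
#   up-to-date VERSION
#   update-available VERSION from SUITE       (apt will install it on upgrade)
#   update-pinned-away VERSION from SUITE ... (listed, but a higher pin priority
#                                              keeps the candidate at the old version)
update_status() {
    policy=$1
    installed=$(field_value "$policy" Installed)
    candidate=$(field_value "$policy" Candidate)
    set -- $(newest_available "$policy")
    newest=$1
    suite=$3
    if [ "$newest" = "$installed" ]; then
        echo "up-to-date $installed"
    elif [ "$newest" = "$candidate" ]; then
        echo "update-available $newest from $suite"
    else
        echo "update-pinned-away $newest from $suite (candidate stays $candidate)"
    fi
}

# Usage: sh check_updates.sh clamav   (queries the live apt cache);
# without an argument the embedded sample is analysed.
if [ -n "${1-}" ] && command -v apt-cache >/dev/null 2>&1; then
    update_status "$(apt-cache policy "$1")"
else
    update_status "$SAMPLE_POLICY"
fi
```

Run it with a package name on a real host to see the live result. If `updates_suite_seen` fails, the missing piece is a sources.list entry for the release's `-updates` suite (for example a `deb` line whose suite is `stretch-updates` alongside the existing `stretch` and `stretch/updates` entries); if the result is "update-pinned-away", the suite is present but a pin or APT::Default-Release setting outranks it and needs adjusting before `apt upgrade` will pick the fixed build.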

Re: Why are there no updates for clam av?

Postby hbauer » 2018-03-05 17:28

That hint probably helped me to get in the right direction.

Currently I believe
- clamav 0.99.3 is "hidden" in 0.99.2+dfsg-0+deb8u3
- you can get this version if you add the repository "jessie-updates" to your sources list. (I have never heard of this before. Something to research later)

After that you get
Code: Select all
Get:1 http://http.debian.net/debian/ jessie-updates/main clamdscan amd64 0.99.2+dfsg-0+deb8u3 [313 kB]
Get:2 http://http.debian.net/debian/ jessie-updates/main libclamav7 amd64 0.99.2+dfsg-0+deb8u3 [996 kB]
Get:3 http://http.debian.net/debian/ jessie-updates/main clamav-daemon amd64 0.99.2+dfsg-0+deb8u3 [457 kB]
Get:4 http://http.debian.net/debian/ jessie-updates/main clamav-base all 0.99.2+dfsg-0+deb8u3 [294 kB]
Get:5 http://http.debian.net/debian/ jessie-updates/main clamav-freshclam amd64 0.99.2+dfsg-0+deb8u3 [365 kB]
Get:6 http://http.debian.net/debian/ jessie-updates/main clamav amd64 0.99.2+dfsg-0+deb8u3 [351 kB]


and then freshclam tells you

ClamAV update process started at Mon Mar 5 19:11:33 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99.3 Recommended version: 0.99.4


Update: here is a link for "stable-updates" https://wiki.debian.org/StableUpdates
hbauer
 
Posts: 18
Joined: 2015-10-26 15:38

Re: Why are there no updates for clam av?

Postby n_hologram » 2018-03-05 19:03

hbauer wrote:Currently I believe
- clamav 0.99.3 is "hidden" in 0.99.2+dfsg-0+deb8u3
- you can get this version if you add the repository "jessie-updates" to your sources list. (I have never heard of this before. Something to research later)

Sounds like some thanks were in order for bw123, since he already implied this:
bw123 wrote:Well, you can't just depend on version number, debian does not do things that way. Maybe try reading the bug report fully, it looks like if you use stretch-updates in sources.list then you will have the fixed ver, but double check and make sure.

A lot of users will use "stretch" because it is the current stable release, and since jessie is oldstable, now you know a best practice for diagnosing issues like these. Also, a quick skim of the bugtracker (the snippet of apt-cache I posted) would have verified the trivial change to "jessie".

Other highlights...
CVE Tracker Information:
#115 wrote:nor does debian security tracker list the updates as available for jessie/stretch

Version nomenclature:
#125 wrote:By design, the security tracker doesn't consider things 'fixed' in stable via updates until after it's included in a Debian point release. I agree it's not totally clear, but the way it's working is what the security team intends.

"I am looking for some explanations why Debian doesnt seem to care about this." Fortunately, Debian does care -- the truth was hidden in plain sight.
#130 wrote:We believe that keeping clamav up to date so that, as a package that provides a security service, it is always kept as capable as possible is of overriding importance for clamav.

I would be prudent before assuming that Debian neglects security.
n_hologram
 
Posts: 433
Joined: 2013-06-16 00:10

Re: Why are there no updates for clam av?

Postby hbauer » 2018-03-06 03:19

I would have never thought that a security fix for a component in Debian that is in the stable repository of a release would not end up in that repository. The fact that I have to include a "-updates" repo to get a security fix distresses me a little bit.

Even if I had read the description of stable-updates

This path will be used for updates which many users may wish to install on their systems before the next point release is made, such as updates to virus scanners and timezone data. All packages from stable-updates will be included in point releases.


I would not have assumed that this also includes security updates, since I thought that

You can use apt to easily get the latest security updates. This requires a line such as
deb http://security.debian.org/debian-security stretch/updates ...


would include ALL security updates.

I have the strong feeling that I am not the only one with this misconception.

Thank you both for your help that led to my learnings.
hbauer
 
Posts: 18
Joined: 2015-10-26 15:38
