Solved: Why are there no updates for clam av 0.99.3?
There are reports about several vulnerabilities in clamav. Versions 0.99.3 and 0.99.4 are ready.
I am looking for some explanations why Debian doesn't seem to care about this.
https://security-tracker.debian.org/tra ... age/clamav
Any ideas?
Last edited by hbauer on 2018-03-06 03:22, edited 1 time in total.
Re: Why are there no updates for clam av?
It was updated, but it looks like there was some confusion over version numbers. Also, some people mistakenly believe clamav is updated through the security team, when it actually goes through release-updates for whatever reason.
What exactly is your problem?
https://bugs.debian.org/cgi-bin/bugrepo ... bug=888484
Re: Why are there no updates for clam av?
> bw123 wrote: What exactly is your problem?
My problem is that I am not sure if I am running a piece of software that is vulnerable to DOS and RCE.
Normally Debian is very good and fast in providing patched versions if this type of error is present in a piece of software.
Maybe there is no vulnerability, or the fix has been backported.
Re: Why are there no updates for clam av?
> hbauer wrote:
> > bw123 wrote: What exactly is your problem?
> My problem is that I am not sure if I am running a piece of software that is vulnerable to DOS and RCE.
> Normally Debian is very good and fast in providing patched versions if this type of error is present in a piece of software.
> Maybe there is no vulnerability, or the fix has been backported.
Well, you can't just depend on version number, debian does not do things that way. Maybe try reading the bug report fully; it looks like if you use stretch-updates in sources.list then you will have the fixed version, but double check and make sure. The explanation for why it isn't listed as fixed on security-tracker seems reasonable.
https://packages.debian.org/search?keywords=clamav
Re: Why are there no updates for clam av?
I am not looking at the version number. If you look here https://security-tracker.debian.org/tra ... age/clamav it explicitly says "vulnerable".
Re: Why are there no updates for clam av?
> hbauer wrote: I am not looking at the version number. If you look here https://security-tracker.debian.org/tra ... age/clamav it explicitly says "vulnerable".
If you read the bug report as I suggested you will see the reason it says "vulnerable" might be because the security team doesn't consider issues fixed until proposed-updates are rolled into a point release. I think you should do some research and read the bug report, which shows a lot of work on this package from people you say "don't care" about it.
Do the research. Read, learn, don't spread FUD, thanks.
If you find the two vulnerabilities are not fixed yet, then post back. I can't tell from a quick read; I don't use clamav so I don't really care to spend a lot of time on it.
Re: Why are there no updates for clam av?
Hey, calm down. I have not made any statement but have just asked.
> I am looking for some explanations why Debian doesn't seem to care about this.
I am doing research. Normally asking questions in forums is part of research.
> I can't tell from a quick read, I don't use clamav so don't really care to spend a lot of time on it.
If you can't tell something and you don't use it and you don't care, then why do you waste your and my time?
Re: Why are there no updates for clam av?
Although I also don't use clamav, following bw123's bug tracker link, I ran across this post (#115). According to this user's output, there is a slightly higher version of clamav than the one in the CVE page. I'm trying to figure out if it means that you need jessie-updates/stretch-updates in order to use a clamav version that is higher than the one tested on the CVE page.
Posts #120 and #125 might be fruitful to read as well.
Tbh, I've always been a bit in the dark about how debian rolls out updates like these, so I'll check in to see the results later.
If you replicated these steps, using whatever version of Debian you run (in place of "jessie"), I wonder if you would also find a higher clamav version there, too.
# apt-cache policy clamav
clamav:
  Installed: 0.99.2+dfsg-0+deb8u2
  Candidate: 0.99.2+dfsg-0+deb8u2
  Version table:
     0.99.2+dfsg-0+deb8u3 0
        500 http://ftp2.de.debian.org/debian/ jessie-updates/main amd64 Packages
 *** 0.99.2+dfsg-0+deb8u2 0
        990 http://ftp2.de.debian.org/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
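An added example, not code from the thread: a small Python script that parses the `apt-cache policy` output quoted above (embedded here as constructed sample input, with the indentation apt prints) and reports which suite carries a build newer than the installed one. Versions are compared the way dpkg does (epoch, then upstream version, then Debian revision; digit runs compared numerically, `~` sorting before everything else). The same comparison also shows what bw123 warned about: by dpkg's ordering 0.99.2+dfsg-0+deb8u3 is older than 0.99.3, even though, as the thread finds, that build ships 0.99.3. The function names are mine.

```python
"""Parse `apt-cache policy <pkg>` output and flag newer builds in any suite.

Added example, not code from the forum thread. The sample output below is
constructed from the jessie snippet posted in the thread; the version
comparison follows Debian Policy 5.6.12 (deb-version(7)).
"""
import re

# Constructed sample: apt-cache policy output as posted in the thread.
SAMPLE_POLICY = """\
clamav:
  Installed: 0.99.2+dfsg-0+deb8u2
  Candidate: 0.99.2+dfsg-0+deb8u2
  Version table:
     0.99.2+dfsg-0+deb8u3 0
        500 http://ftp2.de.debian.org/debian/ jessie-updates/main amd64 Packages
 *** 0.99.2+dfsg-0+deb8u2 0
        990 http://ftp2.de.debian.org/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
"""


def _order(c):
    """dpkg ordering for one non-digit character: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _take(s, want_digits):
    """Split s into its leading run of digits (or non-digits) and the rest."""
    i = 0
    while i < len(s) and s[i].isdigit() == want_digits:
        i += 1
    return s[:i], s[i:]


def _cmp_fragment(a, b):
    """Compare two version fragments by alternating non-digit and digit runs."""
    while a or b:
        sa, a = _take(a, False)
        sb, b = _take(b, False)
        for i in range(max(len(sa), len(sb))):
            oa = _order(sa[i] if i < len(sa) else "")
            ob = _order(sb[i] if i < len(sb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        na, a = _take(a, True)
        nb, b = _take(b, True)
        ia, ib = int(na or "0"), int(nb or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def split_version(v):
    """Split a Debian version into (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:  # no hyphen: everything is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt/eq/gt."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def parse_policy(text):
    """Return (installed, candidate, [(version, [suite, ...]), ...])."""
    installed = candidate = None
    table = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Installed:"):
            installed = s.split(":", 1)[1].strip()
        elif s.startswith("Candidate:"):
            candidate = s.split(":", 1)[1].strip()
        elif re.fullmatch(r"(\*\*\* )?\S+ \d+", s):  # "[*** ]<version> <pin>"
            table.append((s.replace("*** ", "").split()[0], []))
        elif re.fullmatch(r"\d+ \S+ \S+( .*)?", s) and table:  # "<prio> <uri> <suite>/<component> ..."
            table[-1][1].append(s.split()[2].split("/")[0])
    return installed, candidate, table


def newer_in_updates(text):
    """Table entries newer than the installed version, with the suites offering them."""
    installed, _, table = parse_policy(text)
    return [(v, suites) for v, suites in table
            if installed and compare_versions(v, installed) > 0]


if __name__ == "__main__":
    inst, cand, _ = parse_policy(SAMPLE_POLICY)
    print(f"installed {inst}, candidate {cand}")
    for ver, suites in newer_in_updates(SAMPLE_POLICY):
        print(f"newer build {ver} available from {', '.join(suites)}")
```

Run against real output by piping `apt-cache policy clamav` into `parse_policy`; a non-empty result from `newer_in_updates` with a candidate equal to the installed version is exactly the situation in the thread, where the newer build sits in a suite (jessie-updates) that is not in sources.list.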
Re: Why are there no updates for clam av?
That hint probably helped me to get into the right directions.
Currently I believe
- clamav 0.99.3 is "hidden" in 0.99.2+dfsg-0+deb8u3
- you can get this version if you add the repository "jessie-updates" to your sources list. (I have never heard of this before. Something to research later)
After that you get
Holen: 1 http://http.debian.net/debian/ jessie-updates/main clamdscan amd64 0.99.2+dfsg-0+deb8u3 [313 kB]
Holen: 2 http://http.debian.net/debian/ jessie-updates/main libclamav7 amd64 0.99.2+dfsg-0+deb8u3 [996 kB]
Holen: 3 http://http.debian.net/debian/ jessie-updates/main clamav-daemon amd64 0.99.2+dfsg-0+deb8u3 [457 kB]
Holen: 4 http://http.debian.net/debian/ jessie-updates/main clamav-base all 0.99.2+dfsg-0+deb8u3 [294 kB]
Holen: 5 http://http.debian.net/debian/ jessie-updates/main clamav-freshclam amd64 0.99.2+dfsg-0+deb8u3 [365 kB]
Holen: 6 http://http.debian.net/debian/ jessie-updates/main clamav amd64 0.99.2+dfsg-0+deb8u3 [351 kB]
and then freshclam tells you
ClamAV update process started at Mon Mar 5 19:11:33 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99.3 Recommended version: 0.99.4
Update: here is a link for "stable-updates" https://wiki.debian.org/StableUpdates
Re: Why are there no updates for clam av?
Sounds like some thanks were in order for bw123, since he already implied this:
> hbauer wrote: Currently I believe
> - clamav 0.99.3 is "hidden" in 0.99.2+dfsg-0+deb8u3
> - you can get this version if you add the repository "jessie-updates" to your sources list. (I have never heard of this before. Something to research later)
A lot of users will use "stretch" because it is the current stable release, and since jessie is oldstable, now you know a best practice for diagnosing issues like these. Also, a quick skim of the bugtracker (the snippet of apt-cache I posted) would have verified the trivial change to "jessie".
> bw123 wrote: Well, you can't just depend on version number, debian does not do things that way. Maybe try reading the bug report fully, it looks like if you use stretch-updates in sources.list then you will have the fixed ver, but double check and make sure.
Other highlights...
CVE Tracker Information:
Version nomenclature:
> #115 wrote: nor does debian security tracker list the updates as available for jessie/stretch
"I am looking for some explanations why Debian doesn't seem to care about this." Fortunately, Debian does care -- the truth was hidden in plain sight.
> #125 wrote: By design, the security tracker doesn't consider things 'fixed' in stable via updates until after it's included in a Debian point release. I agree it's not totally clear, but the way it's working is what the security team intends.
I would be prudent before assuming that Debian neglects security.
> #130 wrote: We believe that keeping clamav up to date so that, as a package that provides a security service, it is always kept as capable as possible is of overriding importance for clamav.
Re: Why are there no updates for clam av?
I would never have thought that a security fix for a component in Debian that is in the stable repository of a release would not end up in that repository. The fact that I have to include a "-updates" repo to get a security fix distresses me a little bit.
Even if I had read the description of stable-updates
> This path will be used for updates which many users may wish to install on their systems before the next point release is made, such as updates to virus scanners and timezone data. All packages from stable-updates will be included in point releases.
I would not have assumed that this also includes security updates, since I thought that
> You can use apt to easily get the latest security updates. This requires a line such as
> deb http://security.debian.org/debian-security stretch/updates ...
would include ALL security updates.
I have the strong feeling that I am not the only one with this misconception.
Thank you both for your help that led to my learnings.