Re: clamav triage (updated via -updates)

To: Hugo Lefeuvre <hle@debian.org>
Cc: team@security.debian.org, debian-lts@lists.debian.org
Subject: Re: clamav triage (updated via -updates)
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Sat, 10 Aug 2019 11:27:22 +0200
Message-id: <[🔎] 20190810092722.i2hkmmrhj6cezb65@inutil.org>
In-reply-to: <[🔎] 20190810080338.GC9353@behemoth.owl.eu.com.local>
References: <[🔎] 20190810080338.GC9353@behemoth.owl.eu.com.local>

On Sat, Aug 10, 2019 at 10:03:38AM +0200, Hugo Lefeuvre wrote:
> Hi,
> 
> I am taking a look at clamav's zip bomb issue[0] in jessie. This issue is
> no-dsa in buster/stretch: "ClamAV is updated via -updates".
> 
> What is this -updates mechanism? I might have missed something, does clamav
> have an auto-update mechanism?

It's what used to be volatile some years ago. ClamAV is only getting updated
via -updates as it can't reasonably be part of a regular stable release; new
malware signatures provided via FreshClam sometimes require new engine features
so it needs to be kept up with current upstream. It's still present on the
install media, but the idea is that by means of -updates it's ensured that
always the latest version is present without waiting for the next point release.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: clamav triage (updated via -updates)
  - From: Hugo Lefeuvre <hle@debian.org>

References:
- clamav triage (updated via -updates)
  - From: Hugo Lefeuvre <hle@debian.org>

Prev by Date: Re: clamav triage (updated via -updates)
Next by Date: Re: clamav triage (updated via -updates)
Previous by thread: Re: clamav triage (updated via -updates)
Next by thread: Re: clamav triage (updated via -updates)
Index(es):
- Date
- Thread