Re: ClamAV security update
- In reply to: Roger Marquis : "Re: ClamAV security update"
Date: Fri, 20 May 2022 12:53:50 UTC
On Fri, 20 May 2022 14:50, Roger Marquis <marquis@roble.com> wrote:

> Thank you Florian! If there are any policy changes that can be made to
> prevent this sort of issue (critical vulnerabilities not getting patches
> or not showing up in vuln.xml for days or weeks after a CVE and/or
> update) please do recommend them to, well, who does set ports/security
> management policies?
>

It helps if the PR contains the "security" keyword and sets "affects many people". That way it is easier for committers to notice which PRs might be critical.

> Roger Marquis
>
> > On 19.05.22 09:30, Andrea Venturoli wrote:
> >>
> >> Hello.
> >>
> >> I see Clamav 0.105.0, 0.104.3 and 0.103.6 were released on May 5th, the
> >> latter two closing "several CVE fixes".
> >>
> >> However, the port was not updated and not even portaudit entries were
> >> added.
> >>
> >> Was this overlooked?
> >> Are the FreeBSD ports somehow not affected?
> >>
> >
> > I created a patch and PR a week ago. I was waiting for the maintainer
> > timeout. After discussing with bapt I went ahead and committed the update
> > without approval of the maintainer.
> >
> > IMHO, security fixes should be specifically mentioned in the blanket section.
> >
> > Florian