Date: Fri, 20 May 2022 14:53:50 +0200
From: Fernando Apesteguía <fernando.apesteguia@gmail.com>
To: Roger Marquis <marquis@roble.com>
Cc: Florian Smeets <flo@smeets.xyz>, Andrea Venturoli <ml@netfence.it>, Yasuhiro Kimura <yasu@freebsd.org>, ports FreeBSD <ports@freebsd.org>
Subject: Re: ClamAV security update
Message-ID: <CAGwOe2YbxhPMm8t-acxZRyyBMFGx59Z=mjTYz79LcEVWBNHTYg@mail.gmail.com>
In-Reply-To: <q8s211p9-61o0-9o62-738p-3460sp22970@mx.roble.com>
References: <9fafaa47-0695-389f-11a9-940ab26364fc@netfence.it> <f1a5a3f1-3c48-584a-86e3-deddef2e4ce6@smeets.xyz> <q8s211p9-61o0-9o62-738p-3460sp22970@mx.roble.com>
On Fri, 20 May 2022 14:50, Roger Marquis <marquis@roble.com> wrote:

> Thank you Florian! If there are any policy changes that can be made to
> prevent this sort of issue (critical vulnerabilities not getting patches
> or not showing up in vuln.xml for days or weeks after a CVE and/or
> update) please do recommend them to, well, who does set ports/security
> management policies?
>

It helps if the PR contains the "security" keyword and sets "affects many people". That way it is easier for committers to notice which PRs might be critical.

> Roger Marquis
>
>
> > On 19.05.22 09:30, Andrea Venturoli wrote:
> >>
> >> Hello.
> >>
> >> I see Clamav 0.105.0, 0.104.3 and 0.103.6 were released on May 5th, the
> >> latter two closing "several CVE fixes".
> >>
> >> However, the port was not updated and not even portaudit entries were
> >> added.
> >>
> >> Was this overlooked?
> >> Are the FreeBSD ports somehow not affected?
> >>
> >
> > I created a patch and PR a week ago. I was waiting for the maintainer
> > timeout. After discussing with bapt I went ahead and committed the update
> > without approval of the maintainer.
> >
> > IMHO, security fixes should be specifically mentioned in the blanket section.
> >
> > Florian
> >
>