Date:      Fri, 20 May 2022 05:49:47 -0700 (PDT)
From:      Roger Marquis <marquis@roble.com>
To:        Florian Smeets <flo@smeets.xyz>
Cc:        Andrea Venturoli <ml@netfence.it>, yasu@FreeBSD.org, ports@freebsd.org
Subject:   Re: ClamAV security update
Message-ID:  <q8s211p9-61o0-9o62-738p-3460sp22970@mx.roble.com>
In-Reply-To: <f1a5a3f1-3c48-584a-86e3-deddef2e4ce6@smeets.xyz>
References:  <9fafaa47-0695-389f-11a9-940ab26364fc@netfence.it> <f1a5a3f1-3c48-584a-86e3-deddef2e4ce6@smeets.xyz>

Thank you Florian!  If there are any policy changes that can be made to
prevent this sort of issue (critical vulnerabilities not getting patches
or not showing up in vuln.xml for days or weeks after a CVE and/or
update) please do recommend them to, well, who does set ports/security
management policies?

Roger Marquis


> On 19.05.22 09:30, Andrea Venturoli wrote:
>> 
>> Hello.
>> 
>> I see Clamav 0.105.0, 0.104.3 and 0.103.6 were released on May 5th, the 
>> latter two closing "several CVE fixes".
>> 
>> However, the port was not updated and not even portaudit entries were 
>> added.
>> 
>> Was this overlooked?
>> Are the FreeBSD ports somehow not affected?
>> 
>
> I created a patch and PR a week ago. I was waiting for the maintainer 
> timeout. After discussing with bapt I went ahead and committed the update 
> without approval of the maintainer.
>
> IMHO, security fixes should be specifically mentioned in the blanket section.
>
> Florian
>