ClamAV 0.94.1 fixes security problem

Attached debdif for Hardy

Applies, builds fine with pbuilder , installs fine

Attached debdif for gutsy

Applies, builds fine with pbuilder , installs fine

Did you check 0.94 too? I believe there are a couple of minor issues there
that are worth dealing with.

Attached debdif for dapper

Applies, builds fine with pbuilder , installs fine

Here's the plan:

Intrepid and Jaunty both have 0.94.1 release candidate. Once 0.94.1 is uploaded to Debian, I'll work on getting those updated.

Dapper/Gutsy/Hardy need this and some other patches too. I'm working on gathering those up.

0.94.1 just hit incoming, so shortly ....

> 0.94.1 just hit incoming, so shortly ....
>
> --
> ClamAV 0.94.1 fixes security problem
> https://bugs.launchpad.net/bugs/296704
> You received this bug notification because you are subscribed to clamav
> in ubuntu.
>

So no more bug hunting for 94.0 ?? even I didn't found any cve or
public data just memory leaks

Leonel

Please look at 0.94. I'm working my way through the clamav svn looking for
changes to cherrypick. Hopefully between the two of us we'll get all the
stuff we need for 0.92.1.

Scott K

This bug was fixed in the package clamav - 0.94.dfsg.1-1ubuntu1

---------------
clamav (0.94.dfsg.1-1ubuntu1) jaunty; urgency=low

  * Merge from Debian Unstable (LP: #296704). Remaining Ubuntu changes:
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
      profile is unchanged (ie non-enforcing) and upgrades where the profile
      doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor
  * Update apparmor profile for clamd to work with TCP sockets (LP: #288942)

clamav (0.94.dfsg.1-1) unstable; urgency=low

  [ Stephen Gran ]
  * New upstream version (closes: #505134, #502165, #501298)
  * Handle new option SubmitDetectionStats in freshclam.conf
  * Remove RAR from the description, since we really don't handle it anymore
  * Skip 'sleep until -e socket' logic if socket is of type inet (LP #296086)

  [ Michael Meskes ]
  * Added myself as uploader.
  * Changed watch file to account for dfsg extension.
  * Do not configure temporary directory in clamd.conf anymore unless it is
    already configured there.
  * Added Basque debconf translation (closes: #500007)

  [ Michael Tautschnig ]
  * Use lsb's status_of_proc function to determine the status of the process
    and return with according exit codes (closes: #486076)
  * Updated Dutch debconf translation (thanks Paul Gevers <email address hidden>)
    (closes: #501627)
  * Changed versioned dependency of clamav-daemon to clamav-base to equals
    (closes: #500416)
  * Handle new option DetectionStatsCountry in freshclam.conf
  * Don't trust the multilib guessing stuff, always use libdir=$prefix/lib
  * Removed nowadays unused lintian overrides
  * Create md5sums control file for clamav-dbg as well (thanks, lintian)

 -- Scott Kitterman <email address hidden> Tue, 11 Nov 2008 22:24:38 -0500

Debdiff to update Intrepid to 0.94.1. If you close your eyes and ignore the build related stuff it's not too bad.

dapper, gutsy, hardy building in security queue.

Revised diff with the exim stuff added in again.

 Some clamav packages in ppa for Hardy have unmet dependencies:
he following packages have unmet dependencies:
  clamav-daemon: Depends: lsb-base (>= 3.2-13) but 3.2-4ubuntu1 is to be installed
  clamav-freshclam: Depends: lsb-base (>= 3.2-13) but 3.2-4ubuntu1 is to be installed
E: Broken packages
clamav-base is OK
 Do they really require lsb-base 3.2-13? Do your PPA packages depend on other PPAs?
 Could you please fix it?
 Thank you!

Thanks. We'll need to drop some of the lsb status stuff then.

I just checked build-depends, not installability yet. Also, clamav bugs
aren't really appropriate for discussing the PPA packages (not part of
Ubuntu). Please feel free to mail me directly.

 Sorry about that - I was not sure where PPA really fits.

 Thank you.

> I just checked build-depends, not installability yet. Also, clamav bugs
> aren't really appropriate for discussing the PPA packages (not part of
> Ubuntu). Please feel free to mail me directly.

Test suite running added to the Intrepid package. Updated debdiff attached. The full package can get gotten from http://kitterman.com/clamav/clamav_0.94.dfsg.1-1ubuntu0.1.dsc (for now, I'll pull it down after it's uploaded).

Published as: http://www.ubuntu.com/usn/USN-672-1