Clamav security update (Was: Security fixes in Extras)
Jason L Tibbitts III
tibbs at math.uh.edu
Tue Jan 17 15:38:59 UTC 2006
>>>>> "JB" == Josh Boyer <jwboyer at jdub.homelinux.org> writes:

>> What if the maintainer is out of pocket?

JB> Others with CVS access should make the fix in cases like this.

I believe we may have to test this. clamav in extras has what is
potentially a remotely exploitable hole; an upstream update fixing the
problem was released on January 9. I opened
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177761 on Friday
but it has elicited no response from the maintainer.

The maintainer checked the new version into CVS (on all branches)
immediately upon its upstream release and sent a build request on the
devel branch (but not any of the release branches). I tested the CVS
code on FC-3 over the weekend on my primary MXes and found no issues.

This begs the following questions:

How long should the community wait for the maintainer?

Who should issue the build request?

I'm really trying hard to avoid stepping on toes here. I think clamav
is a fine package, but the maintainer seems to be away, we have what
could be a bad security issue and I'm starting to get private mail
asking about an updated build. (I assume that's because of the bug I
opened or traffic on this list.) I honestly don't want to be the
clamav maintainer; I just happened to see the Gentoo update come across
bugtraq on Friday and became concerned about my own servers.

- J<