From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Vulnerabilities flagged in clamav-0.105.1
Date: Tue, 08 Nov 2022 11:09:48 +0000
Message-ID: <7DDEFA78-4E5B-4F08-A0FA-3CB4A88BD084@ipfire.org>
In-Reply-To: <7d43a4e5-817b-06c4-95a0-2e19fe3fa2c5@ipfire.org>

Great!

I suppose a lot of the confusion from the release announcement seems to come from clamav shipping copies of those libraries (at least I think they still do so).

So they will have to release another tarball with the bundled libraries even if they didn't change anything. I consider this a really bad practice because that meant that Peter's updated zlib actually didn't fix it for clamav.

In IPFire 3 we try to track bundled libraries, but it is manual effort which is not 100% accurate.

Ideal would be to always link against the "system version". Sometimes the configure script has a "--with-system-zlib" switch, which should ALWAYS be used over the bundled version.

Best,
-Michael

> On 7 Nov 2022, at 20:51, Adolf Belka wrote:
> 
> Hi all,
> 
> I have just checked the change logs for the latest versions of zlib and libxml2 that I am building and they include fixes to the vulnerabilities flagged up in the clamav-0.105.1 announcement.
> 
> The vulnerability for zlib was already fixed in CU171 with the two patch files that Peter added. This patch set has now been integrated into the latest zlib.
> 
> The vulnerabilities for libxml2 have fixes for both CVEs in the latest version of libxml2 that was released on October 14th. Both of the CVEs are listed on the CVE website as reserved but with no details, but clearly the info has been circulated to the zlib and libxml2 developers and fixes were made a while ago.
> 
> Not sure how to find out if CVEs have been raised on packages that IPFire is using so we can use any fixes developed as soon as possible. I knew about the issues with zlib and libxml2 because I saw the announcement of the clamav-0.105.1 release.
> 
> Anyway good news, the patches I will submit soon will contain the fixes to the CVEs mentioned in the clamav announcement.
> 
> Regards,
> 
> Adolf.
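The thread above turns on two points: a fixed system zlib does not help a package that links its own vendored copy, and tracking such copies by hand is error-prone. The following scanner is an added example, not IPFire or ClamAV code. It locates vendored zlib and libxml2 in a source tree through the real version macros in their public headers (ZLIB_VERSION in zlib.h, LIBXML_DOTTED_VERSION in xmlversion.h), spots a statically linked zlib in a built file through the " inflate <version> Copyright" string zlib compiles into its objects, and flags any bundled copy older than the system package. The sample source tree, the stand-in binary bytes and the SYSTEM_VERSIONS table are constructed for the demonstration; the signature tables are a starting registry to extend, not a complete one.

```python
"""Added example (not IPFire or ClamAV code): find bundled copies of zlib and
libxml2 in a source tree or a built artifact and compare them with the
system package versions, so a vendored copy that lags behind a fixed system
library is flagged instead of silently shipping the old code."""
import re
import tempfile
from pathlib import Path

# Version macros from each library's public header (real macro names).
# Hypothetical registry: extend with further libraries as needed.
HEADER_SIGNATURES = {
    "zlib": ("zlib.h", re.compile(r'#define\s+ZLIB_VERSION\s+"([^"]+)"')),
    "libxml2": ("xmlversion.h",
                re.compile(r'#define\s+LIBXML_DOTTED_VERSION\s+"([^"]+)"')),
}

# zlib compiles " inflate <ver> Copyright ..." / " deflate <ver> Copyright ..."
# into every object containing its inflate/deflate code, so the string survives
# in a statically linked binary even when no header is shipped alongside it.
BINARY_SIGNATURES = {
    "zlib": re.compile(rb" (?:inflate|deflate) (\d+\.\d+\.\d+\S*) Copyright"),
}


def version_key(version):
    """Numeric components only, so '1.2.11' < '1.2.12.1' compares as expected."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def scan_source_tree(root):
    """Return {lib: [(relative path, version), ...]} for vendored headers under root."""
    root = Path(root)
    found = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        for lib, (header, pattern) in HEADER_SIGNATURES.items():
            if path.name != header:
                continue
            match = pattern.search(path.read_text(errors="replace"))
            if match:
                found.setdefault(lib, []).append(
                    (str(path.relative_to(root)), match.group(1)))
    return found


def scan_binary(data):
    """Return {lib: version} for library version strings embedded in built bytes."""
    hits = {}
    for lib, pattern in BINARY_SIGNATURES.items():
        match = pattern.search(data)
        if match:
            hits[lib] = match.group(1).decode()
    return hits


def stale_copies(found, system_versions):
    """List (lib, path, bundled version, system version) where the bundle is older."""
    stale = []
    for lib, copies in found.items():
        system = system_versions.get(lib)
        if system is None:
            continue  # no system package to compare against
        for path, bundled in copies:
            if version_key(bundled) < version_key(system):
                stale.append((lib, path, bundled, system))
    return stale


def build_sample_tree():
    """Constructed sample package that vendors zlib 1.2.11 and libxml2 2.9.14."""
    root = Path(tempfile.mkdtemp(prefix="bundled-"))
    zlib_dir = root / "third_party" / "zlib"
    zlib_dir.mkdir(parents=True)
    (zlib_dir / "zlib.h").write_text('#define ZLIB_VERSION "1.2.11"\n')
    xml_dir = root / "third_party" / "libxml2" / "include" / "libxml"
    xml_dir.mkdir(parents=True)
    (xml_dir / "xmlversion.h").write_text(
        '#define LIBXML_DOTTED_VERSION "2.9.14"\n')
    return root


# Constructed stand-in for a built binary with zlib statically linked in.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 32
                 + b" inflate 1.2.11 Copyright 1995-2017 Mark Adler "
                 + b"\x00" * 16)

# Assumed versions of the fixed system packages for the demonstration.
SYSTEM_VERSIONS = {"zlib": "1.2.13", "libxml2": "2.10.3"}


if __name__ == "__main__":
    tree = build_sample_tree()
    found = scan_source_tree(tree)
    for lib, path, bundled, system in stale_copies(found, SYSTEM_VERSIONS):
        print(f"{lib}: bundled {bundled} at {path} is older than system {system}")
    print("embedded in binary:", scan_binary(SAMPLE_BINARY))
```

Run the header scan over an unpacked tarball before building and the binary scan over the installed files afterwards: the second catches the case the thread describes, where a configure switch such as --with-system-zlib was available but not used and the package quietly linked its own copy anyway.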