Bugzilla – Bug 1040662
clamav-nodb: shipped in Leap but unmaintained in SLE
Last modified: 2018-01-28 15:35:37 UTC
+++ This bug was initially created as a clone of Bug #1040640 +++

openSUSE ships a maintained clamav:

openSUSE:Leap:42.2:Update/clamav 0.99.2 via SUSE:SLE-12:GA
openSUSE:Leap:42.3:Update/clamav 0.99.2 via SUSE:SLE-12:GA

However it also ships clamav-nodb:

openSUSE:Leap:42.2:Update/clamav-nodb 0.98.4 via SUSE:SLE-12:GA
openSUSE:Leap:42.3:Update/clamav-nodb 0.98.4 via SUSE:SLE-12:GA

-nodb is "Antivirus Toolkit like package clamav, but without database".

Since it is not in any SLE maintained product, it never receives updates. It is missing the following security fixes:

- Improved detection of malicious PE files (bnc#906770, CVE-2014-9050)
* Security fix for ClamAV crash when using 'clamscan -a'.
* Security fix for ClamAV crash when scanning maliciously crafted yoda's crypter files (bnc#906077, CVE-2013-6497).
* bsc#916217, CVE-2015-1461: Remote attackers can have unspecified impact via Yoda's crypter or mew packer files.
* bsc#916214, CVE-2015-1462: Unspecified impact via a crafted upx packer file.
* bsc#916215, CVE-2015-1463: Remote attackers can cause a denial of service via a crafted petite packer file.
* bsc#915512, CVE-2014-9328: heap out of bounds condition with crafted upack packer files.
- Version 0.98.7 - several security issues (bsc#929192) (CVE-2015-2170, CVE-2015-2221, CVE-2015-2222, CVE-2015-2668, CVE-2015-2305)

Also various others that we may have not tracked specifically due to the clamav package already having been updated.

Findings for the package itself:

* Neither clamav nor clamav-nodb currently contain databases. We ship clamav-database with weekly updates built from a separate source package. A change from Jan 2013:

> - Remove the clamav-db subpackage. ClamAV installations should
> fetch current versions of the virus database directly from
> upstream. If there really is need for a packaged database, it
> should be in a separate package.

So for 42.3 the package is useless and should be dropped.
For the next available maintenance update on Leap 42.2/3, the clamav package should be marked as superseding clamav-nodb so the latter gets removed.

Findings for release management:

Leap releases should not include packages from the SLE code streams that are maintained in *any* SLE product. If there is no reasonable expectation that there will be any updates, it should not be included. They would simply fall through the cracks.
I was never involved in the clamav-nodb package. AFAIK: a) it was purely internal (for virus-checking other packages during build), b) got deprecated and replaced for that purpose by the clamav package after clamav-db had become a separate source package, and c) should of course never have ended up on Leap. Maybe Rudi and/or Marcus can say more about it.
For the next available maintenance update on Leap 42.2/3, the clamav package should be marked as superseding clamav-nodb so the latter gets removed.
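The supersede step requested above, as an added shell example that is not code from the bug report or from the clamav package: it assumes the clamav update carries an RPM Obsoletes tag on clamav-nodb (the version bound is an assumption) and checks, on a constructed sample of `rpm -q --obsoletes` output, whether the shipped clamav-nodb 0.98.4 would actually be replaced.

```shell
# Added example, not code from the bug report or from the clamav package:
# check that the maintained clamav package obsoletes clamav-nodb, so the
# maintenance update replaces the unmaintained package instead of leaving
# it installed. The Obsoletes bound shown is an assumption.

# Constructed sample of `rpm -q --obsoletes clamav` output; the
# "<capability> <op> <version>" format is how rpm prints such tags.
SAMPLE_OBSOLETES='clamav-nodb < 0.99.2'
# Version of clamav-nodb shipped in Leap 42.2/42.3 according to the bug.
NODB_SHIPPED='0.98.4'

# version_lt A B: exit 0 when dotted-numeric version A is lower than B.
# Done in awk so it does not depend on GNU `sort -V`.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1   # equal is not "less than"
    }'
}

# obsoletes_bound OUTPUT PKG: print the "<" version bound declared for PKG
# (empty when the Obsoletes is unversioned); exit 1 when PKG is not listed.
obsoletes_bound() {
    printf '%s\n' "$1" | awk -v pkg="$2" '
        $1 == pkg { found = 1; if ($2 == "<") print $3; else print "" }
        END { exit found ? 0 : 1 }'
}

# will_be_removed OUTPUT PKG INSTALLED: exit 0 when updating to the package
# that printed OUTPUT would remove PKG at version INSTALLED.
will_be_removed() {
    bound=$(obsoletes_bound "$1" "$2") || return 1
    [ -z "$bound" ] && return 0   # unversioned Obsoletes removes any version
    version_lt "$3" "$bound"
}

# Stand-alone run against the constructed sample. On a real Leap system use
# "$(rpm -q --obsoletes clamav)" and "$(rpm -q --qf '%{VERSION}' clamav-nodb)".
if will_be_removed "$SAMPLE_OBSOLETES" clamav-nodb "$NODB_SHIPPED"; then
    echo "clamav-nodb $NODB_SHIPPED would be replaced by the clamav update"
else
    echo "clamav does not obsolete clamav-nodb $NODB_SHIPPED" >&2
fi
```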
https://build.opensuse.org/request/show/499026
SUSE-SU-2017:1716-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1040662,1045490
CVE References: CVE-2012-6706
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src): clamav-0.99.2-32.1
SUSE Linux Enterprise Server for SAP 12 (src): clamav-0.99.2-32.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): clamav-0.99.2-32.1
SUSE Linux Enterprise Server 12-SP2 (src): clamav-0.99.2-32.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): clamav-0.99.2-32.1
SUSE Linux Enterprise Server 12-LTSS (src): clamav-0.99.2-32.1
SUSE Linux Enterprise Desktop 12-SP2 (src): clamav-0.99.2-32.1
This is an autogenerated message for OBS integration: This bug (1040662) was mentioned in https://build.opensuse.org/request/show/547654 15.0 / clamav
SUSE-SU-2018:0255-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1040662,1049423,1052448,1052449,1052466,1077732
CVE References: CVE-2017-11423,CVE-2017-12374,CVE-2017-12375,CVE-2017-12376,CVE-2017-12377,CVE-2017-12378,CVE-2017-12379,CVE-2017-12380,CVE-2017-6418,CVE-2017-6419,CVE-2017-6420
Sources used:
SUSE OpenStack Cloud 6 (src): clamav-0.99.3-33.5.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): clamav-0.99.3-33.5.1
SUSE Linux Enterprise Server for SAP 12 (src): clamav-0.99.3-33.5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): clamav-0.99.3-33.5.1
SUSE Linux Enterprise Server 12-SP3 (src): clamav-0.99.3-33.5.1
SUSE Linux Enterprise Server 12-SP2 (src): clamav-0.99.3-33.5.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): clamav-0.99.3-33.5.1
SUSE Linux Enterprise Server 12-LTSS (src): clamav-0.99.3-33.5.1
SUSE Linux Enterprise Desktop 12-SP3 (src): clamav-0.99.3-33.5.1
SUSE Linux Enterprise Desktop 12-SP2 (src): clamav-0.99.3-33.5.1
openSUSE-SU-2018:0258-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1040662,1049423,1052448,1052449,1052466,1077732
CVE References: CVE-2017-11423,CVE-2017-12374,CVE-2017-12375,CVE-2017-12376,CVE-2017-12377,CVE-2017-12378,CVE-2017-12379,CVE-2017-12380,CVE-2017-6418,CVE-2017-6419,CVE-2017-6420
Sources used:
openSUSE Leap 42.3 (src): clamav-0.99.3-20.1