On Tue, 1 Nov 2022, Stephen Smoogen wrote:
On Tue, 1 Nov 2022 at 06:59, Nick Howitt via epel-devel <
epel-devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Yesterday, ClamAV announced CVE-2022-37434 as critical (
https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
Redhat only seem to classify the issue as Moderate in EL7 -
https://access.redhat.com/security/cve/cve-2022-37434. It looks like
that, unless Redhat classify it as Critical, zlib and zlib-devel won't get
updated so ClamAV can't be rebuilt against the updated zlib-devel. What is
the EPEL take on the issue?
Well if the EL7 in the base operating system is not getting updated, then
any rebuild by EPEL is not going to see a 'fixed' version. It isn't just
zlib-devel which would need to be fixed but the zlib libraries that clamav
needs to link to on a system.
This particular case is more "interesting", as the ClamAV RPM and
Docker image both bundle updated versions of zlib and libxml.
Nick, are you in a position to test either the ClamAV RPM or Docker packages
on EL7 ? If the Docker works, you could run clamdscan on the main machine
connecting to the Docker clamd server.
--
Andrew C. Aitchison Kendal, UK
andrew@xxxxxxxxxxxxxxx
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue