On Tue, 1 Nov 2022 at 07:48, Andrew C Aitchison <andrew@xxxxxxxxxxxxxxx> wrote:
On Tue, 1 Nov 2022, Stephen Smoogen wrote:
> On Tue, 1 Nov 2022 at 06:59, Nick Howitt via epel-devel <
> epel-devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> Yesterday, ClamAV announced CVE-2022-37434 as critical (
>> https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
>> Redhat only seem to classify the issue as Moderate in EL7 -
>> https://access.redhat.com/security/cve/cve-2022-37434. It looks like
>> that, unless Redhat classify it as Critical, zlib and zlib-devel won't get
>> updated so ClamAV can't be rebuilt against the updated zlib-devel. What is
>> the EPEL take on the issue?
>>
>
> Well if the EL7 in the base operating system is not getting updated, then
> any rebuild by EPEL is not going to see a 'fixed' version. It isn't just
> zlib-devel which would need to be fixed but the zlib libraries that clamav
> needs to link to on a system.
This particular case is more "interesting", as the ClamAV RPM and
Docker image both bundle updated versions of zlib and libxml.
My apologies. I looked in the clamav-0.103.7-1.el7.src.rpm and didn't see a separate libz tar ball hat most bundled packages come with.
```
$ rpm -qlp clamav-0.103.7-1.el7.src.rpm
README.fedora
bytecode-333.cvd
clamav-0.103.7-norar.tar.xz
clamav-0.99-private.patch
clamav-clamonacc-service.patch
clamav-default_confs.patch
clamav-freshclam.service.patch
clamav-milter.systemd
clamav-stats-deprecation.patch
clamav-update.crond
clamav-update.logrotate
clamav.spec
clamd-README
clamd.logrotate
clamd@.service
daily-26614.cvd
freshclam-sleep
freshclam.sysconfig
main-62.cvd
bytecode-333.cvd
clamav-0.103.7-norar.tar.xz
clamav-0.99-private.patch
clamav-clamonacc-service.patch
clamav-default_confs.patch
clamav-freshclam.service.patch
clamav-milter.systemd
clamav-stats-deprecation.patch
clamav-update.crond
clamav-update.logrotate
clamav.spec
clamd-README
clamd.logrotate
clamd@.service
daily-26614.cvd
freshclam-sleep
freshclam.sysconfig
main-62.cvd
```
If clamav has it in its own source code and an updated version of clamav is downloadable then it will be the maintainer who can do a new build.
Nick, are you in a position to test either the ClamAV RPM or Docker packages
on EL7 ? If the Docker works, you could run clamdscan on the main machine
connecting to the Docker clamd server.
--
Andrew C. Aitchison Kendal, UK
andrew@xxxxxxxxxxxxxxx
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren_______________________________________________ epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue