On 01/11/2022 18:36, Stephen Smoogen wrote:
On Tue, 1 Nov 2022 at 13:44, Nick Howitt via epel-devel
<epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
<mailto:epel-devel@xxxxxxxxxxxxxxxxxxxxxxx>> wrote:
On 01/11/2022 15:46, Tuomo Soini wrote:
> On Tue, 1 Nov 2022 10:50:02 +0000
> Nick Howitt via epel-devel <epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
<mailto:epel-devel@xxxxxxxxxxxxxxxxxxxxxxx>> wrote:
>
>> Yesterday, ClamAV announced CVE-2022-37434 as critical
>>
(https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html <https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html>).
>> Redhat only seem to classify the issue as Moderate in EL7 -
>> https://access.redhat.com/security/cve/cve-2022-37434
<https://access.redhat.com/security/cve/cve-2022-37434>. It looks like
>> that, unless Redhat classify it as Critical, zlib and zlib-devel
>> won't get updated so ClamAV can't be rebuilt against the updated
>> zlib-devel. What is the EPEL take on the issue?
> Question was about update of bundled libraries which are not used by
> epel package.
>
Sorry but the spec file has "BuildRequires: zlib-devel" so it is used
for building and, if I understand correctly, the CVE effectively means
ClamAV needs to be rebuilt against the fixed zlib/zlib-devel. Please
let
me know if I have misunderstood.
That means it is using the OS zlib to build things. If RHEL does not
ship any update, then rebuilding it won't fix anything.
If you backport the fix to the shipped zlib source code and build it
yourself, then if all goes well everything which was built against the
original ABI will continue to work without recompiling
If you compile a new zlib then you may need to recompile it but also
every other spec that requires zlib-devel.
That is going too far for me. I guess I am stuck on RedHat. I have
compiled 0.103.7-2 but with the current zlib/zlib-devel.
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue