On Tue, 1 Nov 2022, Stephen Smoogen wrote:
On Tue, 1 Nov 2022 at 06:59, Nick Howitt via epel-devel <
epel-devel(a)lists.fedoraproject.org> wrote:
> Yesterday, ClamAV announced CVE-2022-37434 as critical (
>
https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
> Redhat only seem to classify the issue as Moderate in EL7 -
>
https://access.redhat.com/security/cve/cve-2022-37434. It looks like
> that, unless Redhat classify it as Critical, zlib and zlib-devel won't get
> updated so ClamAV can't be rebuilt against the updated zlib-devel. What is
> the EPEL take on the issue?
>
Well if the EL7 in the base operating system is not getting updated, then
any rebuild by EPEL is not going to see a 'fixed' version. It isn't just
zlib-devel which would need to be fixed but the zlib libraries that clamav
needs to link to on a system.
This particular case is more "interesting", as the ClamAV RPM and
Docker image both bundle updated versions of zlib and libxml.
Nick, are you in a position to test either the ClamAV RPM or Docker packages
on EL7 ? If the Docker works, you could run clamdscan on the main machine
connecting to the Docker clamd server.
--
Andrew C. Aitchison Kendal, UK
andrew(a)aitchison.me.uk