On 01/11/2022 15:46, Tuomo Soini wrote:
On Tue, 1 Nov 2022 10:50:02 +0000
Nick Howitt via epel-devel <epel-devel(a)lists.fedoraproject.org> wrote:
> Yesterday, ClamAV announced CVE-2022-37434 as critical
> (
https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
> Redhat only seem to classify the issue as Moderate in EL7 -
>
https://access.redhat.com/security/cve/cve-2022-37434. It looks like
> that, unless Redhat classify it as Critical, zlib and zlib-devel
> won't get updated so ClamAV can't be rebuilt against the updated
> zlib-devel. What is the EPEL take on the issue?
Question was about update of bundled libraries which are not used by
epel package.
Sorry but the spec file has "BuildRequires: zlib-devel" so it is used
for building and, if I understand correctly, the CVE effectively means
ClamAV needs to be rebuilt against the fixed zlib/zlib-devel. Please let
me know if I have misunderstood.