Yesterday, ClamAV announced CVE-2022-37434 as critical (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html). Redhat only seem to classify the issue as Moderate in EL7 - https://access.redhat.com/security/cve/cve-2022-37434. It looks like that, unless Redhat classify it as Critical, zlib and zlib-devel won't get updated so ClamAV can't be rebuilt against the updated zlib-devel. What is the EPEL take on the issue?
On Tue, 1 Nov 2022 at 06:59, Nick Howitt via epel-devel <epel-devel@lists.fedoraproject.org> wrote:
> Yesterday, ClamAV announced CVE-2022-37434 as critical (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html). Redhat only seem to classify the issue as Moderate in EL7 - https://access.redhat.com/security/cve/cve-2022-37434. It looks like that, unless Redhat classify it as Critical, zlib and zlib-devel won't get updated so ClamAV can't be rebuilt against the updated zlib-devel. What is the EPEL take on the issue?
Well if the EL7 in the base operating system is not getting updated, then any rebuild by EPEL is not going to see a 'fixed' version. It isn't just zlib-devel which would need to be fixed but the zlib libraries that clamav needs to link to on a system.
This problem isn't new and is common when any RHEL reaches its '2 years until expiration'. We usually see more software where the upstream vendor believes a problem is critical but the OS vendor does not in the oldest version. This being a volunteer organization, we generally have to go with what copious free time allows which is usually nil and nothing.
epel-devel mailing list -- epel-devel@lists.fedoraproject.org To unsubscribe send an email to epel-devel-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On Tue, 1 Nov 2022, Stephen Smoogen wrote:
> On Tue, 1 Nov 2022 at 06:59, Nick Howitt via epel-devel <epel-devel@lists.fedoraproject.org> wrote:
>> Yesterday, ClamAV announced CVE-2022-37434 as critical (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html). Redhat only seem to classify the issue as Moderate in EL7 - https://access.redhat.com/security/cve/cve-2022-37434. It looks like that, unless Redhat classify it as Critical, zlib and zlib-devel won't get updated so ClamAV can't be rebuilt against the updated zlib-devel. What is the EPEL take on the issue?
> Well if the EL7 in the base operating system is not getting updated, then any rebuild by EPEL is not going to see a 'fixed' version. It isn't just zlib-devel which would need to be fixed but the zlib libraries that clamav needs to link to on a system.
This particular case is more "interesting", as the ClamAV RPM and Docker image both bundle updated versions of zlib and libxml.
Nick, are you in a position to test either the ClamAV RPM or Docker packages on EL7 ? If the Docker works, you could run clamdscan on the main machine connecting to the Docker clamd server.
On Tue, 1 Nov 2022 at 07:48, Andrew C Aitchison <andrew@aitchison.me.uk> wrote:
> On Tue, 1 Nov 2022, Stephen Smoogen wrote:
>> On Tue, 1 Nov 2022 at 06:59, Nick Howitt via epel-devel <epel-devel@lists.fedoraproject.org> wrote:
>>> Yesterday, ClamAV announced CVE-2022-37434 as critical (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html). Redhat only seem to classify the issue as Moderate in EL7 - https://access.redhat.com/security/cve/cve-2022-37434. It looks like that, unless Redhat classify it as Critical, zlib and zlib-devel won't get updated so ClamAV can't be rebuilt against the updated zlib-devel. What is the EPEL take on the issue?
>> Well if the EL7 in the base operating system is not getting updated, then any rebuild by EPEL is not going to see a 'fixed' version. It isn't just zlib-devel which would need to be fixed but the zlib libraries that clamav needs to link to on a system.
> This particular case is more "interesting", as the ClamAV RPM and Docker image both bundle updated versions of zlib and libxml.
My apologies. I looked in the clamav-0.103.7-1.el7.src.rpm and didn't see a separate libz tar ball that most bundled packages come with.

```
$ rpm -qlp clamav-0.103.7-1.el7.src.rpm
README.fedora
bytecode-333.cvd
clamav-0.103.7-norar.tar.xz
clamav-0.99-private.patch
clamav-clamonacc-service.patch
clamav-default_confs.patch
clamav-freshclam.service.patch
clamav-milter.systemd
clamav-stats-deprecation.patch
clamav-update.crond
clamav-update.logrotate
clamav.spec
clamd-README
clamd.logrotate
clamd@.service
daily-26614.cvd
freshclam-sleep
freshclam.sysconfig
main-62.cvd
```

If clamav has it in its own source code and an updated version of clamav is downloadable then it will be the maintainer who can do a new build.
> Nick, are you in a position to test either the ClamAV RPM or Docker packages on EL7 ? If the Docker works, you could run clamdscan on the main machine connecting to the Docker clamd server.
> --
> Andrew C. Aitchison
> Kendal, UK
> andrew@aitchison.me.uk
On 01/11/2022 11:57, Stephen Smoogen wrote:
> On Tue, 1 Nov 2022 at 07:48, Andrew C Aitchison <andrew@aitchison.me.uk> wrote:
>> On Tue, 1 Nov 2022, Stephen Smoogen wrote:
>>> On Tue, 1 Nov 2022 at 06:59, Nick Howitt via epel-devel <epel-devel@lists.fedoraproject.org> wrote:
>>>> Yesterday, ClamAV announced CVE-2022-37434 as critical (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html). Redhat only seem to classify the issue as Moderate in EL7 - https://access.redhat.com/security/cve/cve-2022-37434. It looks like that, unless Redhat classify it as Critical, zlib and zlib-devel won't get updated so ClamAV can't be rebuilt against the updated zlib-devel. What is the EPEL take on the issue?
>>> Well if the EL7 in the base operating system is not getting updated, then any rebuild by EPEL is not going to see a 'fixed' version. It isn't just zlib-devel which would need to be fixed but the zlib libraries that clamav needs to link to on a system.
>> This particular case is more "interesting", as the ClamAV RPM and Docker image both bundle updated versions of zlib and libxml.
> My apologies. I looked in the clamav-0.103.7-1.el7.src.rpm and didn't see a separate libz tar ball that most bundled packages come with.
>
> ```
> $ rpm -qlp clamav-0.103.7-1.el7.src.rpm
> README.fedora
> bytecode-333.cvd
> clamav-0.103.7-norar.tar.xz
> clamav-0.99-private.patch
> clamav-clamonacc-service.patch
> clamav-default_confs.patch
> clamav-freshclam.service.patch
> clamav-milter.systemd
> clamav-stats-deprecation.patch
> clamav-update.crond
> clamav-update.logrotate
> clamav.spec
> clamd-README
> clamd.logrotate
> clamd@.service
> daily-26614.cvd
> freshclam-sleep
> freshclam.sysconfig
> main-62.cvd
> ```
>
> If clamav has it in its own source code and an updated version of clamav is downloadable then it will be the maintainer who can do a new build.
>> Nick, are you in a position to test either the ClamAV RPM or Docker packages on EL7 ? If the Docker works, you could run clamdscan on the main machine connecting to the Docker clamd server.
I am unfortunately not really able to do anything to test the rpm or docker build. I use ClearOS7 and, in this case, because ClearOS (apparently) were compiling ClamAV before EPEL (many, many moons ago), they use different file locations and (possibly) a couple of different file names. Their build is based on the EPEL sources but the spec file is modified slightly before building. I really wish they had changed their apps to use the EPEL build directly, but unfortunately they didn't and their apps are not compatible with the EPEL build.
I was hoping EPEL could provide guidance about how they could possibly solve the issue so I could compile it myself.
Nick
On Tue, 1 Nov 2022 10:50:02 +0000 Nick Howitt via epel-devel <epel-devel@lists.fedoraproject.org> wrote:
> Yesterday, ClamAV announced CVE-2022-37434 as critical (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html). Redhat only seem to classify the issue as Moderate in EL7 - https://access.redhat.com/security/cve/cve-2022-37434. It looks like that, unless Redhat classify it as Critical, zlib and zlib-devel won't get updated so ClamAV can't be rebuilt against the updated zlib-devel. What is the EPEL take on the issue?
The question was about an update of bundled libraries, which are not used by the EPEL package.
On 01/11/2022 15:46, Tuomo Soini wrote:
> On Tue, 1 Nov 2022 10:50:02 +0000 Nick Howitt via epel-devel <epel-devel@lists.fedoraproject.org> wrote:
>> Yesterday, ClamAV announced CVE-2022-37434 as critical (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html). Redhat only seem to classify the issue as Moderate in EL7 - https://access.redhat.com/security/cve/cve-2022-37434. It looks like that, unless Redhat classify it as Critical, zlib and zlib-devel won't get updated so ClamAV can't be rebuilt against the updated zlib-devel. What is the EPEL take on the issue?
> Question was about update of bundled libraries which are not used by epel package.
Sorry but the spec file has "BuildRequires: zlib-devel" so it is used for building and, if I understand correctly, the CVE effectively means ClamAV needs to be rebuilt against the fixed zlib/zlib-devel. Please let me know if I have misunderstood.
On Tue, 1 Nov 2022 at 13:44, Nick Howitt via epel-devel <epel-devel@lists.fedoraproject.org> wrote:
> On 01/11/2022 15:46, Tuomo Soini wrote:
>> On Tue, 1 Nov 2022 10:50:02 +0000 Nick Howitt via epel-devel <epel-devel@lists.fedoraproject.org> wrote:
>>> Yesterday, ClamAV announced CVE-2022-37434 as critical (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html). Redhat only seem to classify the issue as Moderate in EL7 - https://access.redhat.com/security/cve/cve-2022-37434. It looks like that, unless Redhat classify it as Critical, zlib and zlib-devel won't get updated so ClamAV can't be rebuilt against the updated zlib-devel. What is the EPEL take on the issue?
>> Question was about update of bundled libraries which are not used by epel package.
> Sorry but the spec file has "BuildRequires: zlib-devel" so it is used for building and, if I understand correctly, the CVE effectively means ClamAV needs to be rebuilt against the fixed zlib/zlib-devel. Please let me know if I have misunderstood.
That means it is using the OS zlib to build things. If RHEL does not ship any update, then rebuilding it won't fix anything.
If you backport the fix to the shipped zlib source code and build it yourself, then if all goes well everything which was built against the original ABI will continue to work without recompiling.
If you compile a new zlib then you may need to recompile not only it but also every other spec that requires zlib-devel.
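The distinction Stephen draws here (the OS zlib is what clamav links against, a backported fix in that shared library covers everything linked to it, and a rebuild of clamav changes nothing until the library itself changes) together with Andrew's earlier point that the upstream ClamAV RPM carries its own zlib copy can be turned into a concrete check. The following POSIX shell script is an added example and is not code from the thread, from ClamAV, EPEL or Red Hat: it reads `ldd` output to decide whether a clamscan binary resolves `libz.so.1` from the distro's library directories or from a private copy, and for the distro case it looks for the CVE id in the `rpm` changelog rather than at the version string, because a backported fix keeps the old version number (1.2.7 on EL7). The version comparison is only meaningful for upstream builds; 1.2.13 is the first upstream zlib release containing the fix. The `ldd` output, the changelog entries and the `/opt/clamav` install prefix are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example for the EPEL zlib discussion; not code from ClamAV, EPEL or Red Hat.
# Decides whether a ClamAV binary loads the distro's libz.so.1 or a private copy,
# and whether that zlib carries the CVE-2022-37434 fix. The version string is only
# trusted for upstream builds; for a distro build the rpm changelog decides, because
# a backported fix keeps the old version number (1.2.7 on EL7).

# Constructed ldd output resembling an EPEL clamscan on EL7 (not captured from a real host).
SAMPLE_LDD_SYSTEM='        linux-vdso.so.1 =>  (0x00007ffd5b3c2000)
        libclamav.so.9 => /lib64/libclamav.so.9 (0x00007f1c1a200000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f1c19e00000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f1c19a00000)'

# Constructed ldd output for a build that ships its own zlib (the /opt prefix is an assumption).
SAMPLE_LDD_PRIVATE='        libclamav.so.11 => /opt/clamav/lib64/libclamav.so.11 (0x00007f2a00000000)
        libz.so.1 => /opt/clamav/lib64/libz.so.1 (0x00007f29ffc00000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f29ff800000)'

# Constructed rpm changelog fragments (not real Red Hat changelog entries).
SAMPLE_CHANGELOG_FIXED='* Mon Jan 01 2000 Example Maintainer <maint@example.com> - 1.2.7-N
- Resolves: CVE-2022-37434 heap buffer overflow in inflate()'
SAMPLE_CHANGELOG_UNFIXED='* Mon Jan 01 2000 Example Maintainer <maint@example.com> - 1.2.7-N
- rebuild, no security content'

# zlib_origin LDD_OUTPUT -> prints "system", "private" or "none"
zlib_origin() {
    path=$(printf '%s\n' "$1" | awk '$1 == "libz.so.1" && $2 == "=>" { print $3; exit }')
    case "$path" in
        "") echo none ;;                                   # no dynamic libz: static copy or unused
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) echo system ;;
        *) echo private ;;
    esac
}

# zlib_version_fixed_upstream VERSION -> success if VERSION >= 1.2.13,
# the first upstream release that carries the fix. Non-numeric parts count as 0.
zlib_version_fixed_upstream() {
    ver=$1
    maj=$(printf '%s' "$ver" | cut -d. -f1); maj=${maj%%[!0-9]*}; maj=${maj:-0}
    min=$(printf '%s' "$ver" | cut -d. -f2); min=${min%%[!0-9]*}; min=${min:-0}
    pat=$(printf '%s' "$ver" | cut -d. -f3); pat=${pat%%[!0-9]*}; pat=${pat:-0}
    [ "$maj" -gt 1 ] && return 0
    [ "$maj" -eq 1 ] && [ "$min" -gt 2 ] && return 0
    [ "$maj" -eq 1 ] && [ "$min" -eq 2 ] && [ "$pat" -ge 13 ] && return 0
    return 1
}

# changelog_mentions_cve CHANGELOG CVE_ID -> success if the distro changelog names the CVE
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# assess LDD_OUTPUT CHANGELOG VERSION -> one-line verdict
assess() {
    case "$(zlib_origin "$1")" in
        none)
            echo "no dynamic libz.so.1: check the binary for a statically linked zlib" ;;
        system)
            if changelog_mentions_cve "$2" CVE-2022-37434; then
                echo "system zlib: CVE-2022-37434 backport present, no clamav rebuild needed"
            elif zlib_version_fixed_upstream "$3"; then
                echo "system zlib $3: at or above 1.2.13, fixed"
            else
                echo "system zlib $3: no fix recorded, rebuilding clamav changes nothing"
            fi ;;
        private)
            if zlib_version_fixed_upstream "$3"; then
                echo "private zlib $3: fixed upstream release"
            else
                echo "private zlib $3: needs an updated vendor package, not a distro zlib update"
            fi ;;
    esac
}

if [ "${1:-}" = --live ] && command -v rpm >/dev/null 2>&1; then
    # Live run: the installed clamscan against the rpm database (first zlib package on multilib hosts)
    assess "$(ldd "$(command -v clamscan)")" "$(rpm -q --changelog zlib)" \
           "$(rpm -q --qf '%{VERSION}\n' zlib | head -n 1)"
else
    assess "$SAMPLE_LDD_SYSTEM" "$SAMPLE_CHANGELOG_UNFIXED" 1.2.7
    assess "$SAMPLE_LDD_SYSTEM" "$SAMPLE_CHANGELOG_FIXED" 1.2.7
    assess "$SAMPLE_LDD_PRIVATE" "" 1.2.13
fi
```

Without arguments the script runs over the constructed samples; with `--live` on an RPM-based host it applies the same logic to the installed clamscan, which amounts to `ldd "$(command -v clamscan)"` plus `rpm -q --changelog zlib | grep -i CVE-2022-37434`. The "private" verdict is the case Andrew describes: a vendor build with its own zlib is fixed by a new vendor package, and a distro zlib update does nothing for it.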
On 01/11/2022 18:36, Stephen Smoogen wrote:
> On Tue, 1 Nov 2022 at 13:44, Nick Howitt via epel-devel <epel-devel@lists.fedoraproject.org> wrote:
>> On 01/11/2022 15:46, Tuomo Soini wrote:
>>> On Tue, 1 Nov 2022 10:50:02 +0000 Nick Howitt via epel-devel <epel-devel@lists.fedoraproject.org> wrote:
>>>> Yesterday, ClamAV announced CVE-2022-37434 as critical (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html). Redhat only seem to classify the issue as Moderate in EL7 - https://access.redhat.com/security/cve/cve-2022-37434. It looks like that, unless Redhat classify it as Critical, zlib and zlib-devel won't get updated so ClamAV can't be rebuilt against the updated zlib-devel. What is the EPEL take on the issue?
>>> Question was about update of bundled libraries which are not used by epel package.
>> Sorry but the spec file has "BuildRequires: zlib-devel" so it is used for building and, if I understand correctly, the CVE effectively means ClamAV needs to be rebuilt against the fixed zlib/zlib-devel. Please let me know if I have misunderstood.
> That means it is using the OS zlib to build things. If RHEL does not ship any update, then rebuilding it won't fix anything.
> If you backport the fix to the shipped zlib source code and build it yourself, then if all goes well everything which was built against the original ABI will continue to work without recompiling.
> If you compile a new zlib then you may need to recompile it but also every other spec that requires zlib-devel.
That is going too far for me. I guess I am stuck on RedHat. I have compiled 0.103.7-2 but with the current zlib/zlib-devel.
On Tue, 2022-11-01 at 10:50 +0000, Nick Howitt via epel-devel wrote:
> Yesterday, ClamAV announced CVE-2022-37434 as critical (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html). Redhat only seem to classify the issue as Moderate in EL7 - https://access.redhat.com/security/cve/cve-2022-37434. It looks like that, unless Redhat classify it as Critical, zlib and zlib-devel won't get updated so ClamAV can't be rebuilt against the updated zlib-devel. What is the EPEL take on the issue?
We build clamav from the sources, no bundles involved; we use the system zlib and libxml2.