Re: [Pkg-clamav-devel] [SRM] clamav 0.94.x EOL

Posted by admin on Oct 10th, 2009

On Fri, 9 Oct 2009 16:39:41 +0200 Philipp Kern wrote:
>On Thu, Oct 08, 2009 at 08:31:49AM -0400, Scott Kitterman wrote:
>> I do not think removal is the approach that would be best for users. It
>> would leave them with an orphaned, non-working package and they will have
>> to upgrade systems to a newer release, install from external sources (e.g.
>> volatile), or compile from source directly.
>>
>> Updating clamav and needed rdepends to something that upstream supports
>> would be more beneficial for users. With a half a year of notice, I think
>> this is manageable.
>>
>> This is the approach Ubuntu will be taking (they already have a full set of
>> updates in their backport repository that is tested and almost ready).
>
>Especially as there is no use in keeping old versions of a virus scanner
>around which cannot be updated anymore and as a sufficient amount of people do
>want a virus scanner on their box.
>
>I wonder, though, how many people are actually using the version Lenny
>provides. If they do, they probably do not know enough to use volatile,
>or do not trust it because it's not as official as the stable suite is.
>Of course we could do a noisy drop of clamav out of Lenny and point people to
>volatile, I just wonder if that's actually a disservice to our users.

One reason to use Lenny's is if you are using it with one of the libclamav
rdepends, the volatile clamav won't work, since the updated rdepends are
not in volatile.

>For squeeze I see two proposals:
> a) Either we could relax the policy for clamav a bit if sufficient upgrade
> testing is ensured (like Ubuntu already does, thanks to Scott’s work)

I can attest that this is a significant amount of work, but it is
achievable.

> or
> b) We push volatile to be a really official service alongside the stable
> tree residing on our normal infrastructure as a goal for squeeze.
> Volatile updates are currently undergoing testing (thanks to the clamav
> team) but maybe a coordinated effort in reviewing for stable suitability
> of the Ubuntu and Debian counterparts of clamav maintenance would help
> us to convince a possible set of people not using volatile yet.

It would also need to deal with rdepends to be a suitable replacement for
the official archive.

My view is that it’s pointless to try to keep stability in anti-virus.
Staying still is actually a regression as the bad guys start new ways of
causing problems.

Debian users ought to be able to just update their systems with what is
provided by Debian in confidence that their software will keep working.
Currently, at least for the subset using libclamav rdepends, they don’t
have that at all.

Scott K


To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of “unsubscribe”. Trouble? Contact listmaster@lists.debian.org

Re: [Pkg-clamav-devel] [SRM] clamav 0.94.x EOL

Posted by admin on Oct 9th, 2009

On Thu, Oct 08, 2009 at 08:31:49AM -0400, Scott Kitterman wrote:
> I do not think removal is the approach that would be best for users. It
> would leave them with an orphaned, non-working package and they will have
> to upgrade systems to a newer release, install from external sources (e.g.
> volatile), or compile from source directly.
>
> Updating clamav and needed rdepends to something that upstream supports
> would be more beneficial for users. With a half a year of notice, I think
> this is manageable.
>
> This is the approach Ubuntu will be taking (they already have a full set of
> updates in their backport repository that is tested and almost ready).

Especially as there is no use in keeping old versions of a virus scanner
around which cannot be updated anymore and as a sufficient amount of people do
want a virus scanner on their box.

I wonder, though, how many people are actually using the version Lenny
provides. If they do, they probably do not know enough to use volatile,
or do not trust it because it's not as official as the stable suite is.
Of course we could do a noisy drop of clamav out of Lenny and point people to
volatile, I just wonder if that's actually a disservice to our users.

For squeeze I see two proposals:
a) Either we could relax the policy for clamav a bit if sufficient upgrade
testing is ensured (like Ubuntu already does, thanks to Scott’s work)
or
b) We push volatile to be a really official service alongside the stable
tree residing on our normal infrastructure as a goal for squeeze.
Volatile updates are currently undergoing testing (thanks to the clamav
team) but maybe a coordinated effort in reviewing for stable suitability
of the Ubuntu and Debian counterparts of clamav maintenance would help
us to convince a possible set of people not using volatile yet.

Now b) was already planned, but hasn’t got any progress in the last months.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                  Stable Release Manager
`. `'   xmpp:phil@0x539.de                  Wanna-Build Admin
  `-    finger pkern/key@db.debian.org


Re: [SRM] clamav 0.94.x EOL

Posted by admin on Oct 9th, 2009

On 2009-10-07, Paul Wise wrote:
> Just in case the stable release managers want to do something about it
> and don't know about this yet, clamav upstream are taking some
> interesting measures to "encourage" people to upgrade from the now
> EOLed 0.94.x series. The mail isn't fully clear, but it seems that
> clamav 0.94.x will not work at all from April 15th 2010 and will not
> receive signature updates from May 2010, so I guess removal from
> stable/oldstable is in order as well as an announcement of some sort
> (DSA perhaps?).
>
> http://lurker.clamav.net/message/20091006.143601.d27bbd20.en.html

Yes, we should direct people to volatile, I’ve opened a ticket in
the security RT queue.

And we shouldn’t repeat the same mistake for Squeeze, i.e. keep it
out of stable and in volatile only.

Cheers,
Moritz



Re: rootkit not found by rkhunter

Posted by admin on Oct 9th, 2009

On Thu, Oct 08, 2009 at 09:08:31AM +0000, Jörg Sommer wrote:
> > You need to make sure that the machine actually gets rebooted when
> > security updates are made.
>=20
> I thought for security fixes in modules it’s enough to update/replace
> the module. Isn’t it?

No. If the module is already loaded in memory, then overwriting the
file isn’t going to help. The vulnerability is in memory. Of course,
if the module is not actually loaded, then overwriting the file is OK.

noah


Re: [SRM] clamav 0.94.x EOL

Posted by admin on Oct 8th, 2009

On Thu, Oct 08, 2009 at 02:11:39PM +0200, Tomasz Papszun wrote:
> On Thu, 08 Oct 2009 at 13:09:02 +0200, Bastian Blank wrote:
> > On Thu, Oct 08, 2009 at 12:25:51PM +0200, Tomasz Papszun wrote:
> > > Sorry, it may seem a little harsh,
> > Why?
> Well, from the Paul’s message I had an impression he felt so :-) .

Well, I remember the discussion before the release of Lenny about whether
clamav can be part of a stable release at all. And the apprehension that
clamav upstream will kill that version completely before the security
support of this version ends has become reality. So Paul has the right to
sound harsh.

Please note that this decision may also affect the answer to the same
question for clamav and all related tools in a future stable release of
Debian.

> > > but the reason is that unless the
> > > majority of ClamAV users upgrade to >= 0.95.x, old freshclams will put
> > > an excessive load on ClamAV database mirrors and that will harm *all*
> > > of ClamAV users, not only the ones running old versions.
> > And a _targeted_ fix is not possible?
> 0.94.x is no longer officially supported,

There are easier ways to discourage all the distributions with stable
releases from including your software at all.

Anyway, this mail was enough to convince me that clamav can’t be
released as part of a stable release.

Bastian


The heart is not a logical organ.
– Dr. Janet Wallace, “The Deadly Years”, stardate 3479.4



Re: [Pkg-clamav-devel] [SRM] clamav 0.94.x EOL

Posted by admin on Oct 8th, 2009

On Thu, 8 Oct 2009 12:25:51 +0200 Tomasz Papszun wrote:
>On Wed, 07 Oct 2009 at 14:47:21 +0800, Paul Wise wrote:
>> Just in case the stable release managers want to do something about it
>> and don't know about this yet, clamav upstream are taking some
>> interesting measures to "encourage" people to upgrade from the now
>> EOLed 0.94.x series. The mail isn't fully clear, but it seems that
>> clamav 0.94.x will not work at all from April 15th 2010 and will not
>> receive signature updates from May 2010, so I guess removal from
>> stable/oldstable is in order as well as an announcement of some sort
>> (DSA perhaps?).
>>
>> http://lurker.clamav.net/message/20091006.143601.d27bbd20.en.html
>>
>
>Sorry, it may seem a little harsh, but the reason is that unless the
>majority of ClamAV users upgrade to >= 0.95.x, old freshclams will put
>an excessive load on ClamAV database mirrors and that will harm *all*
>of ClamAV users, not only the ones running old versions.
>
Personally, I appreciate having significant advance notice so we can do
something to prepare.

I do not think removal is the approach that would be best for users. It
would leave them with an orphaned, non-working package and they will have
to upgrade systems to a newer release, install from external sources (e.g.
volatile), or compile from source directly.

Updating clamav and needed rdepends to something that upstream supports
would be more beneficial for users. With a half a year of notice, I think
this is manageable.

This is the approach Ubuntu will be taking (they already have a full set of
updates in their backport repository that is tested and almost ready).

Scott K



Re: [SRM] clamav 0.94.x EOL

Posted by admin on Oct 8th, 2009

On Thu, 08 Oct 2009 at 13:09:02 +0200, Bastian Blank wrote:
> On Thu, Oct 08, 2009 at 12:25:51PM +0200, Tomasz Papszun wrote:
> > Sorry, it may seem a little harsh,
>
> Why?

Well, from Paul's message I had an impression he felt so :-) .

> > but the reason is that unless the
> > majority of ClamAV users upgrade to >= 0.95.x, old freshclams will put
> > an excessive load on ClamAV database mirrors and that will harm *all*
> > of ClamAV users, not only the ones running old versions.
>
> And a _targeted_ fix is not possible?
>
> Bastian

0.94.x is no longer officially supported; however, you can fix the
problem on your own in Debian and update the internal functionality
counter to mimic 0.95. Such versions will still be working after 15
April 2010.

HTH

Tomasz Papszun | And it’s only
tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
tomek at clamav.net http://www.ClamAV.net/ A GPL virus scanner



Re: running vs. installed kernel

Posted by admin on Oct 8th, 2009

Peter Palfrader wrote:
> On Mon, 05 Oct 2009, dann frazier wrote:
>
>
>> cat /proc/version is nice because it is the running kernel, and
>> includes the package version.
>>
>
> Also, maybe
> http://git.debian.org/?p=mirror/dsa-nagios.git;a=blob;f=dsa-nagios-checks/checks/dsa-check-running-kernel;hb=HEAD
> might be useful for some.
>
>
There is also a check on Nagios Exchange:
http://exchange.nagios.org/directory/Plugins/Uncategorized/Operating-Systems/Linux/Running-kernel-compared-to-installed-kernel-version-%252D-updated!/details

It deals with different versions of Debian and Ubuntu too.

By the way, on ubuntu systems this information is stored in
/proc/version_signature:
root@web1:~/bin# cat /proc/version
Linux version 2.6.28-15-server (buildd@yellow) (gcc version 4.3.3
(Ubuntu 4.3.3-5ubuntu4) ) #52-Ubuntu SMP Wed Sep 9 11:34:09 UTC 2009
root@web1:~/bin# cat /proc/version_signature
Ubuntu 2.6.28-15.52-server

Cheers,
Gunni


Guntram Trebs
freelance programmer and administrator

gt@trebs.net
+49 (30) 42 80 61 55
+49 (179) 519 82 39 (vorl
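
Two points from this page fit together: noah's reply in the rkhunter thread (a module or kernel replaced on disk is only fixed once the new code is actually loaded, so the running kernel has to be compared with what is installed) and Gunni's note above (Debian carries the package version inside /proc/version, Ubuntu in /proc/version_signature). The script below is an added example for this page; it is not code from any of the posters, nor from the dsa-nagios check or the Nagios Exchange plugin linked above. The version strings it parses are constructed to match the two formats shown in the thread, and using `dpkg-query -W -f='${Version}' linux-image-$(uname -r)` as the "installed" side is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the thread): is the kernel that is running the one
# dpkg has installed? Debian puts the package version into /proc/version
# ("... (Debian 2.6.26-19lenny2) ..."); Ubuntu puts it into
# /proc/version_signature ("Ubuntu 2.6.28-15.52-server"). All sample strings
# in this file are constructed to match those formats, not captured output.

# Print the distribution package version found in one such line, or nothing
# if the line is in neither format.
running_pkg_version() {
    case "$1" in
        "Linux version "*)
            # Debian: the "(Debian X)" parenthetical after the release string
            printf '%s\n' "$1" |
                sed -n 's/^Linux version [^ ]* (Debian \([^)]*\)).*/\1/p' ;;
        "Ubuntu "*)
            # Ubuntu: "Ubuntu 2.6.28-15.52-server" -> "2.6.28-15.52" (drop the flavour)
            printf '%s\n' "$1" |
                sed -n 's/^Ubuntu \([0-9][0-9.]*-[0-9.]*\)-.*/\1/p' ;;
    esac
}

# 0: running kernel package version equals the installed one
# 1: they differ, i.e. the box still runs an older kernel than it has on disk
# 2: the running version could not be determined from the input
kernel_is_current() {
    running=$(running_pkg_version "$1")
    [ -n "$running" ] || return 2
    if [ "$running" = "$2" ]; then
        return 0
    fi
    return 1
}

status_word() {
    case "$1" in
        0) echo current ;;
        1) echo REBOOT-NEEDED ;;
        *) echo unknown ;;
    esac
}

# Live check: prefer /proc/version_signature where it exists (Ubuntu) and ask
# dpkg for the version of the image package that matches uname -r.
check_live_system() {
    if [ -r /proc/version_signature ]; then
        line=$(cat /proc/version_signature)
    else
        line=$(cat /proc/version)
    fi
    installed=$(dpkg-query -W -f='${Version}' "linux-image-$(uname -r)" 2>/dev/null) || installed=
    rc=0
    kernel_is_current "$line" "$installed" || rc=$?
    printf '%s: running=%s installed=%s\n' \
        "$(status_word "$rc")" "$(running_pkg_version "$line")" "${installed:-?}"
    return "$rc"
}

# Offline demonstration on constructed input: a Debian box that is current,
# the same box after a newer linux-image was installed, and two Ubuntu cases.
demo() {
    debian='Linux version 2.6.26-2-amd64 (Debian 2.6.26-19lenny2) (buildd@example) (gcc version 4.1.3) #1 SMP Tue Dec 15 22:49:12 UTC 2009'
    ubuntu='Ubuntu 2.6.28-15.52-server'
    for pair in "$debian|2.6.26-19lenny2" "$debian|2.6.26-21lenny4" \
                "$ubuntu|2.6.28-15.52" "$ubuntu|2.6.28-16.55"; do
        line=${pair%|*}
        installed=${pair##*|}
        rc=0
        kernel_is_current "$line" "$installed" || rc=$?
        printf '%-14s running=%-16s installed=%s\n' \
            "$(status_word "$rc")" "$(running_pkg_version "$line")" "$installed"
    done
}

if [ "${1-}" = "--live" ]; then
    check_live_system
else
    demo
fi
```

Run it with `--live` on a Debian or Ubuntu host to compare the real files; without arguments it only walks the constructed cases. A match says the kernel image is current and nothing more: a module replaced on disk since boot (noah's point) still needs a reload or a reboot, and where the kernel exposes it, comparing `/sys/module/NAME/srcversion` with `modinfo -F srcversion NAME` is the equivalent check for a single module.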

Re: [SRM] clamav 0.94.x EOL

Posted by admin on Oct 8th, 2009

On Thu, Oct 08, 2009 at 12:25:51PM +0200, Tomasz Papszun wrote:
> Sorry, it may seem a little harsh,

Why?

> but the reason is that unless the
> majority of ClamAV users upgrade to >= 0.95.x, old freshclams will put
> an excessive load on ClamAV database mirrors and that will harm *all*
> of ClamAV users, not only the ones running old versions.

And a _targeted_ fix is not possible?

Bastian


… bacteriological warfare … hard to believe we were once foolish
enough to play around with that.
– McCoy, “The Omega Glory”, stardate unknown



Re: [SRM] clamav 0.94.x EOL

Posted by admin on Oct 8th, 2009

On Wed, 07 Oct 2009 at 14:47:21 +0800, Paul Wise wrote:
> Just in case the stable release managers want to do something about it
> and don't know about this yet, clamav upstream are taking some
> interesting measures to "encourage" people to upgrade from the now
> EOLed 0.94.x series. The mail isn't fully clear, but it seems that
> clamav 0.94.x will not work at all from April 15th 2010 and will not
> receive signature updates from May 2010, so I guess removal from
> stable/oldstable is in order as well as an announcement of some sort
> (DSA perhaps?).
>
> http://lurker.clamav.net/message/20091006.143601.d27bbd20.en.html
>

Sorry, it may seem a little harsh, but the reason is that unless the
majority of ClamAV users upgrade to >= 0.95.x, old freshclams will put
an excessive load on ClamAV database mirrors and that will harm *all*
of ClamAV users, not only the ones running old versions.

Best regards

Tomasz Papszun | And it’s only
tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
tomek at clamav.net http://www.ClamAV.net/ A GPL virus scanner


