Bug 1538844 - clamav-0.99.3 is available
Summary: clamav-0.99.3 is available
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: clamav
Version: el6
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1539041 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-01-26 00:11 UTC by Upstream Release Monitoring
Modified: 2018-03-02 16:02 UTC (History)
16 users (show)

Fixed In Version: clamav-0.99.3-1.el7 clamav-0.99.3-1.fc27 clamav-0.99.3-8.el6
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-02 16:02:43 UTC


Attachments (Terms of Use)

Description Upstream Release Monitoring 2018-01-26 00:11:20 UTC
Latest upstream release: 0.99.3
Current version/release in rawhide: 0.99.2-18.fc28
URL: http://www.clamav.net/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya:  https://release-monitoring.org/project/291/

Comment 1 Upstream Release Monitoring 2018-01-26 00:11:39 UTC
Skipping the scratch build because an SRPM could not be built: ['rpmbuild', '-D', '_sourcedir .', '-D', '_topdir .', '-bs', u'/var/tmp/thn-2XHWq_/clamav.spec'] returned 1: error: File ./clamav-0.99.3-norar.tar.xz: No such file or directory

Comment 2 Tim Niemueller 2018-01-26 13:00:26 UTC
This seems to be a rather critical update as it fixes several security issues:
http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

An article by Heise (German only: https://www.heise.de/security/meldung/Jetzt-patchen-Angriffe-auf-Viren-Scanner-ClamAV-3951801.html) mentions that some flaws are being actively exploited.

It would be nice to see a timely update, also for EPEL.

Comment 3 Sergio Monteiro Basto 2018-01-26 14:30:44 UTC
OK, my plan is push this ones [1] to stable before . Please give me some feedback that nothing is broken.  
Only this weekend I have spare time. 

Thanks, 

[1]
https://bodhi.fedoraproject.org/updates/?search=clamav

Comment 4 Tim Niemueller 2018-01-26 15:44:14 UTC
That update works for me in combination with clamav-milter (where there is only the annoyance that SELinux prevents clamav-milter to bind to milter_t ports which I have fixed with a local override). Just updated Karma on Bodhi.

However, just to avoid a misunderstanding: 0.99.2 which is on Bodhi does not fix the mentioned vulnerabilities.

Comment 5 Sergio Monteiro Basto 2018-01-26 15:59:57 UTC
yeah ,

Comment 6 Orion Poplawski 2018-01-26 16:04:37 UTC
I'll see if I can get 0.99.3 out soon.

Comment 7 Sergio Monteiro Basto 2018-01-26 16:15:22 UTC
*** Bug 1539041 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2018-01-27 00:52:24 UTC
clamav-0.99.3-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-685990fa70

Comment 9 Fedora Update System 2018-01-27 00:53:04 UTC
clamav-0.99.3-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-369a48191f

Comment 10 Fedora Update System 2018-01-27 00:56:44 UTC
clamav-0.99.3-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-cb339851e7

Comment 11 Robert Scheck 2018-01-28 13:52:05 UTC
Sergio, could you please explain why you simply merged the EPEL 7 packaging
layout into the EPEL 6 package? Because so far, EPEL 6 clamav packages had a
completely different packaging layout.

Comment 12 Tim Niemueller 2018-01-28 14:29:51 UTC
I have tested this version on EL7 and it's working fine (using clamav-milter). Thanks for the quick update!

Comment 13 Sergio Monteiro Basto 2018-01-28 17:15:51 UTC
(In reply to Robert Scheck from comment #11)
> Sergio, could you please explain why you simply merged the EPEL 7 packaging
> layout into the EPEL 6 package? Because so far, EPEL 6 clamav packages had a
> completely different packaging layout.

IIRC I had inform you that my intention in another bugzilla report, after we got this urgency, release version reset and I took the "opportunity" to change. 

I wanted merge repos because still some bugs out there to fix [1] and I want fix it in all releases . 

epel 6 have some different files and I'm studying it : 

        clamav-milter.init
        clamav-milter.sysconfig
        clamav.init

Also I'm checking if we need provides / obsoletes for el6 exactly because the change of the layout, meanwhile the package is only in testing repo, I hope .

I'm doing what I think is the best, I had inform you and any suggestion / help is welcome . 

Best regards and thanks.

[1] 
https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&bug_status=VERIFIED&bug_status=RELEASE_PENDING&component=clamav&known_name=clamav&list_id=8348125&product=Fedora&product=Fedora%20EPEL&query_based_on=clamav&query_format=advanced

Comment 14 Robert Scheck 2018-01-28 18:26:01 UTC
Related to a critical security update, I dislike the idea of changing the
packaging layout at all. Aside of that you argumented that RHEL 6 goes EOL
in < 1.5 years. So why not keeping the old layout for this time simply? It
definitely doesn't make server admins happy to handle such changes now.

Comment 15 Fedora Update System 2018-01-28 22:09:50 UTC
clamav-0.99.3-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-369a48191f

Comment 16 Fedora Update System 2018-01-28 22:10:10 UTC
clamav-0.99.3-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-685990fa70

Comment 17 Sergio Monteiro Basto 2018-01-28 22:27:23 UTC
RHEL 6 EOL is November 30, 2020 [1], all 2018 , 2019 and almost all 2020 , so EOL is > 2.5 , I will try reduce the impact. I had already all prepared, was not precipitation, if we haven't this security urgency, maybe update to el6 was delayed one or two months . And don't gave me more work, now all Fedora(s) and RHEL(s) will have same experience, so will be more well tested.

Thanks  


[1]
https://access.redhat.com/support/policy/updates/errata

Comment 18 Fedora Update System 2018-01-28 23:04:31 UTC
clamav-0.99.3-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-cb339851e7

Comment 19 Andreas Büthe 2018-01-29 12:04:11 UTC
The changed package layout for EPEL 6 breaks dependencies for amavisd-new.

$ yum info amavisd-new
Name        : amavisd-new
Arch        : noarch
Version     : 2.9.1
Release     : 3.el6
Size        : 3.0 M
Repo        : installed
From repo   : epel

$ yum deplist amavisd-new | grep clam
  dependency: clamd
   provider: clamd.x86_64 0.99.2-3.el6

I haven't found a way to update to ClamAV 0.99.3. An updated version of amavisd-new doesn't exist in epel-testing.

Comment 20 Fedora Update System 2018-01-29 17:30:17 UTC
clamav-0.99.3-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2018-01-29 18:09:14 UTC
clamav-0.99.3-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Robert Scheck 2018-01-29 20:53:19 UTC
(In reply to Sergio Monteiro Basto from comment #17)
> RHEL 6 EOL is November 30, 2020 [1], all 2018 , 2019 and almost all 2020 ,
> so EOL is > 2.5 , I will try reduce the impact. I had already all prepared,
> was not precipitation, if we haven't this security urgency, maybe update to
> el6 was delayed one or two months . And don't gave me more work, now all
> Fedora(s) and RHEL(s) will have same experience, so will be more well tested.

Anyway, breaking things like it is currently happening is IMHO not acceptable
for EPEL. Do you have objections to revert to the old packaging layout for
EPEL 6 to get the security fix ASAP out? The upgrade path to the new packaging 
layout seems not to be ready yet according to Bodhi karma and above comment.

Comment 23 Sergio Monteiro Basto 2018-01-30 01:04:48 UTC
hello , please wait a little bit , unfortunately I'm very busy , I'd like add provides / obsolete to el6 , or use same layout but in this spec , I think thing could be fixed very easily .
we even could use same init script of el6 , but easily applicable on current spec ,
At least give me 24 hours ... 

Things are easy to fix testing with mock [1] 
error number 1 
package clamd-0.99.2-3.el6.x86_64 requires clamav = 0.99.2-3.el6, but 
what provides "old" clamd ?  clamav-scanner ? 

[1] 
mock -r epel-6-x86_64 --install "clamav*"
mock -r epel-6-x86_64 --update "clamav*" --enablerepo=testing
Problem 1: problem with installed package clamd-0.99.2-3.el6.x86_64
  - package clamd-0.99.2-3.el6.x86_64 requires clamav = 0.99.2-3.el6, but none of the providers can be installed
  - clamav-0.99.2-3.el6.i686 has inferior architecture
  - cannot install both clamav-0.99.3-1.el6.x86_64 and clamav-0.99.2-3.el6.x86_64
  - cannot install the best update candidate for package clamav-0.99.2-3.el6.x86_64
 Problem 2: problem with installed package amavisd-new-2.9.1-3.el6.noarch
  - package amavisd-new-2.9.1-3.el6.noarch requires clamd, but none of the providers can be installed
  - package clamd-0.99.2-3.el6.x86_64 requires clamav = 0.99.2-3.el6, but none of the providers can be installed
  - package clamav-filesystem-0.99.3-1.el6.noarch conflicts with clamav < 0.99.3-1.el6 provided by clamav-0.99.2-3.el6.x86_64
  - package clamav-filesystem-0.99.3-1.el6.noarch conflicts with clamav < 0.99.3-1.el6 provided by clamav-0.99.2-3.el6.i686
  - package clamav-devel-0.99.3-1.el6.x86_64 requires clamav-filesystem = 0.99.3-1.el6, but none of the providers can be installed
  - cannot install the best update candidate for package clamav-devel-0.99.2-3.el6.x86_64
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)

next testing  amavisd-new 
mock -r epel-6-x86_64 --install amavisd-new
mock -r epel-6-x86_64 --update --enablerepo=testing  
Error: 
 Problem 1: clamav-0.99.2-3.el6.i686 has inferior architecture
  - package clamd-0.99.2-3.el6.x86_64 requires clamav = 0.99.2-3.el6, but none of the providers can be installed
  - cannot install both clamav-0.99.3-1.el6.x86_64 and clamav-0.99.2-3.el6.x86_64
  - cannot install the best update candidate for package clamd-0.99.2-3.el6.x86_64
  - cannot install the best update candidate for package clamav-0.99.2-3.el6.x86_64
 Problem 2: package amavisd-new-2.9.1-3.el6.noarch requires clamd, but none of the providers can be installed
  - package clamd-0.99.2-3.el6.x86_64 requires clamav = 0.99.2-3.el6, but none of the providers can be installed
  - package clamav-filesystem-0.99.3-1.el6.noarch conflicts with clamav < 0.99.3-1.el6 provided by clamav-0.99.2-3.el6.x86_64
  - package clamav-filesystem-0.99.3-1.el6.noarch conflicts with clamav < 0.99.3-1.el6 provided by clamav-0.99.2-3.el6.i686
  - package clamav-devel-0.99.3-1.el6.x86_64 requires clamav-filesystem = 0.99.3-1.el6, but none of the providers can be installed
  - cannot install the best update candidate for package clamav-devel-0.99.2-3.el6.x86_64
  - cannot install the best update candidate for package amavisd-new-2.9.1-3.el6.noarch
 Problem 3: problem with installed package clamd-0.99.2-3.el6.x86_64
  - package clamd-0.99.2-3.el6.x86_64 requires clamav = 0.99.2-3.el6, but none of the providers can be installed
  - package clamav-filesystem-0.99.3-1.el6.noarch conflicts with clamav < 0.99.3-1.el6 provided by clamav-0.99.2-3.el6.x86_64
  - package clamav-filesystem-0.99.3-1.el6.noarch conflicts with clamav < 0.99.3-1.el6 provided by clamav-0.99.2-3.el6.i686
  - package clamav-milter-0.99.3-1.el6.x86_64 requires group(virusgroup), but none of the providers can be installed
  - cannot install the best update candidate for package clamav-milter-0.99.2-3.el6.x86_64
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)

Comment 24 Sergio Monteiro Basto 2018-02-01 02:28:11 UTC
Hello , sorry I give up , before next week is impossible , and I'm sorry though that specs be a little more similar ... 

2 big problems

1- 
cat /etc/passwd | grep clam
clamupdate:x:492:479:Clamav database update user:/var/lib/clamav:/sbin/nologin
clamscan:x:483:461::/:/sbin/nologin
clamilt:x:438:401:Clamav Milter user:/var/run/clamav-milter:/sbin/nologin

vs 

cat /etc/passwd | grep clam
clam:x:499:462:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin
clam-update:x:498:461:clamav-unofficial-sigs user account:/var/lib/clamav-unofficial-sigs:/bin/bash

2-

This gives errors like

[LibClamAV] cli_loadldb: logical signature for Win.Trojan.ssid18332-1 uses PCREs but support is disabled, skipping

when a scan is run. This is a regression as clamconf | grep Optional gives

Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 ICONV JIT

for this version but clamav-0.99.2-2.el6 gave

Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE ICONV JIT

Comment 25 Sergio Monteiro Basto 2018-02-06 13:35:45 UTC
Hello , First I'm deeply sorry for this mess .

I'm thinking remove sub-packages , sysvinit , upstart,  systemd to be more compatible with el6 .

Second thing is copy from el6 to master the sysvinit scripts ...

Comment 26 Tim Niemueller 2018-02-06 14:51:39 UTC
Please don't. No need to confuse users of systemd systems with unnecessary scripts.

I think the best way to resolve this is to acknowledge that el6 has to stay separate and different from the other branches. After all, that is something branches in git handle very well. Maybe someone still relying on el6 can step in and help?

Comment 27 Sergio Monteiro Basto 2018-02-06 15:17:49 UTC
(In reply to Tim Niemueller from comment #26)
> Please don't. No need to confuse users of systemd systems with unnecessary
> scripts.

NAK, Nobody packs systemd in a sub-package (almost),  clamav-server-systemd and others packages have only file [1], for me the confuse is not have clamav-scanner-systemd when I install clamav-scanner 


[1]
rpm -ql clamav-server-systemd
/usr/lib/systemd/system/clamd@.service

rpm -ql clamav-milter-systemd
/usr/lib/systemd/system/clamav-milter.service

rpm -ql clamav-scanner-systemd
usr/lib/systemd/system/clamd@scan.service

Comment 28 Tim Niemueller 2018-02-06 15:45:24 UTC
Fair enough. But also installing SysV is just error-prone and confusing. The sane way would be to package systemd files on el7 and Fedora, and SysV init on el6.

Comment 29 Andres Martinson 2018-02-12 23:38:04 UTC
Severity of this bug being urgent, what kind of timeline can we look for the fix being available in epel for the el6 package?

Comment 30 Sergio Monteiro Basto 2018-02-13 20:42:44 UTC
(In reply to Tim Niemueller from comment #28)
> Fair enough. But also installing SysV is just error-prone and confusing. The
> sane way would be to package systemd files on el7 and Fedora, and SysV init
> on el6.

yeah I'm observe more errors in main clamav.spec , systemd-tmpfiles have to be exclusive for systemd and not without systemd , but tmpfiles are in main packages , is an error . 

Now other problem , clamav-scanner and clamav-server , old el6 package [1] obsolete them and IMHO it is the correct clamav-scanner package it is a little stange [2] .

So I will drop server and scanner in favor of clamd , also sysv files from el6 seems more correct 

the work already done [3] 

[1] 
https://koji.fedoraproject.org/koji/rpminfo?rpmID=12188240


[2]
https://koji.fedoraproject.org/koji/rpminfo?rpmID=12908851


[3] 
https://src.fedoraproject.org/rpms/clamav/c/5491d97aceda628aa23cca34147c3e6d9db8571d?branch=master

Comment 31 Sergio Monteiro Basto 2018-02-14 23:08:23 UTC
Hello , 
I'm reverting clamav el6 to old state , I found many issues to fix .
So I prefer revert el6 to old state , fix all issues with some time , and maybe one day try again using master branch on el6 

I'm just testing the build before commit ... 

Thanks

Comment 32 Fedora Update System 2018-02-15 01:38:25 UTC
clamav-0.99.3-8.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-be69c94866

Comment 33 Fedora Update System 2018-02-15 14:49:05 UTC
clamav-0.99.3-8.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-be69c94866

Comment 34 Fedora Update System 2018-03-02 16:02:43 UTC
clamav-0.99.3-8.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.