Description of problem:
The Clamav package sends out daily E-mails that it is not current.
Version-Release number of selected component (if applicable):
clamav-0.88.7-2.fc6
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
Apparently this application monitors for updates and whines if it is not kept current.
can you provide more details please? I am running this version for some days and I never got such an e-mail
From the E-mail to the root user everyday:
    --------------------- clam-update Begin ------------------------
    Last ClamAV update process started at Sun Feb 25 23:13:07 2007
    Last Status:
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.88.7 Recommended version: 0.90
    DON'T PANIC! Read http://www.clamav.net/faq.html
    main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: tkojm)
    daily.cvd updated (version: 2654, sigs: 10790, f-level: 13, builder: ccordes)
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Current functionality level = 10, recommended = 13
    DON'T PANIC! Read http://www.clamav.net/faq.html
    Database updated (94741 signatures) from db.us.clamav.net (IP: 63.166.28.8)
    ---------------------- clam-update End -------------------------
mmh... I do not have a clue where this is coming from. Who is sending this message? The string 'clam-update' does not seem to appear in the clamav (sub)package(s).
Here are the clam rpms that I have installed:
    [dhighley@douglas ~]$ rpm -qa | grep clam
    clamav-0.88.7-2.fc6
    clamav-milter-0.88.7-2.fc6
    clamav-milter-sysv-0.88.7-2.fc6
    clamav-update-0.88.7-2.fc6
    clamav-lib-0.88.7-2.fc6
    clamav-data-0.88.7-2.fc6
The E-mail seems to be derived from grepping the /var/log/freshclam.log file. I do not find any direct link to this file in the /etc/cron.daily directory but assume it is part of the log file monitoring process.
sorry; there seems to be a 3rd party program on your machine which generates these warnings. I do not see how I can fix this from within the 'clamav' package.
This does not involve any non Fedora core/extras software. The logwatch utility monitors the log files and the clamav installation put an entry in the /usr/share/logwatch structure to be monitored. By default the clam virus service is disabled. Do you have your clamav service enabled and have you configured the clam configuration files so that it will run? That took me a little while to figure out. Do you have your clamav configured to check for updates? I do not use any other software except some multimedia stuff from livna.
I have the same problem. I use ClamAV together with Amavisd (combined with Postfix), both from Fedora Extras. The warning appears in the freshclam.log logfile:
    --------------------------------------
    ClamAV update process started at Fri Mar 2 12:46:57 2007
    main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: tkojm)
    daily.cvd updated (version: 2696, sigs: 11778, f-level: 13, builder: ccordes)
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Current functionality level = 10, recommended = 13
    DON'T PANIC! Read http://www.clamav.net/faq.html
    Database updated (95729 signatures) from db.nl.clamav.net (IP: 62.133.206.90)
and also on-screen when restarting the service:
    Stopping clamd.amavisd: [ OK ]
    Starting clamd.amavisd: LibClamAV Warning: ********************************************************
    LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
    LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
    LibClamAV Warning: ********************************************************
    [ OK ]
The freshclam.log logfile is a bit more precise about the problem: The "Functionality level" is 10 instead of the recommended 13. From the FAQ mentioned in the error-message:
<------------>
* What does WARNING: Current functionality level = 1, required = 2 mean?
  o The functionality level of the database determines which scanner engine version is required to use all of its signatures. If you don’t upgrade immediately you will be missing the latest viruses.
* What does Your ClamAV installation is OUTDATED mean?
  o You’ll get this message whenever a new version of ClamAV is released. In order to detect all the latest viruses, it’s not enough to keep your database up to date. You also need to run the latest version of the scanner. You can download the sources of the latest release from our website. Upgrade instructions are on the WikiWiki. If you are afraid to break something while upgrading, use the precompiled packages for your operating system/distribution. Remember: running the latest stable release also improves stability.
<------------>
So it seems that there's a newer version available for the ClamAV engine.
Sven
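The functionality-level check described in the FAQ quoted above, as an added example that is not part of the original comment and is not ClamAV or logwatch code: it parses freshclam.log text into update runs and reports which databases carry a higher f-level than the installed engine. The sample log is constructed from lines quoted in this thread, and the function names `parse_runs` and `assess` are hypothetical.

```python
import re

# Constructed sample: two update runs assembled from freshclam.log lines
# quoted in this thread.
SAMPLE_LOG = """\
--------------------------------------
ClamAV update process started at Fri Mar 2 12:46:57 2007
main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: tkojm)
daily.cvd updated (version: 2696, sigs: 11778, f-level: 13, builder: ccordes)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 10, recommended = 13
DON'T PANIC! Read http://www.clamav.net/faq.html
Database updated (95729 signatures) from db.nl.clamav.net (IP: 62.133.206.90)
--------------------------------------
ClamAV update process started at Mon Apr 9 02:32:16 2007
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.88.7 Recommended version: 0.90.1
DON'T PANIC! Read http://www.clamav.net/faq.html
main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: tkojm)
daily.cvd is up to date (version: 3050, sigs: 23289, f-level: 14, builder: ccordes)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 10, recommended = 14
"""

RUN_START = re.compile(r"ClamAV update process started at (.+)")
# "Database updated (N signatures)" has no "version:" field, so it never matches.
DB_LINE = re.compile(r"(\S+) (?:is up to date|updated) "
                     r"\(version: (\d+), sigs: (\d+), f-level: (\d+),")
VERSION = re.compile(r"WARNING: Local version: (\S+) Recommended version: (\S+)")
FLEVEL = re.compile(r"WARNING: Current functionality level = (\d+), recommended = (\d+)")


def parse_runs(text):
    """Split freshclam.log text into one dict per update run."""
    runs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_START.search(line)
        if m:
            runs.append({"started": m.group(1), "dbs": {}, "local": None,
                         "recommended": None, "engine_flevel": None,
                         "recommended_flevel": None})
            continue
        if not runs:
            continue  # text before the first run header is ignored
        run = runs[-1]
        if m := DB_LINE.match(line):
            run["dbs"][m.group(1)] = {"version": int(m.group(2)),
                                      "sigs": int(m.group(3)),
                                      "flevel": int(m.group(4))}
        elif m := VERSION.match(line):
            run["local"], run["recommended"] = m.group(1), m.group(2)
        elif m := FLEVEL.match(line):
            run["engine_flevel"] = int(m.group(1))
            run["recommended_flevel"] = int(m.group(2))
    return runs


def assess(run):
    """Summarise how far the engine lags the signature databases in one run."""
    engine = run["engine_flevel"]
    # Databases whose f-level exceeds the engine's may hold signatures
    # the installed engine cannot use.
    ahead = sorted(n for n, db in run["dbs"].items()
                   if engine is not None and db["flevel"] > engine)
    return {"started": run["started"],
            "engine_outdated": run["recommended"] is not None or engine is not None,
            "upgrade_to": run["recommended"],
            "flevel_gap": run["recommended_flevel"] - engine if engine is not None else 0,
            "dbs_needing_newer_engine": ahead}


if __name__ == "__main__":
    for r in parse_runs(SAMPLE_LOG):
        print(assess(r))
```
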
There are also a couple of known security issues with versions previous to 0.90. See http://www.securityfocus.com/bid/22580 and http://www.securityfocus.com/bid/22581. Pete
named CVEs/BIDs should be fixed in 0.88.7-2
Is there a reason that FE's clamav has not yet been updated to version 0.9? That is the reason for the outdated messages reported above and which will still be present with clamav-0.88.7-2.fc6. It will be three weeks tomorrow since 0.90 was released. What's the deal? This is the first time in recent memory that there has been such a long delay.
In order of precedence:
- it requires changes to configuration files
- it is not API and ABI compatible with clamav-0.88.x
- there are a lot of reports about instabilities
Enrico, prompted by your reply, I did some checking, as I was aware of some of the issues you raised (i.e. config files, CLI args) as a user of ClamAssassin.
>>- it requires changes to configuration files
There appears to be a script here: http://wiki.clamav.net/Main/UpgradeNotes090 that facilitates end user changes to the config file. This would not be the first time such changes are required with a version update of an application.
>>- it is not API and ABI compatible with clamav-0.88.x
Is your plan to coordinate such changes to the apps involved with the upstream folks and/or Fedora maintainers, or to defer this until F7?
>>- there are a lot of reports about instabilities
Some of these seem to be issues pertaining to the failure to properly update config files as above. Others, such as memory leaks, etc. seem to be resolved in version 0.90.1, which is now available. Any plans here?
Thanks.
BTW, there are update notes for 0.90.1 here: http://wiki.clamav.net/Main/UpgradeNotes0901
> >>- it requires changes to configuration files
>
> There appears to be a script here:
>
> http://wiki.clamav.net/Main/UpgradeNotes090
I do not have an idea how to handle this during a nightly 'yum upgrade' operation.
I am not an expert in RPMs unfortunately, but it seems to me that the script can be run post-install at the time of the update via entries in the spec file. I would have to defer to others on the details of implementation. A very brief Google search leads me to: http://www.rpm.org/max-rpm/s1-rpm-inside-scripts.html#S2-RPM-INSIDE-BUILD-TIME-SCRIPTS which suggests that a "%post" script directive in the spec file would facilitate this process. HTH
I appreciate all the work done Enrico, but something, anything, is better than suspending in time because this is harder than usual. The virus producers don't stop. Red Hat/Fedora can't afford to stop either.
There is an awk script, http://wiki.clamav.net/twiki/pub/Main/UpgradeNotes090/updateclamconf , that converts .8 conf files to .9, which could be made part of the clamav package and run as part of the post-install rpm section. A test could be made in pre-install of current version of clamav and if it is .8x, set a flag to run the post-install config file update script.
Another alternative is you could update and supply a generic conf file for .90 and preserve the original conf in an rpmsave file and disable clamav until the user updates the conf file like it is when first installed. Put a comment in the new conf file about the conversion script.
Just for information, the email to root discussed earlier comes from a package called logwatch.
    Name        : logwatch                     Relocations: (not relocatable)
    Version     : 7.3                               Vendor: Red Hat, Inc.
    Release     : 7.fc6                         Build Date: Wed 20 Dec 2006 03:33:49 AM EST
    Install Date: Tue 02 Jan 2007 03:00:07 PM EST   Build Host: js20-bc1-9.build.redhat.com
    Group       : Applications/System           Source RPM: logwatch-7.3-7.fc6.src.rpm
    Size        : 1014100                          License: MIT
    Signature   : DSA/SHA1, Tue 02 Jan 2007 10:18:43 AM EST, Key ID b44269d04f2a6fd2
    Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
    URL         : http://www.logwatch.org/
    Summary     : A log file analysis program.
    Description :
    Logwatch is a customizable, pluggable log-monitoring system. It will go
    through your logs for a given period of time and make a report in the areas
    that you wish with the detail that you wish. Easy to use - works right out
    of the package on many systems.
* virus database is still updated; according to http://article.gmane.org/gmane.comp.security.virus.clamav.user/25389
  | only 5% of our users are running 0.9x
  Hence, 0.88.7 database should be still updated for some time (hopefully until FC6's EOL ;) )
* I really do not see how to update the user configuration files; I neither know their exact location, nor can I guarantee that e.g. ~foo/.clamscan.conf is writable, nor can I guarantee that my changes are not overridden at next 'cfagent' run.
Breaking an existing clamav installation during a nightly 'yum upgrade' is not an option.
Context is everything. You left out "I urge everyone to upgrade to 0.90.1 ." That seems pretty clear. Entire post follows:
Hello Dennis,
> Sidebar - continuing to see freshclam update failures - trussed
> freshclam and watched it walking through the list of mirrors looking for
> data and never finding it. That seems to be a lot of mirrors out of
> service or busy doing other things. Did I catch them at a bad time? Is
> there a bad time?
Well our sigmakers are publishing a lot of updates (which is a good thing) but only 5% of our users are running 0.9x which means no scripted updates and a lot of traffic for our mirrors. Many of them cannot cope with the current traffic.
I urge everyone to upgrade to 0.90.1 .
Best regards
--
Luca Gibelli (luca _at_ clamav.net) - ClamAV, a GPL anti-virus toolkit
again: I do not know an upgrade path which guarantees a working clamav installation after a nightly 'yum upgrade'. Therefore, I will stay at 0.88.7 as long as possible
Sorry, but sitting on the fence is not an option. Several options were proposed of which updating and moving the configuration files to rpmsave seemed the safest. I would say that you either need to update the package or pull the package from the distribution if you're not going to maintain it, which I think would be the wrong choice.
    # freshclam
    ClamAV update process started at Mon Apr 9 02:32:16 2007
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.88.7 Recommended version: 0.90.1
    DON'T PANIC! Read http://www.clamav.net/faq.html
    main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: tkojm)
    daily.cvd is up to date (version: 3050, sigs: 23289, f-level: 14, builder: ccordes)
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Current functionality level = 10, recommended = 14
    DON'T PANIC! Read http://www.clamav.net/faq.html
We should get this updated soon. I'd be willing to take a look at what could be done for updates. Is there a reason we can not just backup the existing config(s) as .rpmsave and call it an update?
I suggested that in comment 16: Enrico seems reluctant to do anything about this.
Enrico's decision seems perfectly justifiable. The current Fedora package, whilst not the latest, has no known security holes and provides up-to-date anti-virus definitions. As such, it is up to Enrico as packager to make a decision, and he seems to have made one which is his prerogative. Nothing requires packagers to provide the latest version within a few weeks of it coming out.
I would agree with one exception; the recommendation of the developers of clamav.
    Well our sigmakers are publishing a lot of updates (which is a good thing) but only 5% of our users are running 0.9x which means no scripted updates and a lot of traffic for our mirrors. Many of them cannot cope with the current traffic.
    I urge everyone to upgrade to 0.90.1 .
We help cause a strain on their servers, and they urge everyone to upgrade.
(In reply to comment #23)
> Enrico's decision seems perfectly justifiable. The current Fedora package,
> whilst not the latest, has no known security holes and provides up-to-date
> anti-virus definitions. As such, it is up to Enrico as packager to make a
> decision, and he seems to have made one which is his prerogative. Nothing
> requires packagers to provide the latest version within a few weeks of it
> coming out.
That may be true. But given his reasoning and the upstream recommendations to upgrade, there is an intrinsic conflict here. If Enrico continues to avoid the burden of dealing with the relatively minor issues of the upgrade hurdle, then users will move to an alternative source for the application as I did. At that point, Enrico's work here, as much as we value his contribution to the community, becomes irrelevant.
Whether it be for FC6 or F7, he or someone else will need to deal with this if clamav is to be available as part of Fedora. One way or another, end-users will have to deal with the incompatibility issues, either via the assistance of the package maintainer or on their own.
If Enrico is under-informed of the options that are available relative to incorporating upgrade mechanisms in the RPM, then he can certainly ask for assistance from those with that expertise. I am not one of them, but as I noted in a comment above (#15), it only took me a few minutes to identify at least some possibilities.
This is Fedora after all, not Debian Stable. We do expect to be on the leading edge and we do expect bumps along the way.
> We do expect to be on the leading
> edge and we do expect bumps along the way.
Many of our users do not. Actually they even blame us for each of those "bumps".
Michael, then I would respectfully suggest that those users switch to a Linux distro with a less aggressive update schedule. As neither Fedora, nor Ubuntu for that matter, will be for them. If they want a more stable distro for the desktop or a server, where they can get support for long periods and where upgrades will be relatively painless, they need to look elsewhere. I have been using RH based distros since the late RH 8.0 betas and have never been under the false impression that the upgrade process would be painless. Less so with Fedora, which initially had projected and openly stated 2 to 3 major version upgrades per year. Fedora is not a ride for the meek...at least not for the foreseeable future.
I should note, for the record, and I stand corrected on this point by Jason and Jima on the FE e-mail list just now, that the latest version of clamav is present in the F7 Extras repo (presumably to be merged into the main repo at some point prior to release). So we will have that available to us as of the next release (for those waiting for the stable release of F7). Enrico, I think you could have saved yourself a great deal of anguish here if you would have announced that here, rather than leave the impression that you had no plans to upgrade beyond the version in FC6 at present. Needless to say, users will face the same incompatibility issues at that point, albeit in conjunction with a major Fedora version upgrade. I do appreciate your efforts on this, but would point out that communications are critical to managing the expectations of those who are using your 'product'. That goes for a voluntary community as much as in the case of a for-profit business.
(In reply to comment #27)
> Fedora is not a ride for the meek...at least not for the foreseeable future.
But fedora has grown since RH 8.0 (thanx a lot). We're using it for software development and need fairly recent versions of the relevant packages. Thus debian stable is not an option. On the other hand for ISVs software development is production, which means we cannot afford to find a broken system in the morning, just because some nightly update did not work.
Enrico, I think most people here did not really get your point (I hope I did): Adapting THE configuration for clamav would have taken about half a day max. The problem are the USER configurations in their homes, or - worse - anywhere else. Imagine the CTO comes back from a longer journey, three weeks after clamav was updated, and she wants to check her portable disk. How do you handle her 0.8x configuration when running the new clamav 0.9x? Building a clever wrapper which can cope with different config versions is more of a challenge, than updating one set of configs while doing the update.
So what I read from all above is:
1. 0.8x still works and gets sig updates, though it puts more load on the mirrors than necessary.
2. Upgrading the FC6-clamav without breaking existing configs, especially USER-configs, is a major hassle (and will only be done, if loads of dollars are involved ;)
3. There is a clamav 0.9x for FC7 in the extras repo.
4. FC7 is not too far away.
Excuse me clamav.net, but I will keep putting that load on your mirrors, until FC7 gets out. If s.o. really MUST have 0.9x, www.clamav.net has the info how to compile it yourself.
[ To use external repos may be dangerous. I stumbled into conflicts last time I tried. I tried to get something else from an external repo, but got parts of clamav from there as well, because the version was higher but the packaging was different. ]
Ok, to summarize my points: I want to prevent that after a nightly 'yum upgrade' all mails since 04:05 will be bounced due to the changed configuration syntax. There is no way for me to detect and change the used configuration files (which might be on a cfengine server or in NFS $HOME directories inaccessible to root). A wrapper or (better) forward-porting of the old config parser are options, but as long as 0.8x works, this has a very low priority for me.
Houston we have a problem. I have a file DSC00017.scr which is a file from 991944 submission to ClamAV and have been added as Trojan.Spambot-397 and Trojan.Downloader-5261. If I scan this file on Jotti's malware scan and VirusTotal websites it is properly recognised, but when I scan it with up-to-date (main.cvd 43, daily.cvd 3087) clamav-0.88.7-2.fc6 it gives me "DSC00017.scr: OK". So either there is something wrong with my ClamAV installation, or this virus isn't recognised by 0.88.7 version. I could provide this file for testing.
http://wiki.clamav.net/Main/UpgradeNotes090 The stability problems are solved in 0.90.1 according to upstream. As for the config files, IMHO, the RPM should just run updateclamconf on the config files in /etc, if someone puts config files for a system-wide daemon or a system-wide update tool out of /etc, that's their problem, they're on their own for fixing it.
Isn't there at least a way to allow for manual upgrade while disallowing automated upgrade (some alert to wake up unaware mail admins should be provided though)? Breaking a virus-checking mail server by automated updates is no good, but preventing to fix security holes (see e.g. release notes of 0.90.2) is even worse. I'd prefer not to break the dependency chain with amavisd rpms by compiling my own clamav. Is there any mechanism in yum-updatesd which allows to restrict an upgrade to manual?
Now the problem got worse as there seem to be security problems with the current clamav package (see CVE-2007-1745). I guess, this fix will be backported given the headaches the new configuration causes?
0.88.7-2 should not be vulnerable to the issues fixed by 0.90.2. CHM fd leak does not seem to be triggerable by attackers (happens only when an 'fdopen()' fails, and there is a test whether open(2) returns !0 instead of <0). 0.90.x executes other code which might lead to the fd leak. CAB scanning was disabled by the fix for CVE-2007-0897, and 0.88.7 does not contain code for PDF scanning overall.
OK, Enrico will not add updated clamav packages to Fedora Core Repos. Is there any *official* Repo that include current packages (current=0.91)? Where can I obtain instructions on how can update the compatible Fedora Core package from sources? If package maintainer does not add a current version to repos, at least he would write a document for people that want update compatible packages.
*** Bug 240531 has been marked as a duplicate of this bug. ***
Marie Henri Beyle, others: if you want new packages, upgrade to the newest Fedora release. F7 has (currently) 0.90.3, and Rawhide (the devel branch) has 0.91.1. If you can't upgrade your whole system right now, you could rebuild one of those packages.
Current version on ClamAV site is 0.91.2 and may fix some serious security holes. ClamAV bugs 608 and 614 are locked and one site is taking bids on proof of concept code for a remote execution exploit they claim works against 0.91.1. 0.91.2 is almost 3 months old. Even F7 may be vulnerable. Please make this a high severity.
(In reply to comment #39)
> Current version on ClamAV site is 0.91.2 and may fix some serious security
> holes. ClamAV bugs 608 and 614 are locked and one site is taking bids on
> proof of concept code for a remote execution exploit they claim works against
> 0.91.1. 0.91.2 is almost 3 months old. Even F7 may be vulnerable. Please make
> this a high severity.
Never mind. Was looking at an FC6 system I thought had already been upgraded to F7. F7 is current. Should still release for FC6, since it is now a security problem.
named bugs should be no issue for clamav-0.88.x. It does not have a PDF scanner nor the vulnerable blackhole milter-mode.
Here we go again in Fedora 8.
    --------------------- clam-update Begin ------------------------
    Last ClamAV update process started at Sun Dec 30 20:02:09 2007
    Last Status:
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.91.2 Recommended version: 0.92
    DON'T PANIC! Read http://www.clamav.net/support/faq
    main.inc is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
    Downloading daily-5300.cdiff [100%]
    Downloading daily-5301.cdiff [100%]
    Downloading daily-5302.cdiff [100%]
    Downloading daily-5303.cdiff [100%]
    Downloading daily-5304.cdiff [100%]
    daily.inc updated (version: 5304, sigs: 14622, f-level: 21, builder: ccordes)
    Database updated (184298 signatures) from db.us.clamav.net (IP: 65.110.48.11)
    ---------------------- clam-update End -------------------------
Fedora version needs to be updated to 8.
Worse. There's now a remote code execution exploit against 0.91.2 at Milw0rm.
Resolved now that update 0.92-6 has been released for Fedora 8.