Bug 236818 - security/clamav: Update to 0.101.2.
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Steve Wills
Keywords: security
Duplicates: 238428
Depends on: 236816
Reported: 2019-03-27 03:27 UTC by Yasuhiro KIMURA
Modified: 2019-08-01 11:48 UTC

See Also:
yasu: merge-quarterly?

Patch file (1.65 KB, patch)
2019-03-27 03:27 UTC, Yasuhiro KIMURA
yasu: maintainer-approval+

Description Yasuhiro KIMURA 2019-03-27 03:27:00 UTC
Created attachment 203176
Patch file

Update to 0.101.2.

* CVE-2019-1785
* CVE-2019-1786
* CVE-2019-1787
* CVE-2019-1788
* CVE-2019-1789
* CVE-2019-1798
Bug #236816 describes the above vulnerabilities, so please commit them together.
Comment 1 cgreen 2019-04-10 17:12:28 UTC
ClamAV 0.101.2, the version fixing the security issues listed above, has been available for download for two weeks now, and the patch on this page was added only the day after that.

The bug describing the vulnerabilities was closed days ago, and the box I updated manually to this version seems to be running fine.

Is there any reason this updated version hasn't yet been pushed into the ports tree?
Comment 2 commit-hook freebsd_committer 2019-04-11 00:56:56 UTC
A commit references this bug:

Author: swills
Date: Thu Apr 11 00:56:13 UTC 2019
New revision: 498628
URL: https://svnweb.freebsd.org/changeset/ports/498628

  security/clamav: Update to 0.101.2

  PR:		236818
  Submitted by:	Yasuhiro KIMURA <yasu@utahime.org> (maintainer)

Comment 3 Steve Wills freebsd_committer 2019-04-11 00:57:20 UTC
Committed, thanks!
Comment 4 philk 2019-06-01 03:37:42 UTC
Definitely not committed.

The version in the pkg repository is still 0.101.1,1

# pkg search clamav
clamav-0.101.1,1               Command line virus scanner written entirely in C

This has been known vulnerable for 2 months.
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2019-06-12 13:35:46 UTC
*** Bug 238428 has been marked as a duplicate of this bug. ***
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2019-06-12 13:36:33 UTC
Re-open for MFH
Comment 7 Dan McGrath 2019-06-14 14:10:44 UTC
Any chance of this fix getting ported to 2019Q2 soonish? Asking for a friend. :)
Comment 8 Yasuhiro KIMURA 2019-08-01 11:48:14 UTC
The latest version (0.101.2) is already in the latest quarterly branch (2019Q3).