• Clamav security patch

    From Andrea Venturoli@ml@netfence.it to muc.lists.freebsd.ports on Fri Mar 13 16:17:51 2026
    From Newsgroup: muc.lists.freebsd.ports

    Hello.

    I know these ports are currently without a maintainer.
    However, they are apparently vulnerable, as a security release was
    published 9 days ago:
    https://blog.clamav.net/2026/03/clamav-152-and-144-security-patch.html

    Is anyone already working on this update?

    bye & Thanks
    av.


    --
    Posted automagically by a mail2news gateway at muc.de e.V.
    Please direct questions, flames, donations, etc. to news-admin@muc.de
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Ronald Klop@ronald-lists@klop.ws to muc.lists.freebsd.ports on Fri Mar 13 17:07:07 2026
    From Newsgroup: muc.lists.freebsd.ports

    From: Andrea Venturoli <ml@netfence.it>
    Date: Friday, 13 March 2026 16:17
    To: ports@FreeBSD.org
    Subject: Clamav security patch

    > Hello.
    >
    > I know these ports are currently without a maintainer.
    > However, they are apparently vulnerable, as a security release was published 9 days ago:
    > https://blog.clamav.net/2026/03/clamav-152-and-144-security-patch.html
    >
    > Is anyone already working on this update?
    >
    > bye & Thanks
    > av.

    Started a test build in local Poudriere with a naive version bump of the clamav and clamav-lts.
    Let's see what happens.
    No promises.

    Did you already test the new versions?

    Regards,
    Ronald.

  • From Ronald Klop@ronald-lists@klop.ws to muc.lists.freebsd.ports on Fri Mar 13 20:44:47 2026
    From Newsgroup: muc.lists.freebsd.ports

    From: Andrea Venturoli <ml@netfence.it>
    Date: 13 March 2026 17:11
    To: Ronald Klop <ronald-lists@klop.ws>
    CC: ports@FreeBSD.org
    Subject: Re: Clamav security patch

    > On 3/13/26 17:07, Ronald Klop wrote:
    >
    >> Started a test build in local Poudriere with a naive version bump of the clamav and clamav-lts.
    >> Let's see what happens.
    >> No promises.
    >>
    >> Did you already test the new versions?
    >
    > No.
    > I was about to do what you did, but thought I'd ask before, in case others were already doing it :)
    >
    > bye & Thanks
    > av.

    It builds but packaging fails. I don’t have time this weekend to look into this further.

    Regards,
    Ronald

  • From freebsd@freebsd@oldach.net (Helge Oldach) to muc.lists.freebsd.ports on Sun Mar 15 11:41:45 2026
    From Newsgroup: muc.lists.freebsd.ports

    Kurt Jaeger (pi@freebsd.org) wrote on Pi Day 2026 09:39:53 +0100 (CET):
    It builds but packaging fails. I don't have time this weekend to look into
    this further.

    @work

    done

    Kindly apply to clamav-lts as well (probably requires straight-forward update to 1.4.4). Thanks.

    Kind regards
    Helge


  • From Kurt Jaeger@pi@freebsd.org to muc.lists.freebsd.ports on Sun Mar 15 14:20:41 2026
    From Newsgroup: muc.lists.freebsd.ports

    Hi!

    Kurt Jaeger (pi@freebsd.org) wrote on Pi Day 2026 09:39:53 +0100 (CET):
    It builds but packaging fails. I don't have time this weekend to look into
    this further.

    @work

    done

    Kindly apply to clamav-lts as well (probably requires straight-forward update to 1.4.4). Thanks.

    What's the reason for having 1.4.4 besides 1.5.2 ?

    Is there really that much of a difference ?
    --
    pi@FreeBSD.org +49 171 3101372 Now what ?


  • From freebsd@freebsd@oldach.net (Helge Oldach) to muc.lists.freebsd.ports on Sun Mar 15 14:39:06 2026
    From Newsgroup: muc.lists.freebsd.ports

    Kurt Jaeger wrote on Sun, 15 Mar 2026 14:20:41 +0100 (CET):
    Kurt Jaeger (pi@freebsd.org) wrote on Pi Day 2026 09:39:53 +0100 (CET):
    It builds but packaging fails. I don't have time this weekend to look into
    this further.

    @work

    done

    Kindly apply to clamav-lts as well (probably requires straight-forward update to 1.4.4). Thanks.

    What's the reason for having 1.4.4 besides 1.5.2 ?

    Is there really that much of a difference ?

    Vendor provides both feature (1.5.2) and LTS (1.4.4) releases. https://docs.clamav.net/faq/faq-eol.html

    It appears we are following suit: In our terms, the feature release is security/clamav (updated yesterday to 1.5.2) and the LTS release is security/clamav-lts (still at 1.4.3).

    CVE-2026-20031 is fixed in both 1.5.2 and 1.4.4: https://blog.clamav.net/2026/03/clamav-152-and-144-security-patch.html

    I have no opinion about keeping or dropping clamav-lts but since we have it I suggest to fix CVE-2026-20031 likewise, which means 1.4.3 -> 1.4.4.

    Kind regards
    Helge


  • From Kurt Jaeger@pi@freebsd.org to muc.lists.freebsd.ports on Sun Mar 15 14:55:18 2026
    From Newsgroup: muc.lists.freebsd.ports

    Hi!

    What's the reason for having 1.4.4 besides 1.5.2 ?

    Is there really that much of a difference ?

    Vendor provides both feature (1.5.2) and LTS (1.4.4) releases. https://docs.clamav.net/faq/faq-eol.html

    It appears we are following suit: In our terms, the feature release is security/clamav (updated yesterday to 1.5.2) and the LTS release is security/clamav-lts (still at 1.4.3).

    CVE-2026-20031 is fixed in both 1.5.2 and 1.4.4: https://blog.clamav.net/2026/03/clamav-152-and-144-security-patch.html

    I have no opinion about keeping or dropping clamav-lts but since we have it I suggest to fix CVE-2026-20031 likewise, which means 1.4.3 -> 1.4.4.

    Done.
    --
    pi@FreeBSD.org +49 171 3101372 Now what ?


  • From freebsd@freebsd@oldach.net (Helge Oldach) to muc.lists.freebsd.ports on Sun Mar 15 15:21:46 2026
    From Newsgroup: muc.lists.freebsd.ports

    Kurt Jaeger wrote on Sun, 15 Mar 2026 14:55:18 +0100 (CET):
    Hi!

    What's the reason for having 1.4.4 besides 1.5.2 ?

    Is there really that much of a difference ?

    Vendor provides both feature (1.5.2) and LTS (1.4.4) releases. https://docs.clamav.net/faq/faq-eol.html

    It appears we are following suit: In our terms, the feature release is security/clamav (updated yesterday to 1.5.2) and the LTS release is security/clamav-lts (still at 1.4.3).

    CVE-2026-20031 is fixed in both 1.5.2 and 1.4.4: https://blog.clamav.net/2026/03/clamav-152-and-144-security-patch.html

    I have no opinion about keeping or dropping clamav-lts but since we have it I suggest to fix CVE-2026-20031 likewise, which means 1.4.3 -> 1.4.4.

    Done.

    Thanks!

    Kind regards
    Helge

