Package: libclamav1
Severity: important
Tags: sarge

(Please read the thread below for more details.)

The version of clamav currently in sarge has a bug in the digest handling that can lead to an infinite loop. This was initially reported in bug 299469. (The bug has been fixed in version 0.83.84rc1-1 which is currently in sid.)

Normally I would just reopen that bug and tag it sarge, but as that bug has an example problem message attached, when the bug is closed the problem message would be sent again and anyone who hasn't upgraded would once again have problems. As such I'm creating a new bug to track the status of this in sarge. (Sorry to handle this in a non-standard way, but I believe the thread below explains why this is needed.)

----------------
Thanks
Jefferson Cowart
[EMAIL PROTECTED]

> -----Original Message-----
> From: Stephen Gran [mailto:[EMAIL PROTECTED]
> Sent: Sunday, April 10, 2005 11:13
> To: Jefferson Cowart
> Subject: Re: Bug 299469
>
> On Sun, Apr 10, 2005 at 10:46:11AM -0700, Jefferson Cowart said:
> > I'm one of the people who has been bit by the bug in 299469 (twice now -
> > Once on bug open and once on bug close). Since that bug is still present in
> > Sarge and (at least on my system) can lead to a DOS against the mail server,
> > I want to make sure it gets fixed in sarge. Normally I would simply re-open
> > the bug report and then tag the bug as sarge. However if I do that when the
> > bug is closed I'm worried that I will once again get the problem e-mail and
> > again have problems with my mail server until I manually remove the message.
> > Do you have any suggestions on tracking that bug to ensure sarge gets a
> > fixed version?
>
> Hmm. That's a good point. I guess the simplest is to just open a new
> bug, priority normal and tagged sarge, that says that the digest handling
> bug is still present in sarge. That way it can be tracked manually, and
> it won't have any of the problems of the old bug report. I normally
> wouldn't want to handle it this way (it seems counter intuitive, at
> least) but it seems the cleanest way to avoid the potential for
> problems.
>
> You can also grab the latest version from p.d.o/~sgran, although
> upstream has not yet labeled the version stable. I am running it here
> without any problems so far, but for Debian, I am a little more
> conservative.
>
> Take care,
> --
> --------------------------------------------------------------------------
> |  Stephen Gran                  | Genius doesn't work on an assembly line |
> |  [EMAIL PROTECTED]             | basis.  You can't simply say, "Today I  |
> |  http://www.lobefin.net/~steve | will be brilliant."   -- Kirk, "The     |
> |                                | Ultimate Computer", stardate 4731.3     |
> --------------------------------------------------------------------------