Re: ClamAV security update

From: Roger Marquis <>
Date: Fri, 20 May 2022 12:49:47 UTC
Thank you Florian!  If there are any policy changes that can be made to
prevent this sort of issue (critical vulnerabilities not getting patches
or not showing up in vuln.xml for days or weeks after a CVE and/or
update) please do recommend them to, well, who does set ports/security
management policies?

Roger Marquis

> On 19.05.22 09:30, Andrea Venturoli wrote:
>> Hello.
>> I see Clamav 0.105.0, 0.104.3 and 0.103.6 were released on May 5th, the 
>> latter two closing "several CVE fixes".
>> However, the port was not updated and not even portaudit entries were 
>> added.
>> Was this overlooked?
>> Are the FreeBSD ports somehow not affected?
> I created a patch and PR a week ago. I was waiting for the maintainer 
> timeout. After discussing with bapt I went ahead and committed the update 
> without approval of the maintainer.
> IMHO, security fixes should be specifically mentioned in the blanket section.
> Florian