Mailing List Archive

Re: ClamAV® blog: ClamAV 0.103.2 security patch release
Quoting "Joel Esler (jesler) via clamav-users"
<clamav-users@lists.clamav.net>:

It seems the package is now signed with a different PGP key. Is there
a location from where I can directly download the public key, rather
than copying it from the webpage?

Best regards, Arjen


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: ClamAV® blog: ClamAV 0.103.2 security patch release [ In reply to ]
It’s available on the webpage.

> On Apr 7, 2021, at 4:29 PM, Arjen de Korte via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Quoting "Joel Esler (jesler) via clamav-users" <clamav-users@lists.clamav.net>:
>
> It seems the package is now signed with a different PGP key. Is there a location from where I can directly download the public key, rather than copying it from the webpage?
>
> Best regards, Arjen
Re: ClamAV® blog: ClamAV 0.103.2 security patch release [ In reply to ]
Quoting "Joel Esler (jesler) via clamav-users"
<clamav-users@lists.clamav.net>:

> It’s available on the webpage.

I already wrote that I know it is available from the website. I need
to update the stored keyring in openSUSE Factory, which needs a
backlink to the origin. Rather than downloading
https://www.clamav.net/downloads and trimming the HTML code, a
straight download link for the keyfile would make it easier to verify
it.

Re: ClamAV® blog: ClamAV 0.103.2 security patch release [ In reply to ]
We’ll look into that for a future update.

Sent from my iPhone

> On Apr 7, 2021, at 16:58, Arjen de Korte via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Quoting "Joel Esler (jesler) via clamav-users" <clamav-users@lists.clamav.net>:
>
>> It’s available on the webpage.
>
> I already wrote that I know it is available from the website. I need to update the stored keyring in openSUSE Factory, which needs a backlink to the origin. Rather than downloading https://www.clamav.net/downloads and trimming the HTML code, a straight download link for the keyfile would make it easier to verify it.
Re: ClamAV® blog: ClamAV 0.103.2 security patch release [ In reply to ]
On Wednesday 07 April 2021, Joel Esler (jesler) via clamav-users wrote:

> CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. Affects 0.103.0 and 0.103.1 only.
>
> CVE-2021-1405: Fix for mail parser NULL-dereference crash. Affects 0.103.1 and prior.

It seems you got the CVE descriptions mixed up: 1405 is about PDF (and in NEWS.md).

--
Regards,
Sergey

Re: ClamAV® blog: ClamAV 0.103.2 security patch release [ In reply to ]
Thanks for pointing that out. We’ve corrected it with MITRE, but obviously, we can’t correct the NEWS.md for now.


Sent from my iPad

> On Apr 10, 2021, at 08:14, Sergey <a_s_y@sama.ru> wrote:
>
> On Wednesday 07 April 2021, Joel Esler (jesler) via clamav-users wrote:
>
>> CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. Affects 0.103.0 and 0.103.1 only.
>>
>> CVE-2021-1405: Fix for mail parser NULL-dereference crash. Affects 0.103.1 and prior.
>
> It seems you got the CVE descriptions mixed up: 1405 is about PDF (and in NEWS.md).
>
> --
> Regards,
> Sergey
Re: ClamAV® blog: ClamAV 0.103.2 security patch release [ In reply to ]
Joel,

You can add a direct link to the PGP key now as this is completely independent
of the released packages.

Better yet would be to
1) Sign the new key with the old one (which doesn't actually expire until Monday)
2) Get other (public domain) software people to sign your key.
This assumes that you can get the key to them and the signature back
in a way that satisfies both of you that they really came from the person
they claim to be ...

3) Put the key (presumably with the signatures above)
on some of the public keyservers, e.g.
https://pgp.mit.edu/
https://keyserver.ubuntu.com/

If a software package is signed with an unsigned key and the key and
the package are put on the same webserver there is no advantage to users
over just giving an MD5 or SHA checksum - we have no way of measuring
the trust in the key.
By getting other known parties (including the old key's owner)
to sign the new key, we have some idea that the new key can be trusted
and was not put up by a malicious webmaster - possibly of a spoof website.

Thanks,

On Wed, 7 Apr 2021, Joel Esler (jesler) via clamav-users wrote:

> We’ll look into that for a future update.
>
> Sent from my iPhone

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
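The check Andrew's steps imply for a packager, as an added example that is not part of the thread or of ClamAV's own tooling: confirm that the new signing key carries a good certification from the old, already-trusted key, and that the release signature verifies against the new key specifically. The old key, new key and release file are constructed stand-ins generated in a throwaway keyring; gpg 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: the check a packager runs when a project
# rolls over its release-signing key. All keys and the release file below are
# constructed stand-ins, created in a throwaway keyring (never the real one).
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is required" >&2; exit 1; }
GNUPGHOME=$(mktemp -d); export GNUPGHOME

# gpg with the options that make it non-interactive for this demo.
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint of the key whose user id matches $1.
fpr_of() { g --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Returns 0 only if key $1 carries a good certification from key $2.
# --check-sigs with --with-colons: field 2 is "!" for a verified signature,
# field 5 is the certifying key's long key id (last 16 hex digits of its fpr).
signed_by() {
    kid=$(printf '%s' "$2" | tail -c 16)
    g --with-colons --check-sigs "$1" 2>/dev/null |
      awk -F: -v k="$kid" '$1=="sig" && $2=="!" && $5==k {ok=1} END {exit !ok}'
}

# Returns 0 only if $1 is a good detached signature over $2 made by key $3.
# A good signature from any other key is rejected: the signature must chain
# to the key you decided to trust, not merely to some key gpg knows about.
verified_by() {
    g --status-fd 1 --verify "$1" "$2" 2>/dev/null |
      grep '^\[GNUPG:\] VALIDSIG ' | grep -q "$3"
}

# Constructed keys: "old" stands for the key already in the trusted keyring,
# "new" for the key the next release is signed with.
g --quick-generate-key "Old signer (constructed) <old@example.invalid>" default default never
g --quick-generate-key "New signer (constructed) <new@example.invalid>" default default never
OLD=$(fpr_of old@example.invalid)
NEW=$(fpr_of new@example.invalid)

# Step 1 from the thread: the old key certifies the new one.
g -u "$OLD" --quick-sign-key "$NEW"

# A constructed release, signed with the new key as a real release would be.
printf 'constructed release contents\n' > "$GNUPGHOME/release.tar"
g -u "$NEW" --detach-sign -o "$GNUPGHOME/release.tar.sig" "$GNUPGHOME/release.tar"

# What to check before replacing the stored key and trusting the file.
signed_by "$NEW" "$OLD" && echo "new key is certified by the old key"
verified_by "$GNUPGHOME/release.tar.sig" "$GNUPGHOME/release.tar" "$NEW" && echo "release is signed by the new key"
```

For a real rollover, the old fingerprint comes from the keyring you already trust and the new key from the project's download page or a keyserver, never from the same untrusted fetch as the package.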

Re: ClamAV® blog: ClamAV 0.103.2 security patch release [ In reply to ]
I understand the request. The new key is signed with the old key already.

> On Apr 14, 2021, at 9:42 AM, Andrew C Aitchison <clamav@aitchison.me.uk> wrote:
>
>
> Joel,
>
> You can add a direct link to the PGP key now as this is completely independent
> of the released packages.
>
> Better yet would be to
> 1) Sign the new key with the old one (which doesn't actually expire until Monday)