
[clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box
Hi,

I am using the docker tag clamav/clamav:0.104.2. Could you please help to get it fixed. We can't deploy this upgrade at the moment.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42382

Thanks
Jaspal Sandhu
Roberthalf

Re: [clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box
Hi Jaspal,

My apologies for the late reply. Thank you for raising this to our attention. In the future, please consider submitting an issue via https://github.com/Cisco-Talos/clamav/issues/new/choose to get our attention.

My team is new to maintaining images on Docker Hub. We hadn't yet identified the best practices for how to publish an image for the same ClamAV version with a new base image. After a little investigation, I settled on this scheme.

I have published these newly built images based on the latest Alpine Linux image (3.15.0):

* clamav/clamav:0.104.2-2_base
* clamav/clamav:0.104.2-2

The previous images remain accessible under "clamav/clamav:0.104.2_base" and "clamav/clamav:0.104.2" tags.
If we must do this again before the next patch version, the next image tags would be "0.104.2-3_base" and "0.104.2-3".
Note: the hashes for the image tags without the "_base" suffix change frequently because we update them with newer signature databases.

I also updated the following tags so that people using them can simply "pull" to get the newer image:

* clamav/clamav:stable_base == clamav/clamav:latest_base == clamav/clamav:0.104_base == clamav/clamav:0.104.2-2_base
* clamav/clamav:stable == clamav/clamav:latest == clamav/clamav:0.104 == clamav/clamav:0.104.2-2

Regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Sandhu, Jaspal (HQP) via clamav-users <clamav-users@lists.clamav.net>
Sent: Tuesday, January 25, 2022 2:05 PM
To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
Cc: Sandhu, Jaspal (HQP) <jaspal.sandhu@roberthalf.com>
Subject: [clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box

Re: [clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box
> My team is new to maintaining images on Docker Hub. We hadn't yet
> identified the best practices for how to publish an image for the same
> ClamAV version with a new base image. After a little investigation, I
> settled on this scheme.
>
I can see ;)

This is of course crap.

# Wait forever (or until canceled)
exec tail -f "/dev/null"

The goal of the entrypoint.sh exec is that if it terminates the OC can take proper action, e.g. restart the task. In your case clamd can crash and no action will be taken, because the OC monitors a useless tail?????



_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
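As an added example (not the project's own entrypoint.sh, nor Marc's code), here is a supervising entrypoint for the problem described above: instead of `exec tail -f /dev/null`, the script exits with the status of whichever daemon dies first, so the orchestrator sees the failure and can restart the task. The FIFO path, the `--run` guard and the function names are assumptions; `clamd --foreground` and `freshclam --daemon --foreground` are the daemons' standard foreground options.

```shell
#!/bin/sh
# Added example, not the ClamAV project's own entrypoint.sh. Instead of
# "exec tail -f /dev/null", which keeps PID 1 alive after clamd has died,
# exit with the status of the first daemon that dies so the orchestrator
# notices and can restart the task.
STATUS_FIFO=${STATUS_FIFO:-/run/clamav/entrypoint.status}   # assumed path
SUPERVISED_PIDS=""

# Create the status FIFO and hold it open read-write on fd 3: writers then
# never block and the reader never hits EOF.
start_supervisor() {
    [ -p "$STATUS_FIFO" ] || mkfifo "$STATUS_FIFO"
    exec 3<>"$STATUS_FIFO"
}
# supervise NAME CMD...: run CMD in the background and report "NAME STATUS"
# on the FIFO when it exits; a TERM sent to the wrapper is forwarded to CMD.
supervise() {
    name=$1; shift
    (
        "$@" &
        child=$!
        trap 'kill -TERM "$child" 2>/dev/null || true' TERM INT
        wait "$child" && status=0 || status=$?
        echo "$name $status" > "$STATUS_FIFO"
    ) &
    SUPERVISED_PIDS="$SUPERVISED_PIDS $!"
}
# Block until the first supervised process exits; sets FIRST_NAME and FIRST_STATUS.
wait_first_exit() {
    read -r FIRST_NAME FIRST_STATUS <&3
}
# Terminate whatever is still running and reap it.
stop_all() {
    kill -TERM $SUPERVISED_PIDS 2>/dev/null || true
    wait
}
run_entrypoint() {
    start_supervisor
    supervise freshclam freshclam --daemon --foreground
    supervise clamd clamd --foreground
    trap 'stop_all; exit 143' TERM INT  # forward the orchestrator's stop signal
    wait_first_exit
    echo "entrypoint: $FIRST_NAME exited with status $FIRST_STATUS; stopping" >&2
    stop_all
    exit "$FIRST_STATUS"                # non-zero here is what triggers a restart
}
# Start the real daemons only when invoked as "entrypoint.sh --run".
case ${1:-} in --run) run_entrypoint ;; esac
```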
Re: [clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box
>
> My team is new to maintaining images on Docker Hub. We hadn't yet
> identified the best practices for how to publish an image for the same
> ClamAV version with a new base image. After a little investigation, I
> settled on this scheme.
>

Maybe it is time to allow environment variables in the config files?


# Build clamd.conf, freshclam.conf and clamav-milter.conf from the shipped
# *.conf.sample files: comment out the "Example" guard line, then set each
# parameter in turn.
sed -e "s|^\(Example\)|\# \1|" \
    -e "s|.*\(PidFile\) .*|\1 /run/lock/clamd.pid|" \
    -e "s|.*\(LocalSocket\) .*|\1 /run/clamav/clamd.sock|" \
    -e "s|.*\(TCPSocket\) .*|\1 3310|" \
    -e "s|.*\(TCPAddr\) .*|\1 0.0.0.0|" \
    -e "s|.*\(User\) .*|\1 clamav|" \
    -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/clamd.log|" \
    -e "s|^\#\(LogTime\).*|\1 yes|" \
    "/clamav/etc/clamav/clamd.conf.sample" > "/clamav/etc/clamav/clamd.conf" && \
sed -e "s|^\(Example\)|\# \1|" \
    -e "s|.*\(PidFile\) .*|\1 /run/lock/freshclam.pid|" \
    -e "s|.*\(DatabaseOwner\) .*|\1 clamav|" \
    -e "s|^\#\(UpdateLogFile\) .*|\1 /var/log/clamav/freshclam.log|" \
    -e "s|^\#\(NotifyClamd\).*|\1 /etc/clamav/clamd.conf|" \
    -e "s|^\#\(ScriptedUpdates\).*|\1 yes|" \
    "/clamav/etc/clamav/freshclam.conf.sample" > "/clamav/etc/clamav/freshclam.conf" && \
sed -e "s|^\(Example\)|\# \1|" \
    -e "s|.*\(PidFile\) .*|\1 /run/lock/clamav-milter.pid|" \
    -e "s|.*\(MilterSocket\) .*|\1 inet:7357|" \
    -e "s|.*\(User\) .*|\1 clamav|" \
    -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/milter.log|" \
    -e "s|^\#\(LogTime\).*|\1 yes|" \
    -e "s|.*\(ClamdSocket\) .*|\1 unix:/run/clamav/clamd.sock|" \
    "/clamav/etc/clamav/clamav-milter.conf.sample" > "/clamav/etc/clamav/clamav-milter.conf" || \

Re: [clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box
On Sun, 2022-02-13 at 13:10 +0000, Marc wrote:
> >
> > My team is new to maintaining images on Docker Hub. We hadn't yet
> > identified the best practices for how to publish an image for the
> > same ClamAV version with a new base image. After a little investigation,
> > I settled on this scheme.
> >
>
> Maybe it is time to allow environment variables in the config files?
>

Then you'll need a file that's just as long, but setting environment
variables instead of config parameters =)

But there is room for improvement here. The build system knows the
correct values for many of those config file parameters. It should
substitute in the ones it knows (like the clamav user, "/run" path,
etc.). For bonus points it could default to syslog which exists
precisely so that you don't have to configure logging manually in each
daemon.



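An added example (not the project's Dockerfile and not Marc's code) covering both the sed chain Marc quoted and the reply above: a POSIX shell renderer that turns a *.conf.sample into a working config from KEY=VALUE pairs, so the values the build knows (user, /run paths) are set in one place and a deployment can override the rest through environment variables. The CLAMD_* variable names and the function names are assumptions; the awk pass handles active, commented-out and missing keys, which the one-line sed substitutions do not.

```shell
#!/bin/sh
# Added example, not ClamAV's Dockerfile. It generalises the sed chain quoted
# in the thread: render a daemon config from its *.conf.sample, disable the
# "Example" guard and apply KEY=VALUE settings, taken here from the environment
# so a deployment can override them without building a new image.

# render_conf SAMPLE OUT KEY=VALUE...: comment out the "Example" line, then for
# each KEY replace active ("Key old") or commented ("#Key old") lines with
# "Key VALUE"; a key the sample never mentions is appended.
render_conf() {
    sample=$1; out=$2; shift 2
    sed 's/^Example$/# Example/' "$sample" > "$out"
    for kv in "$@"; do
        awk -v key="${kv%%=*}" -v value="${kv#*=}" '
            { line = $0; sub(/^#/, "", line); split(line, f, /[ \t]+/) }
            f[1] == key { if (!done) print key, value; done = 1; next }
            { print }
            END { if (!done) print key, value }
        ' "$out" > "$out.tmp" && mv "$out.tmp" "$out"
    done
}

# conf_value FILE KEY: print the active value of KEY (empty if unset or commented).
conf_value() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Container-side use: settings come from CLAMD_* environment variables (names
# assumed here), with the Dockerfile's values as defaults.
render_clamd_conf() {
    render_conf "$1" "$2" \
        "LogFile=${CLAMD_LOGFILE:-/var/log/clamav/clamd.log}" \
        "LogTime=yes" \
        "PidFile=/run/lock/clamd.pid" \
        "LocalSocket=/run/clamav/clamd.sock" \
        "TCPSocket=${CLAMD_TCPSOCKET:-3310}" \
        "TCPAddr=${CLAMD_TCPADDR:-0.0.0.0}" \
        "User=clamav"
}
```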
Re: [clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box
On Sun, Feb 13, 2022 at 2:11 PM Marc <Marc@f1-outsourcing.eu> wrote:
>
...
>
> Maybe it is time to allow environment variables in the config files?
>
> sed -e "s|^\(Example\)|\# \1|" \
> -e "s|.*\(PidFile\) .*|\1 /run/lock/clamd.pid|" \

Maybe it is time for a `sed` script file? :-)
sed -f my_favorite_sed_commands.txt

Re: [clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box
Please don't hijack a thread to report a bug or request an improvement. A new thread for a new discussion topic is always great.

Please also be careful in your phrasing. ClamAV's docker support was 99% the work of a kind-hearted community member. Mocking the current design isn't helpful. I do see what you're talking about. I'm sure there is room for improvement.

If you know there is a bug, please report the issue at https://github.com/Cisco-Talos/clamav/issues/new/choose
If you have a proposed solution for the issue, it's still good to make the issue and submit your solution in a pull-request.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: Marc <Marc@f1-outsourcing.eu>
Sent: Sunday, February 13, 2022 5:02 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Micah Snyder (micasnyd) <micasnyd@cisco.com>; Sandhu, Jaspal (HQP) <jaspal.sandhu@roberthalf.com>
Subject: RE: CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box

Re: [clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box
Hi Micah,

I will use https://github.com/Cisco-Talos/clamav/issues/new/choose.

There was no intention of mocking. It was simply to let you know that we
saw the vulnerabilities in busybox and pulled back from that image.

We have successfully upgraded clamav. It is an awesome product.

Nowadays, it is good to be extra cautious.

Again, thanks for your support.

Thanks,

Jaspal Sandhu
Roberthalf

On Thu, Feb 17, 2022 at 11:52 AM Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net> wrote:

> Please don't hijack a thread to report a bug or request an improvement. A
> new thread for new discussion topic is always great.
>
Re: [clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box
Jaspal,

I think Micah was replying to Marc.
Your email etiquette was great.

On Fri, 18 Feb 2022, Jaspal Singh Sandhu via clamav-users wrote:

> Hi Micah,
>
> I will use https://github.com/Cisco-Talos/clamav/issues/new/choose.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
