From: Luca Gibelli <luca-AT-clamav.net>
To: clamav-announce-AT-lists.clamav.net
Subject: End of Life Announcement: ClamAV 0.94.x
Date: Tue, 6 Oct 2009 16:36:01 +0200

Dear ClamAV users,

all ClamAV releases older than 0.95 are affected by a bug in freshclam which prevents incremental updates from working with signatures longer than 980 bytes. You can find more details on this issue on our bugzilla: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1395

This bug affects our ability to distribute complex signatures (e.g. logical signatures) with incremental updates. So far we haven't released any signatures which exceed this limit. Before we do we want as many users as possible to upgrade to the latest version of ClamAV.

Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 - that is to say older than 1 year.

This move is needed to push more people to upgrade to 0.95. We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV. The traffic generated by a full CVD download, as opposed to an incremental update, cannot be sustained by our mirrors.

We plan to start releasing signatures which exceed the 980 bytes limit on May 2010.

We recommend that you always run the latest version of ClamAV to get optimal protection, reliability and performance.

This message will be sent every two months to remind you to upgrade all of your ClamAV installations in time.

Thanks for your cooperation,

Best regards

--
Luca Gibelli (luca _at_ clamav.net) ClamAV, a GPL anti-virus toolkit
[Tel] +39 0187 1851862 [Fax] +39 0187 1852252 [IM] nervous/jabber.linux.it
PGP key id 5EFC5582 @ any key-server || http://www.clamav.net/gpg/luca.gpg
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-a...

ClamAV 0.94.x and Ubuntu / Debian
Posted Oct 6, 2009 15:50 UTC (Tue) by rfunk (subscriber, #4054) [Link]
Similarly, the current stable Debian release has Clamav version "0.94.dfsg.2-1lenny2", though the
lenny-volatile repository has "0.95.1+dfsg-1~volatile1", and current Debian testing (and unstable)
has version "0.95.2+dfsg-4+b1". The next Debian stable is also likely to be out next spring, but
that's less firm than Ubuntu.
It will be interesting to see what happens when ClamAV on Ubuntu LTS servers gets disabled two
weeks before a new Ubuntu LTS release is available.
ClamAV 0.94.x and Ubuntu / Debian
Posted Oct 6, 2009 17:01 UTC (Tue) by proski (guest, #104) [Link]
Perhaps Ubuntu could provide a fixed version that's immune to the disabling update.
ClamAV 0.94.x and Ubuntu / Debian
Posted Oct 6, 2009 17:23 UTC (Tue) by foom (subscriber, #14868) [Link]
And what good is a virus checker without updated rules?
ClamAV 0.94.x and Ubuntu / Debian
Posted Oct 6, 2009 18:26 UTC (Tue) by proski (guest, #104) [Link]
It's a fact of life that some programs are not compatible with long time support releases. Antivirus software is a perfect example, as it has to deal with an evolving adversary.
ClamAV 0.94.x and Ubuntu / Debian
Posted Oct 8, 2009 13:47 UTC (Thu) by epa (subscriber, #39769) [Link]
In this case, the only meaningful way of providing long term support for an antivirus product is to keep it updated with the latest code and the latest virus definitions. To keep it frozen at an old (and therefore ineffective) version is not support at all.
ClamAV 0.94.x and Ubuntu / Debian
Posted Oct 6, 2009 18:38 UTC (Tue) by nybble41 (subscriber, #55106) [Link]
ClamAV 0.94.x and Ubuntu / Debian
Posted Oct 6, 2009 17:43 UTC (Tue) by jspaleta (subscriber, #50639) [Link]
So the remaining question here is.. how are people going to be notified that they need to enable backports and pull the 0.95 release? When 0.94 gets disabled are admins going to get a local log notification and will they know what to do about it? Hopefully Ubuntu can push these packages out of backports and into security or updates before the deadline so admins won't have to figure it out on their own.
-jef
ClamAV 0.94.x and Ubuntu / Debian
Posted Oct 7, 2009 19:09 UTC (Wed) by orev (subscriber, #50902) [Link]
ClamAV 0.94.x and Ubuntu / Debian
Posted Oct 7, 2009 19:19 UTC (Wed) by rfunk (subscriber, #4054) [Link]
ClamAV 0.94.x and Ubuntu / Debian
Posted Oct 12, 2009 2:21 UTC (Mon) by pabs (subscriber, #43278) [Link]
ClamAV 0.94.x end of life - with prejudice
Posted Oct 6, 2009 16:06 UTC (Tue) by yokem_55 (subscriber, #10498) [Link]
ClamAV 0.94.x end of life - with prejudice
Posted Oct 6, 2009 17:00 UTC (Tue) by moxfyre (guest, #13847) [Link]
Does anyone here have some raised eyebrows over the fact that a piece of Free Software is providing a data file update which contains some magic bits that disables the use of said software? I'm not questioning the intentions of the ClamAV folks, but isn't this over the top?
Well, as you said: it is free software/open source. There's nothing that would prevent you from patching the old engine to work with the new virus definition update files... even though that would be pretty pointless :-p
It seems the goal of the ClamAV devs is to counteract apathy on the part of users who haven't bothered to upgrade to the newer, better engine. Evidently, they've decided that having old versions still in use is sufficiently harmful to security that they should do everything possible to encourage/force an upgrade.
But again, if there are some disgruntled die-hard 0.94.x users, they can patch or fork. However, as I said above, there's no good reason to!
ClamAV 0.94.x end of life - with prejudice
Posted Oct 7, 2009 19:11 UTC (Wed) by orev (subscriber, #50902) [Link]
ClamAV 0.94.x end of life - with prejudice
Posted Oct 20, 2009 10:55 UTC (Tue) by robbe (subscriber, #16131) [Link]
ClamAV 0.94.x end of life - with prejudice
Posted Jul 30, 2010 17:27 UTC (Fri) by moxfyre (guest, #13847) [Link]
It seems to me that their commitment to "stability" is part of the security problem, and not a solution to it.
ClamAV 0.94.x end of life - with prejudice
Posted Oct 6, 2009 18:54 UTC (Tue) by clugstj (subscriber, #4020) [Link]
ClamAV 0.94.x end of life - with prejudice
Posted Oct 6, 2009 19:04 UTC (Tue) by dskoll (subscriber, #1630) [Link]
ClamAV 0.94.x end of life - with prejudice
Posted Oct 9, 2009 11:41 UTC (Fri) by addw (guest, #1771) [Link]
Distros tend to be conservative on installing new versions of s/ware since things can break; that doesn't seem to be the case here - so why the fuss?
My CentOS box is already on 0.95.2, quite when it happened I don't know, I just pull updates automatically from Dag's archive -- nothing broke that I can recall.
Summary: fuss over nothing.
ClamAV 0.94.x end of life - with prejudice
Posted Oct 9, 2009 22:39 UTC (Fri) by nix (subscriber, #2304) [Link]
In practice I suspect the number of installations affected numbers in the
tens, if that :)
Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds