Ubuntu - more problems with security updates
Ubuntu users who use the Universe or Multiverse repositories can no longer be sure of the security of their system. An update for a critical vulnerability in the ClamAV virus scanner has apparently simply been forgotten. Only after heise Security filed a bug report, three weeks after the update had been released for Debian, Fedora and Suse Linux, was the update produced, one week later. Questions about this sent to the security contact address have so far received no response. In addition, the fix was assigned an urgency of "low", even though an attacker could under certain circumstances exploit the vulnerability to inject arbitrary malicious code via the internet, something which prompted Debian, for example, to set it to "high".
In Ubuntu, ClamAV is part of the Universe repository, which is deactivated by default. The blame for the delayed update should therefore not necessarily be laid at the door of Ubuntu distributor Canonical. The company specifically states in the /etc/apt/sources.list configuration file that the Universe and Multiverse repositories are not fully supported with security updates. Nevertheless, a considerable proportion of Ubuntu users make use of the Universe repository, as some packages, in particular those for playing multimedia content, are only found there. And once this entry has been activated, it is difficult to determine at a later date which repository a new package originates from, and for which installed programs punctual updates can be expected and for which they cannot.
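One way to audit where installed packages come from, as an added example that is not part of the original article: the parser below reads `apt-cache policy` output and reports packages whose installed version (the block marked `***`) is served only from Universe or Multiverse. The sample output, the package names `examplepkg` and `localpkg`, and all version numbers are constructed for illustration.

```python
import re

# Constructed sample of `apt-cache policy <packages>` output (not from a real system).
SAMPLE_POLICY = """\
clamav:
  Installed: 1.0-1
  Candidate: 1.0-2
  Version table:
     1.0-2 0
        500 http://security.ubuntu.com/ubuntu dapper-security/universe Packages
 *** 1.0-1 0
        500 http://archive.ubuntu.com/ubuntu dapper/universe Packages
        100 /var/lib/dpkg/status
examplepkg:
  Installed: 2.0-1
  Candidate: 2.0-1
  Version table:
 *** 2.0-1 0
        500 http://archive.ubuntu.com/ubuntu dapper/main Packages
        100 /var/lib/dpkg/status
localpkg:
  Installed: 3.0
  Candidate: 3.0
  Version table:
 *** 3.0 0
        100 /var/lib/dpkg/status
"""

# Archive line: "<prio> <url> <suite>/<component> [<arch>] Packages"
SOURCE_RE = re.compile(r"^\s+\d+\s+\S+://\S+\s+\S+?/(\S+)\s+(?:\S+\s+)?Packages$")

def installed_components(policy_text):
    """Map each package to the components of the archives shipping its installed version."""
    result, pkg, in_installed = {}, None, False
    for line in policy_text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            pkg, in_installed = line[:-1], False          # new package stanza
            result[pkg] = set()
        elif line.startswith(" *** "):
            in_installed = True                           # installed version block
        elif line.startswith("     ") and not line.startswith("      "):
            in_installed = False                          # some other version block
        elif in_installed and pkg and (m := SOURCE_RE.match(line)):
            result[pkg].add(m.group(1))
    return {p: sorted(c) for p, c in result.items()}

def partially_supported(policy_text, partial=("universe", "multiverse")):
    """Packages whose installed version has no archive origin outside `partial`."""
    comps = installed_components(policy_text)
    return sorted(p for p, c in comps.items() if not c or all(x in partial for x in c))

if __name__ == "__main__":
    print(partially_supported(SAMPLE_POLICY))
```

Packages with no archive line at all, such as locally installed .deb files, are reported as well, since no repository will deliver updates for them.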
The repository problem, which also affects, for example, users of Fedora Extras or Packman for Suse, is further complicated by the fact that the recent update debacles have shaken confidence in the update mechanism. An error in the update of the X.org server in August and a problem with the driver for NVidia graphics cards last week left a considerable proportion of Dapper installations completely without a graphical user interface for a time - a problem which will have proved particularly taxing for new users.
- ClamAV can trip over UPX-compressed .EXEs from 08.08.2006 on heise Security