The IMPEX 3.6.3 release

This release is a patch release that fixes an accidental F-Secure package release that went out to some customers on the 11th of September.

AV engine malfunction

During testing of an upgraded F-Secure package, a procedure went wrong and the package was released to production servers. The release was reverted within 24 hours, but some customers' repository servers synchronized it before the revert. This patch release adds a fix that removes the package from the affected systems.

For customers who had F-Secure enabled and whose repository server synchronized the faulty upgrade, the F-Secure scanner was not working from Monday morning until this upgrade was applied. SYSCTL has started an internal process to investigate what went wrong and what needs to be done to make sure this does not happen again.

Security

  • The third-party server component Django was bumped to 3.2.21 because of a released security patch. The security issue is a potential denial of service in a component that IMPEX is not using.

  • The antivirus engine ClamAV was upgraded to 0.103.10, which fixes CVE-2023-40477, a vulnerability in libunrar. This library is not bundled with the ClamAV package IMPEX uses, so IMPEX was not affected.