
Thread: 7-1-09 security patch

  1. #1
    Join Date: Jun 2009 | Posts: 13 | Rep Power: 6

    7-1-09 security patch

    I would like to disclose a vulnerability I discovered in Zimbra which needs to be patched urgently.

    4.5, 5.0.16GA and 6 Beta 2 are all affected.

    The initial response from support@zimbra.com has been unhelpful and I do not want to report this on your public bugtracker.

    Please contact me at hubert at itsecurity.net
    Last edited by Hubert; 06-26-2009 at 06:55 AM.

  2. #2
    Join Date: Jun 2009 | Posts: 4 | Rep Power: 6

    I commend you for trying to handle this in a responsible manner.
    Last edited by zombiewithamasseffect; 06-26-2009 at 02:39 PM.

  3. #3
    Join Date: Jun 2009 | Posts: 13 | Rep Power: 6

    I have done some more research on this with a colleague and the issue is highly critical.

    If you have Zimbra HTTP(S) and SSH exposed to the internet, your installation can be compromised.

    As a workaround I would highly recommend firewalling remote access to the SSH port, although this does not fully address the issue.

    Still waiting to be contacted by Zimbra...

  4. #4
    Join Date: Nov 2006 | Location: UK | Posts: 8,017 | Rep Power: 24

    I have moderated this post until one of the employees responds; this is for the safety of the community.

  5. #5
    Join Date: May 2007 | Location: Zimbra | Posts: 1,285 | Rep Power: 10

    Quote Originally Posted by uxbod:
        I have moderated this post until one of the employees responds; this is for the safety of the community.

    I'm trying to get the details offline.

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  6. #6
    Join Date: Oct 2005 | Location: USA, Canada and India | Posts: 777 | Rep Power: 10

    http://itsecurity.net
    Don't open... Is this for real?

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  7. #7
    Join Date: Mar 2007 | Location: Austin | Posts: 441 | Rep Power: 8

    itsecurity.net doesn't resolve. It is the MX record for the domain, so if he's expecting someone to email him, he's not going to get it.

  8. #8
    Join Date: Jun 2009 | Posts: 13 | Rep Power: 6

    My domain should be working again now (it has nothing about this bug on it at this time).

    Yes it's real, Zimbra have confirmed the issues and are working on a patch.
    Last edited by Hubert; 06-26-2009 at 04:13 PM.

  9. #9
    Join Date: Oct 2005 | Location: Thatcher, AZ | Posts: 5,606 | Rep Power: 21

    I'm re-moderating this post. We have been in contact with the reporter, and are actively investigating and patching the issue.

    Once we announce it, this thread will be republished.

  10. #10
    Join Date: Mar 2009 | Posts: 10 | Rep Power: 6

    Security Vulnerability

    I received email apparently from support@zimbra.com indicating that all current versions of Zimbra have a security vulnerability. The email had instructions and a download link for a patch. Problem is, the email was sent through a mailing list company and I can't verify that Zimbra sent it. Second, there is no reference (that I can find) in the forums or web site about this.

    There is no way I'm installing this without something on the web site.

    Is this a forgery or does Zimbra not have a clue how to alert their users?
