Results 1 to 6 of 6

Thread: Zimbra Security Patches or Updates?

  1. #1
    Join Date
    Oct 2005
    Location
    Washington DC
    Posts
    47
    Rep Power
    10

    Default Zimbra Security Patches or Updates?

    So... there is vulnerabilities in ClamAV... Is Zimbra planning on releasing and updated version of Zimbra with a patched ClamAV?

    From Secunia:

    A vulnerability has been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

    The vulnerability is caused due to a boundary error within the HTTP client in the Freshclam command line utility. This can be exploited to cause a stack-based buffer overflow when the HTTP headers received from a web server exceeds 8KB.

    Successful exploitation requires that Freshclam is used to download virus signature updates from a malicious mirror web server e.g. via DNS poisoning.

    The vulnerability has been reported in version 0.80 through 0.88.1.

  2. #2
    Join Date
    Mar 2006
    Location
    L'Aquila, ITALIA
    Posts
    59
    Rep Power
    9

    Default

    Quote Originally Posted by illscientific
    So... there is vulnerabilities in ClamAV... Is Zimbra planning on releasing and updated version of Zimbra with a patched ClamAV?

    Successful exploitation requires that Freshclam is used to download virus signature updates from a malicious mirror web server e.g. via DNS poisoning.
    I absolutely agree that every vulns should be fixed asap, so thanks for your post.
    But secunia should be aware that if an antivirus can get updates from a malicious site, a dos attack is really the best thing that can happen!
    Ciao
    Claudio

  3. #3
    dijichi2 is offline OpenSource Builder & Moderator
    Join Date
    Oct 2005
    Posts
    1,176
    Rep Power
    12

    Default

    i think recent versions for a while have used 0.88.4, no?

  4. #4
    Join Date
    Jun 2006
    Location
    Washington DC
    Posts
    124
    Rep Power
    9

    Default

    0.88.5 is out.
    Fixes issues with .chm files that I already block so, not a real big issue for me.
    CLAMAV Upgrade is super simple anyway though so, I usually do right away just to get it done.

    Scotty

  5. #5
    Join Date
    Oct 2005
    Location
    Washington DC
    Posts
    47
    Rep Power
    10

    Default

    I just really hope Zimbra takes vulnerabilities in the open source software they use to make their product seriously and it doesn't degenerate into listing mitigating circumstances or comming up with reasons they feel it is not necessary to fix rather than updating the software like most administrators would desire happen. This would be yet another reason to use Zimbra over Exchange.

  6. #6
    Join Date
    Jun 2006
    Location
    Washington DC
    Posts
    124
    Rep Power
    9

    Default

    Exchange has more holes than Zimbra does really. ;-)
    Then, it's one of those YMMV vary things I guess.
    For me, the couple of minutes I spend a day looking at the logs and such, doing a simple Anti-virus engine upgrade so far hasn't been a big issue.
    Takes me two minutes now and done. So, not sure if Apple to Oranges comparison really.
    Spend more time fixing and patching and maintaining Exchange and also a lot more $$$ by the time you add up all of the stuff you have to buy extra, I am willing to do a couple of things myself. Not many things have come out needed to be patched like RIGHT NOW for blatent security issues/holes other than clamav really. At least that I have seen since June of this year since I moved my mail over to Zimbra.

    I do notice as the Zimbra version numbers increase, the underlying stuff does get upgraded. I am fairly sure that if I had the Network Edition ( have the free version ), they could SSH in and take care if it if I called. ( shrug )
    With Exchange, I was subscribed to an Microsoft announce list but always found out it had a vulerability way before it was announced by them on cert and other websites so, not really seeing anything different, in that way, other than just me getting in there and taking care of patches when they come out.

    Ya know?

    Scotty

Similar Threads

  1. Zimbra shutdowns every n hours.
    By Andrewb in forum Administrators
    Replies: 13
    Last Post: 08-14-2007, 09:55 AM
  2. Can't start Zimbra!
    By zibra in forum Administrators
    Replies: 5
    Last Post: 03-22-2007, 12:34 PM
  3. zimbra-core missing
    By kinaole in forum Developers
    Replies: 1
    Last Post: 10-02-2006, 12:59 PM
  4. 3.1 on FC4 problems
    By cohnhead in forum Installation
    Replies: 8
    Last Post: 05-26-2006, 12:16 PM
  5. Monitoring : Data not yet avalaible
    By s3nz3x in forum Installation
    Replies: 7
    Last Post: 11-30-2005, 07:18 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •