Security: Debian-Based OpenSSL issue
An issue has been identified for OpenSource users of Debian and Zimbra 5.0RC1 to 5.0.2. Zimbra does not provide a Network Edition of Debian, so Network Edition Customers are not effected if installed on a Zimbra-supported platform. Any user(FOSS or Network Edition) who installed Zimbra 5.0RC1 to 5.0.2 on Ubuntu 7.04, Ubuntu 7.10, Ubuntu 8.04 LTS would also be affected. This is the only advisory that will be issued by Zimbra.
Issue: It has been discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable. This includes SSL Certificates in Zimbra.
Impact: It would be possible for a malicious person to guess cryptographic material on a Debian-based system.
Scope: This only affects Debian Open Source users who have started out with Zimbra 5.0 RC1 to 5.0.2 and have kept the certificate generated during the initial period. User's who started out with 4.5.x and have kept the same certificate(s) are not affected. Users who started out with 5.0.3 or later are not affected as Zimbra no longer uses Debian's port of the OpenSSL libraries. Any user running on a debian -based platform where the administrator has altered the installer to install on the debian-based system may also be affected. You should check your Linux Distribution to see whether you're using the affected packages. Zimbra-supported ubuntu packages/installations are not affected, however some Ubuntu installations are vulnerable: Ubuntu 7.04, Ubuntu 7.10, Ubuntu 8.04 LTS. See USN-612-1: OpenSSL vulnerability | Ubuntu for more information on Ubuntu based systems.
Resolution: Users who meet the scope should upgrade to Zimbra 5.0.3 or higher and then regenerate all of their SSL certificates following this article: Commercial Certificate in 5.x - Zimbra :: Wiki The administrator should also upgrade the OpenSSL package from their Vendor.
Gmane -- Mail To News And Back Again
USN-612-1: OpenSSL vulnerability | Ubuntu
USN-612-2: OpenSSH vulnerability | Ubuntu
SSL Certificate Problems - Zimbra :: Wiki
Commercial Certificate in 5.x - Zimbra :: Wiki
Mail Queue Monitoring - Zimbra :: Wiki