
Thread: Security: Debian-Based OpenSSL issue

  1. #1
    Join Date: Oct 2005, Thatcher, AZ

    Security: Debian-Based OpenSSL issue

    An issue has been identified for OpenSource users of Debian and Zimbra 5.0RC1 to 5.0.2. Zimbra does not provide a Network Edition of Debian, so Network Edition Customers are not affected if installed on a Zimbra-supported platform. Any user (FOSS or Network Edition) who installed Zimbra 5.0RC1 to 5.0.2 on Ubuntu 7.04, Ubuntu 7.10, or Ubuntu 8.04 LTS would also be affected. This is the only advisory that will be issued by Zimbra.

    Severity: CRITICAL

    Issue: It has been discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable. This includes SSL Certificates in Zimbra.

    Impact: It would be possible for a malicious person to guess cryptographic material on a Debian-based system.

    Scope: This only affects Debian Open Source users who have started out with Zimbra 5.0 RC1 to 5.0.2 and have kept the certificate generated during the initial period. Users who started out with 4.5.x and have kept the same certificate(s) are not affected. Users who started out with 5.0.3 or later are not affected, as Zimbra no longer uses Debian's port of the OpenSSL libraries. Any user running on a Debian-based platform where the administrator has altered the installer to install on the Debian-based system may also be affected. You should check your Linux distribution to see whether you're using the affected packages. Zimbra-supported Ubuntu packages/installations are not affected; however, some Ubuntu installations are vulnerable: Ubuntu 7.04, Ubuntu 7.10, Ubuntu 8.04 LTS. See USN-612-1: OpenSSL vulnerability | Ubuntu for more information on Ubuntu-based systems.

    Resolution: Users who meet the scope should upgrade to Zimbra 5.0.3 or higher and then regenerate all of their SSL certificates following this article: Commercial Certificate in 5.x - Zimbra :: Wiki. The administrator should also upgrade the OpenSSL package from their vendor.

    More Information:
    Gmane -- Mail To News And Back Again
    USN-612-1: OpenSSL vulnerability | Ubuntu
    USN-612-2: OpenSSH vulnerability | Ubuntu
    SSL Certificate Problems - Zimbra :: Wiki
    Commercial Certificate in 5.x - Zimbra :: Wiki
    Mail Queue Monitoring - Zimbra :: Wiki
    Last edited by jholder; 05-14-2008 at 11:43 AM.
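As an added illustration (not part of the advisory or of Zimbra's code): the Debian change left the process ID as the only effective input to the OpenSSL RNG, so every key it could produce is enumerable, and weak keys are detected by comparing a key's fingerprint against a precomputed list of all of them. The toy generator, the PID_MAX constant and the inventory names below are constructed assumptions that model the structure of the failure, not real OpenSSL or RSA behaviour.

```python
import hashlib
import os

# CVE-2008-0166: the broken RNG was fed nothing but the process ID, so on a
# given architecture and key size there were only about 2^15 possible keys.
# This toy model derives a "key" from a 15-bit seed to mirror that structure.
PID_MAX = 32768  # Linux default pid_max of the era: 15 bits of "entropy"


def weak_keygen(pid: int, nbytes: int = 16) -> bytes:
    """Toy stand-in for a generator whose only seed is the PID (constructed)."""
    seed = b"toy-debian-rng:" + pid.to_bytes(2, "big")
    return hashlib.sha256(seed).digest()[:nbytes]


def strong_keygen(nbytes: int = 16) -> bytes:
    """Key material from the OS CSPRNG: what the generator should have used."""
    return os.urandom(nbytes)


def fingerprint(key: bytes) -> str:
    """Public identifier of a key; blacklists store fingerprints, not keys."""
    return hashlib.sha1(key).hexdigest()


def build_blacklist() -> frozenset:
    """Enumerate every key the weak generator can emit and keep its fingerprint.
    A real blacklist is built the same way, once, offline, per key size."""
    return frozenset(fingerprint(weak_keygen(pid)) for pid in range(1, PID_MAX))


def is_weak(key: bytes, blacklist: frozenset) -> bool:
    """Check a key that is in service against the precomputed blacklist."""
    return fingerprint(key) in blacklist


def audit(keys: dict, blacklist: frozenset) -> list:
    """Return the names of the keys that must be regenerated."""
    return [name for name, key in keys.items() if is_weak(key, blacklist)]


if __name__ == "__main__":
    bl = build_blacklist()
    # constructed inventory: one key from the affected window, one regenerated
    inventory = {"server.crt (5.0.2 era)": weak_keygen(4242),
                 "server.crt (regenerated on 5.0.3)": strong_keygen()}
    print(audit(inventory, bl))  # only the 5.0.2-era key is flagged
```

Ubuntu shipped this kind of check as openssl-vulnkey (openssl-blacklist package); regenerating the certificate, as the resolution above says, is what clears the finding.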

  2. #2
    Join Date: May 2006

    For those who've asked today - how to handle the vulnerability process: Reporting Security Issues - Zimbra :: Wiki
