Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.

If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:

In short:
  • If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020. -> Vulnerable, you would still need the OpenSSL patch: https://www.zimbra.com/forums/announ...erability.html
  • If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021. -> Not Vulnerable

There are a few ways you can confirm:

1. Check your version tarball for the build number 6021. For example:


2. Check zmcontrol for the build number:

# su - zimbra
$ zmcontrol -v
Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.

3. Check the libssl shared library

$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat

Not Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat

Please let us know if you have any questions.