7-1-09 security patch

8243Hubert

Postby 8243Hubert » Fri Jun 26, 2009 8:48 am

I would like to disclose a vulnerability I discovered in Zimbra which needs to be patched urgently.
4.5, 5.0.16GA and 6 Beta 2 are all affected.
The initial response from support@zimbra.com has been unhelpful and I do not want to report this on your public bugtracker.
Please contact me at hubert at itsecurity.net


zombiewithamasseffect

Postby zombiewithamasseffect » Fri Jun 26, 2009 11:01 am

I commend you for trying to handle this in a responsible manner.
8243Hubert

Postby 8243Hubert » Fri Jun 26, 2009 12:42 pm

I have done some more research on this with a colleague and the issue is highly critical.
If you have Zimbra HTTP(S) and SSH exposed to the internet, your installation can be compromised.
As a workaround I would highly recommend firewalling remote access to the SSH port, although this does not fully address the issue.
Still waiting to be contacted by Zimbra...
uxbod
Ambassador

Postby uxbod » Fri Jun 26, 2009 12:55 pm

I have moderated this post until one of the employees responds; this is for the safety of the community.
quanah
Zimbra Alumni

Postby quanah » Fri Jun 26, 2009 1:08 pm

uxbod wrote: "I have moderated this post until one of the employees responds; this is for the safety of the community."
I'm trying to get the details offline.
--Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
13445raj
Outstanding Member

Postby 13445raj » Fri Jun 26, 2009 1:25 pm

http://itsecurity.net

Don't open... is this for real?
Raj
p24t
Outstanding Member

Postby p24t » Fri Jun 26, 2009 2:15 pm

itsecurity.net doesn't resolve. It is the MX record for the domain, so if he's expecting someone to email him, he's not going to get it.
8243Hubert

Postby 8243Hubert » Fri Jun 26, 2009 6:11 pm

My domain should be working again now (it has nothing about this bug on it at this time).
Yes it's real, Zimbra have confirmed the issues and are working on a patch.
jholder
Zimbra Employee

Postby jholder » Wed Jul 01, 2009 3:12 am

I'm re-moderating this post. We have been in contact with the reporter, and are actively investigating and patching the issue.
Once we announce it, this thread will be republished.
sgruby

Postby sgruby » Wed Jul 01, 2009 8:26 pm

I received email apparently from support@zimbra.com indicating that all current versions of Zimbra have a security vulnerability. The email had instructions and a download link for a patch. Problem is, the email was sent through a mailing list company and I can't verify that Zimbra sent it. Second, there is no reference (that I can find) in the forums or web site about this.
There is no way I'm installing this without something on the web site.
Is this a forgery or does Zimbra not have a clue how to alert their users?
