Page 1 of 3

7-1-09 security patch

Posted: Fri Jun 26, 2009 8:48 am
by 8243Hubert
I would like to disclose a vulnerability I discovered in Zimbra which needs to be patched urgently.
4.5, 5.0.16GA and 6 Beta 2 are all affected.
The initial response from support@zimbra.com has been unhelpful and I do not want to report this on your public bugtracker.
Please contact me at hubert at itsecurity.net

7-1-09 security patch

Posted: Fri Jun 26, 2009 11:01 am
by zombiewithamasseffect
I commend you for trying to handle this in a responsible manner.

7-1-09 security patch

Posted: Fri Jun 26, 2009 12:42 pm
by 8243Hubert
I have done some more research on this with a colleague and the issue is highly critical.
If you have Zimbra HTTP(S) and SSH exposed to the internet, your installation can be compromised.
As a workaround I would highly recommend firewalling remote access to the SSH port, although this does not fully address the issue.
Still waiting to be contacted by Zimbra...

7-1-09 security patch

Posted: Fri Jun 26, 2009 12:55 pm
by uxbod
I have moderated this post until one of the employees respond; this is for the safety on the community.

7-1-09 security patch

Posted: Fri Jun 26, 2009 1:08 pm
by quanah
[quote user="uxbod"]I have moderated this post until one of the employees respond; this is for the safety on the community.[/QUOTE]
I'm trying to get the details offline.
--Quanah

7-1-09 security patch

Posted: Fri Jun 26, 2009 1:25 pm
by 13445raj
http://itsecurity.net

dont open..is this for real?
Raj

7-1-09 security patch

Posted: Fri Jun 26, 2009 2:15 pm
by p24t
itsecurity.net doesn't resolve. It is the MX record for the domain, so if he's expecting someone to email him, he's not going to get it.

7-1-09 security patch

Posted: Fri Jun 26, 2009 6:11 pm
by 8243Hubert
My domain should be working again now (it has nothing about this bug on it at this time).
Yes it's real, Zimbra have confirmed the issues and are working on a patch.

7-1-09 security patch

Posted: Wed Jul 01, 2009 3:12 am
by jholder
I'm re moderating this post. We have been in contact with the reporter, and are actively investigating and patching the issue.
Once we announce it, this thread will be republished.

7-1-09 security patch

Posted: Wed Jul 01, 2009 8:26 pm
by sgruby
I received email apparently from support@zimbra.com indicating that all current versions of Zimbra have a security vulnerability. The email had instructions and a download link for a patch. Problem is, the email was sent through a mailing list company and I can't verify that Zimbra sent it. Second, there is no reference (that I can find) in the forums or web site about this.
There is no way I'm installing this without something on the web site.
Is this a forgery or does Zimbra not have a clue how to alert their users?