More OpenSSL vulnerabilities - NOT POODLE

metux
Advanced member
Posts: 146
Joined: Mon Jul 28, 2014 6:21 pm

More OpenSSL vulnerabilities - NOT POODLE

Postby metux » Mon Oct 27, 2014 3:15 am

[quote]

This issue will be fixed in the next 8.5.1 and 8.0.9; you can follow the bug here - https://bugzilla.zimbra.com/show_bug.cgi?id=96008



I don't know the exact release date, but I know that it will be soon.

[/quote]



The corresponding commit is now a week old ... why does it take you so long to get out such critical releases?!


cozthegrov
Posts: 3
Joined: Thu Feb 11, 2010 4:21 pm

More OpenSSL vulnerabilities - NOT POODLE

Postby cozthegrov » Mon Oct 27, 2014 1:30 pm

8.0.9 and 8.5.1 are expected to be GA on Nov 4th. More information regarding these specifically will be available then. In terms of our time to fix, you're right our current packaging is not ideal because we can't simply patch OpenSSL by itself. This has been discussed quite thoroughly internally for a few months and work is underway to break apart some of these components to make updates/patches/fix/upgrades etc much easier to do going forward.
metux
Advanced member
Posts: 146
Joined: Mon Jul 28, 2014 6:21 pm

More OpenSSL vulnerabilities - NOT POODLE

Postby metux » Tue Oct 28, 2014 10:51 am

[quote]

8.0.9 and 8.5.1 are expected to be GA on Nov 4th.

[/quote]



Expected ... hmm.

So, you're leaving all the systems vulnerable for yet another week.



Will you provide updated packages this time, or yet again just an (unpackaged) loose bunch of files (so, leaving the package db in an inconsistent state), downloaded via insecure channels?



[quote]

In terms of our time to fix, you're right our current packaging is not ideal because we can't simply patch OpenSSL by itself.

[/quote]



Well, you could easily patch it, and you're doing it:

devel@factory:~/zimbra/main.git$ ls -la ThirdParty/openssl/patches/
total 32
drwxrwxr-x 2 devel devel  4096 Oct 28 16:27 .
drwxrwxr-x 4 devel devel  4096 Oct 28 16:27 ..
-rw-rw-r-- 1 devel devel 18236 Oct 28 16:27 ipv6.patch
-rw-rw-r-- 1 devel devel   455 Oct 28 16:27 leopard.sharedlib.fix



But you shouldn't ship your own copy of OpenSSL at all. It's not necessary at all,
and it's *HARMFUL* - you'll always lag behind the distros, and you'll never get the broad
expertise in that area that the distros have.



So, the correct way is dropping it and using the distro package. I've already provided
a patch for that a long time ago - got rejected with silly excuses (and even more silly
and stupid rants against certain distros).



Oh, and one of the primary reasons for being so extremely slow w/ security patches
lies in the lack of a proper SCM and appropriate workflows. With a decent SCM,
it would be pretty trivial to maintain several maintenance and hotfix branches for
each existing release. But as long as you stick w/ the horrible P4, you'll waste
your time w/ trivial things being complicated. (In similar projects, I already measured
over 30% overhead / wasted workforce due to lack of professional SCM infrastructure.)
Already told this _years_ ago, but it's of no use, your devs simply don't listen.



[quote]

This has been discussed quite thoroughly internally for a few months and work is underway to break apart some of these components to make updates/patches/fix/upgrades etc much easier to do going forward.

[/quote]



Yeah, talking about splitting the fat zimbra-core package into several smaller ones. Months of talking, nothing but talking, even though it's a pretty simple task.

If your devs wouldn't behave so destructively and ignorantly (just see the various bugzilla tickets - my tickets are always rejected w/ silly excuses), I would already have supplied patches. But I won't even consider it anymore - it's of no use at all.
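The post above turns on one practical question for anyone running a product that bundles its own OpenSSL: is the bundled copy older than what the distro ships? Below is an added example, written for this page and not taken from the thread or from Zimbra's own tooling, that parses the output of `openssl version` into a sortable key and compares two copies. The default bundled path `/opt/zimbra/openssl/bin/openssl` is an assumption about where such a copy would live; the version strings at the bottom are constructed samples, not captured from any real host.

```shell
#!/bin/sh
# Added example (not from the thread): compare a bundled OpenSSL against the distro's.

# Turn "OpenSSL 1.0.1j 15 Oct 2014" into a zero-padded key such as
# "001.000.001.10" so plain string comparison orders releases correctly.
# The trailing patch letter maps a..z to 01..26; no letter maps to 00.
# Returns 1 when the string does not look like openssl version output.
openssl_version_key() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    num=${ver%%[a-z]*}                 # "1.0.1"
    letter=${ver#"$num"}               # "j" or ""
    letter=${letter%"${letter#?}"}     # keep only the first letter
    old_ifs=$IFS; IFS=.; set -- $num; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ -n "$letter" ]; then
        letter_ord=$(printf '%d' "'$letter")   # ASCII code of the letter
        letter_ord=$((letter_ord - 96))        # a=1 ... z=26
    else
        letter_ord=0
    fi
    printf '%03d.%03d.%03d.%02d\n' "$major" "$minor" "$patch" "$letter_ord"
}

# Exit 0 when the first version string is strictly older than the second,
# 1 when it is not, 2 when either string cannot be parsed.
openssl_is_older() {
    a=$(openssl_version_key "$1") || return 2
    b=$(openssl_version_key "$2") || return 2
    expr "$a" \< "$b" >/dev/null      # string comparison on the padded keys
}

# Compare a bundled openssl binary with the one on $PATH and report.
# The default path is an assumption about where a bundled copy would live.
check_bundled_openssl() {
    bundled=${1:-/opt/zimbra/openssl/bin/openssl}
    system_ver=$(openssl version 2>/dev/null) || { echo "no system openssl"; return 2; }
    bundled_ver=$("$bundled" version 2>/dev/null) || { echo "no bundled openssl at $bundled"; return 2; }
    if openssl_is_older "$bundled_ver" "$system_ver"; then
        echo "LAGGING: bundled '$bundled_ver' is older than distro '$system_ver'"
        return 1
    fi
    echo "OK: bundled '$bundled_ver' is not older than distro '$system_ver'"
}

# Constructed sample strings (not captured from a real host) to show the ordering.
openssl_is_older 'OpenSSL 1.0.1e 11 Feb 2013' 'OpenSSL 1.0.1j 15 Oct 2014' \
    && echo "1.0.1e is older than 1.0.1j"
openssl_is_older 'OpenSSL 1.0.1j 15 Oct 2014' 'OpenSSL 1.0.2 22 Jan 2015' \
    && echo "1.0.1j is older than 1.0.2"
```

Run `check_bundled_openssl /path/to/bundled/openssl` on a host to get the comparison. One caveat the thread's argument depends on: distros often backport fixes without bumping the upstream version string (a distro 1.0.1e can carry the fix for a CVE that upstream shipped in 1.0.1j), so an equal or older-looking distro string does not by itself mean the distro copy is unpatched; check the distro package changelog for the CVE in question.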
dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am

More OpenSSL vulnerabilities - NOT POODLE

Postby dik23 » Tue Oct 28, 2014 7:44 pm

[quote user="Brendan Cosgrove"]8.0.9 and 8.5.1 are expected to be GA on Nov 4th. More information regarding these specifically will be available then. In terms of our time to fix, you're right our current packaging is not ideal because we can't simply patch OpenSSL by itself. This has been discussed quite thoroughly internally for a few months and work is underway to break apart some of these components to make updates/patches/fix/upgrades etc much easier to do going forward.[/quote]


This is good news, the current system is borked. [:D]


I'd also like to point out that this has exactly the same meaning if the words "going forward" are removed. Therefore those words are meaningless.


Behrooz
Posts: 1
Joined: Wed Oct 29, 2014 10:51 pm

More OpenSSL vulnerabilities - NOT POODLE

Postby Behrooz » Wed Oct 29, 2014 10:55 pm

I downloaded 8.5.0 a few days ago. It sounds like I should wait for the next release before I install anything. Is this a good approach?
metux
Advanced member
Posts: 146
Joined: Mon Jul 28, 2014 6:21 pm

More OpenSSL vulnerabilities - NOT POODLE

Postby metux » Thu Oct 30, 2014 3:12 am

Maybe it's better to switch to some _professional_ solution ... I doubt it will get better anytime soon ...
dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am

More OpenSSL vulnerabilities - NOT POODLE

Postby dik23 » Fri Oct 31, 2014 6:31 pm

If you've not installed yet then waiting for what looks to be a few days would be a good idea.



Personally I'd wait at least a week after the next release just to make sure there's no obvious issues with it.
