More OpenSSL vulnerabilities - NOT POODLE

Posted: Thu Oct 16, 2014 12:11 pm
by dik23

I presume the following are an issue for Zimbra, since OpenSSL is built in. Patches have been released for OSs, but I don't see anything for Zimbra.

What should be done about:

CVE-2014-3513

CVE-2014-3567

I'm running 8.0.7 with OpenSSL 1.0.1h 5 Jun 2014.
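As an added example, not code from this thread or from Zimbra: a small POSIX shell check that classifies an `openssl version` banner, such as the one quoted in the post above, against the releases in which the OpenSSL project fixed CVE-2014-3513 and CVE-2014-3567 (1.0.1j, 1.0.0o and 0.9.8zc, per the OpenSSL Security Advisory of 15 October 2014). The path to Zimbra's bundled binary is an assumption about an 8.0.x install, not something stated in the thread, and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra. Classifies an
# "openssl version" banner against the OpenSSL releases that fixed
# CVE-2014-3513 and CVE-2014-3567 (1.0.1j, 1.0.0o, 0.9.8zc; OpenSSL
# Security Advisory, 15 Oct 2014). Only the banner is examined, so the
# verdict is meaningful for upstream-style builds such as the copy Zimbra
# bundles; distro packages backport fixes without bumping the letter.

# Assumed location of the bundled binary in a Zimbra 8.0.x install
# (an assumption, not taken from the thread); override via the environment.
ZIMBRA_OPENSSL="${ZIMBRA_OPENSSL:-/opt/zimbra/openssl/bin/openssl}"

# openssl_status BANNER
# Prints "fixed", "vulnerable" or "unknown" and returns 0, 1 or 2.
openssl_status() {
    banner=$1
    # "OpenSSL 1.0.1h 5 Jun 2014" -> "1.0.1h"; no match -> empty
    ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown; return 2
    fi
    branch=$(printf '%s\n' "$ver" | sed 's/[a-z]*$//')   # "1.0.1"
    letter=$(printf '%s\n' "$ver" | sed 's/^[0-9.]*//')  # "h" (may be empty)
    case "$branch" in
        1.0.1) fix=j ;;
        1.0.0) fix=o ;;
        0.9.8) fix=zc ;;
        *)     echo unknown; return 2 ;;   # e.g. 1.0.2 betas: not classified here
    esac
    # Patch letters sort lexicographically: "" < "a" < ... < "z" < "za" < "zb" < "zc",
    # so the release is fixed when its letter is not strictly below the fixing one.
    lowest=$(printf '%s\n%s\n' "$letter" "$fix" | LC_ALL=C sort | head -n 1)
    if [ "$letter" = "$fix" ] || [ "$lowest" = "$fix" ]; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# The banner quoted in the post above, classified offline.
SAMPLE='OpenSSL 1.0.1h 5 Jun 2014'
printf '%s -> %s\n' "$SAMPLE" "$(openssl_status "$SAMPLE")"

# The live check: only runs where the bundled binary actually exists.
if [ -x "$ZIMBRA_OPENSSL" ]; then
    live=$("$ZIMBRA_OPENSSL" version)
    printf '%s -> %s\n' "$live" "$(openssl_status "$live")"
fi
```

The banner test is the right tool for a vendored upstream build, which is what this thread is about; for the distro copy that the later replies argue Zimbra should be linking against, the version letter says nothing, because distros backport the fix under the old version string, so there you check the package changelog instead (for example `rpm -q --changelog openssl | grep CVE-2014-3567` on RPM-based systems).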




More OpenSSL vulnerabilities - NOT POODLE

Posted: Mon Oct 20, 2014 12:52 pm
by dik23

In case anyone cares, there's a bug open for this.

However, its progress seems rather slow, even though it's been marked "critical" by Zimbra and "Severity: High" by OpenSSL.

Ho hum.


More OpenSSL vulnerabilities - NOT POODLE

Posted: Tue Oct 21, 2014 1:33 pm
by cozthegrov
Hi,

We are tracking those CVEs and are currently working on patches/fixes; we expect to have them ready early in November.

More OpenSSL vulnerabilities - NOT POODLE

Posted: Tue Oct 21, 2014 3:46 pm
by dik23

That's good to know, although early November does seem like quite a long time compared to how long it took the various flavours of Linux that Zimbra sits on to release updated versions of OpenSSL.

Is there a specific reason Zimbra can't use the OpenSSL that's found in the repositories?


More OpenSSL vulnerabilities - NOT POODLE

Posted: Tue Oct 21, 2014 5:15 pm
by ccelis5215

Don't understand why this is marked as an "Answer Suggested"; in any case, after the patches/fixes are ready to deploy.

ccelis


More OpenSSL vulnerabilities - NOT POODLE

Posted: Fri Oct 24, 2014 7:13 am
by metux
[quote]
Is there a specific reason Zimbra can't use the OpenSSL that's found in the repositories?
[/quote]

I've been asking those questions for years now. Their answers are just silly excuses and dumb rants against distros, but no serious arguments whatsoever.

Seems to be some religious issue ...

Actually, I stopped these useless discussions and did it on my own in the OpenZimbra project.

More OpenSSL vulnerabilities - NOT POODLE

Posted: Fri Oct 24, 2014 12:56 pm
by jorgedlcruz

Hi ccelis5215,

This issue will be fixed in the next releases, 8.5.1 and 8.0.9; you can follow the bug here: https://bugzilla.zimbra.com/show_bug.cgi?id=96008

I don't know the exact release date, but I know that it will be soon.

Best regards.


More OpenSSL vulnerabilities - NOT POODLE

Posted: Fri Oct 24, 2014 4:37 pm
by ccelis5215
Thanks Jorge!

More OpenSSL vulnerabilities - NOT POODLE

Posted: Fri Oct 24, 2014 5:50 pm
by dik23

Thanks for the update, much appreciated.

However, I'm still a little concerned that OpenSSL considers this to be "Severity: High".

Can anyone here explain how serious a vulnerability this is for Zimbra?


More OpenSSL vulnerabilities - NOT POODLE

Posted: Mon Oct 27, 2014 2:40 am
by metux
[quote]
However, I'm still a little concerned that OpenSSL considers this to be "Severity: High".
[/quote]

Well, allowing a remote attacker to fill up your machine's memory, thus giving him an easy DoS attack vector, is indeed a high-severity case.

If you guys would just use the system OpenSSL (provided by distro packages), the issue would already have been solved by the distros.

But the way you're doing that, we yet again have to wait several weeks for your fix, while our systems remain vulnerable.

Do you call that quality? Seriously?