OpenSSL Patch Update for ZCS 8.0.3 Only

Post by 2610thom » Wed Apr 09, 2014 11:09 am

We're sorry to have to do this, but if you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.
Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.
Here is how you can check your build version:
$ zmcontrol -v
(look for "8.0.3")
Here is how you can check your OpenSSL version - only un-patched versions of OpenSSL 1.0.1 that are compiled with TLS Heartbeat support are vulnerable:
$ ls -ld /opt/zimbra/openssl*
lrwxrwxrwx 1 root root 26 Jan 17 16:04 /opt/zimbra/openssl -> /opt/zimbra/openssl-1.0.1d
drwxr-xr-x 6 root root 4096 Jan 17 16:03 /opt/zimbra/openssl-1.0.1d
Here is how you can confirm if your libssl library is vulnerable or not:
$ strings /opt/zimbra/openssl/lib/ | grep dtls1_heartbeat
Not Vulnerable:
$ strings /opt/zimbra/openssl/lib/ | grep dtls1_heartbeat
In order to re-patch, please download the latest version of the updater script and re-patch all Zimbra nodes (particularly those Internet-accessible, but all nodes should be patched):
(as root)
1) wget
2) chmod a+rx
3) ./
(as user zimbra)
4) su - zimbra
5) zmcontrol restart
The results should show the updater re-patching the system:
# ./
Downloading patched openssl
Validating patched openssl: success
Backing up old openssl: complete
Installing patched openssl: complete
OpenSSL patch process complete.
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart
If you were to run the updater again, it should then show the system as patched:
# ./
Error: Already patched
All 8.0.3 patching after Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, should be fine, as the openssl builds on were updated to disable TLS Heartbeat. To double check, please use the “strings” method shown above.
For additional information, please reference these instructions:
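
The on-disk check from the post, wrapped as a function that can be run on every node (an added example, not part of the original post and not Zimbra's updater script). The `libssl*` glob, the function names and the sample files are assumptions made here; symbol presence is read the way the post reads it, which fits builds that had TLS Heartbeat compiled out.

```shell
#!/bin/sh
# Added example, not Zimbra's updater. Assumption: the library files match
# "libssl*" inside the directory given (the post elides the exact file name).

# heartbeat_status LIBDIR
# Prints one word and returns 0 (NOT_VULNERABLE), 1 (VULNERABLE) or 2 (NO_LIBSSL).
# The post's criterion is applied: a libssl that still contains the
# dtls1_heartbeat symbol was built with TLS Heartbeat support.
heartbeat_status() {
    libdir=$1
    found=0
    hits=0
    for lib in "$libdir"/libssl*; do
        [ -f "$lib" ] || continue        # unmatched glob, directories
        found=1
        # grep -F on the raw file stands in for "strings | grep"
        if LC_ALL=C grep -q -F dtls1_heartbeat "$lib"; then
            hits=$((hits + 1))
            echo "heartbeat symbol present: $lib" >&2
        fi
    done
    if [ "$found" -eq 0 ]; then echo NO_LIBSSL; return 2; fi
    if [ "$hits" -gt 0 ]; then echo VULNERABLE; return 1; fi
    echo NOT_VULNERABLE
}

# Constructed sample files (no real OpenSSL involved) showing both outcomes.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/old" "$tmp/new"
    printf 'ELF\0dtls1_heartbeat\0tls1_heartbeat\0' > "$tmp/old/libssl.sample"
    printf 'ELF\0ssl3_connect\0' > "$tmp/new/libssl.sample"
    old=$(heartbeat_status "$tmp/old" 2>/dev/null) || true
    new=$(heartbeat_status "$tmp/new" 2>/dev/null) || true
    rm -rf "$tmp"
    echo "$old $new"
}

if [ "$#" -gt 0 ]; then heartbeat_status "$1"; else demo; fi
```

Pass `/opt/zimbra/openssl/lib` as the argument on each node. The check only inspects files on disk, so processes started before the patch keep the old library mapped until `zmcontrol restart` has been run.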