More OpenSSL vulnerabilities - NOT POODLE

dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am


Post by dik23 » Thu Oct 16, 2014 12:11 pm

I presume the following are an issue for Zimbra, since OpenSSL is built in. Patches have been released for OSs, but I don't see anything for Zimbra.


What should be done about:

CVE-2014-3513
CVE-2014-3567


I'm running 8.0.7 with OpenSSL 1.0.1h 5 Jun 2014
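As an added example (not code from this thread, from Zimbra, or from OpenSSL), the check a practitioner would want at this point: a POSIX shell function that parses the output of `openssl version` and says whether the build is at or past OpenSSL 1.0.1j, the 15 October 2014 release that fixed CVE-2014-3513 and CVE-2014-3567. The path `/opt/zimbra/openssl/bin/openssl` is an assumption about where Zimbra keeps its bundled binary; querying the distro's `/usr/bin/openssl` tells you nothing about the library Zimbra's own daemons link against, which is why patching the OS alone does not close these CVEs on a Zimbra host. Only the 1.0.1 branch is decided; anything else is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Zimbra.
# Decides whether an "openssl version" string is at or past OpenSSL 1.0.1j,
# the 15 Oct 2014 release that fixed CVE-2014-3513 and CVE-2014-3567.
# Only the 1.0.1 branch (the one Zimbra 8 bundles) is handled; other
# branches get exit status 2 ("unknown") instead of a guess.

# Assumed location of the OpenSSL binary Zimbra bundles (not the distro one).
ZIMBRA_OPENSSL=${ZIMBRA_OPENSSL:-/opt/zimbra/openssl/bin/openssl}
FIXED_LETTER=j

# ASCII code of a single character, so patch letters compare as integers.
ord() { printf '%d' "'$1"; }

# openssl_patched "OpenSSL 1.0.1h 5 Jun 2014"
#   exit 0 -> 1.0.1j or later (fixed)
#   exit 1 -> earlier 1.0.1 release (vulnerable)
#   exit 2 -> not a 1.0.1 release, not decided here
openssl_patched() {
  ver=$(printf '%s\n' "$1" | awk '{print $2}')        # e.g. 1.0.1h
  base=$(printf '%s\n' "$ver" | sed 's/[a-z]*$//')     # 1.0.1
  letter=$(printf '%s\n' "$ver" | sed 's/^[0-9.]*//')  # h (empty for a bare 1.0.1)
  [ "$base" = "1.0.1" ] || return 2
  [ -n "$letter" ] || return 1   # bare 1.0.1 predates every lettered release
  [ "$(ord "$letter")" -ge "$(ord "$FIXED_LETTER")" ]
}

# Human-readable verdict for a version string: patched / VULNERABLE / unknown.
verdict() {
  openssl_patched "$1" && rc=0 || rc=$?
  case $rc in
    0) echo "patched" ;;
    2) echo "unknown" ;;
    *) echo "VULNERABLE" ;;
  esac
}

# Constructed sample strings, in the format "openssl version" prints.
for sample in "OpenSSL 1.0.1h 5 Jun 2014" "OpenSSL 1.0.1j 15 Oct 2014"; do
  echo "$sample -> $(verdict "$sample")"
done

# On a Zimbra host, report the bundled binary rather than the distro's.
if [ -x "$ZIMBRA_OPENSSL" ]; then
  bundled=$("$ZIMBRA_OPENSSL" version)
  echo "$bundled -> $(verdict "$bundled")"
fi
```

Run it as the zimbra user on the mail store; the distro's `openssl version` will usually already say 1.0.1j or later after the OS update, while the bundled binary is what actually matters for the mailbox, proxy and MTA processes.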





dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am


Post by dik23 » Mon Oct 20, 2014 12:52 pm

In case anyone cares, there's a bug open for this.


However, its progress seems rather slow, even though it's been marked "critical" by Zimbra and "Severity: High" by OpenSSL.


Ho hum

cozthegrov
Posts: 3
Joined: Thu Feb 11, 2010 4:21 pm


Post by cozthegrov » Tue Oct 21, 2014 1:33 pm

Hi dik23,



We are tracking those CVEs and are currently working on patches/fixes; we expect to have them ready early in November.
dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am


Post by dik23 » Tue Oct 21, 2014 3:46 pm

That's good to know, although early November does seem like quite a long time compared to how long it took the various flavours of Linux that Zimbra sits on to release updated versions of OpenSSL.



Is there a specific reason Zimbra can't use the OpenSSL that's found in the repositories?

ccelis5215
Outstanding Member
Posts: 609
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.0.9.GA.6191.UBUNTU12.64 FOSS


Post by ccelis5215 » Tue Oct 21, 2014 5:15 pm

I don't understand why this is marked as "Answer Suggested"; in any case, it will be once the patches/fixes are ready to deploy.

ccelis

metux
Advanced member
Posts: 146
Joined: Mon Jul 28, 2014 6:21 pm


Post by metux » Fri Oct 24, 2014 7:13 am

[quote]

Is there a specific reason Zimbra can't use the OpenSSL that's found in the repositories?

[/quote]



I've been asking those questions for years now. Their answers are just silly excuses and dumb rants against distros, but no serious arguments whatsoever.

Seems to be some religious issue ...



Actually, I stopped these useless discussions and did it on my own in the OpenZimbra project.
jorgedlcruz
Zimbra Alumni
Posts: 2773
Joined: Thu May 22, 2014 4:47 pm


Post by jorgedlcruz » Fri Oct 24, 2014 12:56 pm

Hi ccelis5215,


This issue will be fixed in the next 8.5.1 and 8.0.9 releases; you can follow the bug here: https://bugzilla.zimbra.com/show_bug.cgi?id=96008


I don't know the exact release date, but I know that it will be soon.


Best regards.

Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
ccelis5215
Outstanding Member
Posts: 609
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.0.9.GA.6191.UBUNTU12.64 FOSS


Post by ccelis5215 » Fri Oct 24, 2014 4:37 pm

Thanks Jorge!
dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am


Post by dik23 » Fri Oct 24, 2014 5:50 pm

Thanks for the update, much appreciated.


However, I'm still a little concerned that OpenSSL considers this to be "Severity: High".


Can anyone here explain how serious a vulnerability this is for Zimbra?

metux
Advanced member
Posts: 146
Joined: Mon Jul 28, 2014 6:21 pm


Post by metux » Mon Oct 27, 2014 2:40 am

[quote]

However, I'm still a little concerned that OpenSSL considers this to be "Severity: High".

[/quote]



Well, allowing a remote attacker to fill up your machine's memory, thus giving him an easy DoS attack vector, is indeed a high-severity case.



If you guys would just use the system OpenSSL (provided by distro packages), the issue would already have been solved by the distros.

But the way you're doing it, we yet again have to wait several weeks for your fix, while our systems remain vulnerable.

Do you call that quality? Seriously?
