Update Procedure?

[dionrowney]

I finally completed my install of Zimbra... only to hear from Steve Gibson that there is a vulnerbility in Clam AV that allows for an exploit of server (Security Now episode 141: transcript: http://www.grc.com/sn/SN-141.txt).... So I began looking for the procedure to update an existing installation of Zimbra... with little success.

So, is there a documented official procedure to update Zimbra installations?

If so what/where is it?

Many thanks.

[mmorse]

What version are you currently running? NE or FOSS?
Start here: 5.0.5 is Released!
Directions are at the bottom of the release notes.
Make a backup Backup and Restore Articles - Zimbra :: Wiki
Download 5.0.5, untar it, run the installer
http://www.zimbra.com/forums/announcements/12153-dont-forget-update-your-profile.html#post62754

[dionrowney]

I am running 5.0.4.

I can definately do that. I started it and it looked like it was going to uprade. I assume no configs will be wiped?

I also looked at the mta rpm:

rpm -qpl packages/zimbra-mta-5.0.5_GA_2201.RHEL5-20080417012110.i386.rpm |grep clam|less

and can see that the version of clam av is outdated by this version # (newest is 0.93). Was the exploit Steve Gibson is referring to patched in the latest zimbra download?

dion

[mmorse]

Have you made a backup?
That transcript doesn't include any vulnerability number but I gather it's the same as every other site is talking about, which was actually patched in a 0.92 defs update.
5.0.6 will include 0.93 Bug 27165 - Update ClamAV to 0.93 or higher

[dionrowney]

Are you saying that the vulnerability probably doesnt exist in my version (zcs-5.0.4_GA_2101.RHEL5.20080321150546) as the AV version is clamav-0.92.1? Should I be in a hurry to upgrade to this next version or can we take the time to plan it properly?

Dion

[mmorse]

Again the transcript you posted isn't very descriptive:
http://www.grc.com/sn/SN-141.txt

STEVE: Okay. So in the last couple weeks a bunch of stuff has happened. First of all, probably maybe most important, there's a huge problem has been found in the ClamAV system.
LEO: Oh, dear. That's not good.
STEVE: It's open source, as you know, very popular open source antivirus. The problem is that because it's open source, the bad guys have the same access to it as the good guys have. So there are proof-of-concept exploits out such that, if you've got ClamAV filtering your email for malware, viruses, spam, whatever, you can send somebody using the current release of ClamAV a deliberate malformed piece of email. The email scanner has a buffer overflow in it.
LEO: Oh, interesting.
STEVE: Which means that - and, for example, ClamAV is often run on email servers, where it'll be, like, scanning all the mail coming into a corporate facility, to the corporate server. So spam - and as far as we know it's not in the wild yet. Updates are available. So I wanted to make sure that anyone who thinks maybe even their corporation, if they think their corporation IT guys are using ClamAV, make sure they have updated to the latest because - and it's not the signatures they need to update. That's probably happening all the time. It's the code itself has a problem such that just it receiving spam can take over the server.
LEO: That's wild. That is wild.
STEVE: Yeah. So anyway, so...
LEO: So people would - spammers would send out this message to everybody, hoping that they're going to snag somebody who's running the ClamAV...
STEVE: Exactly. Anybody who has not updated, who's running the pre-most recent update, would be vulnerable. And their own AV, I mean, when you think about it, the last place you want a buffer overrun or a similar sort of exploit is in your AV, which you've added to make your system more secure. In the process you've made it much more vulnerable.
LEO: And by the way, it's not just ClamAV. I've heard these kinds of similar buffer overruns with...
STEVE: Yes. I don't mean to be picking...
LEO: Almost all antiviruses seem to have this problem, or have had this problem at one point or another.
STEVE: Well, remember my favorite quote from the RSA show is "Information wants to be free, and code wants to be wrong."
LEO: The other thing you should pay attention to is that ClamAV is used as the engine for many other third-party solutions, so you might want to check and see what the AV engine is in your solution and update as needed.

Based on timing I'm assuming your talking about the one listed here: Techworld.com - Open-source email scanner hit by exploit

According to Danish bug-tracking company Secunia, a vulnerability within the ""cli_scanpe()" function in "libclamav/pe.c" could be exploited with a rigged "Upack" file.

Prior to issuing the patch, ClamAV had remotely disabled the vulnerable module, said a ClamAV spokesman. "Note that 1 week ago the vulnerable module has been switched off via DCONF using a special CVD update so older installations cannot be exploited," said Luca Gibelli in an email.

Users unable to deploy the patch who have also not updated ClamAV's signatures - the program received those as CVD, or ClamAV Virus Database file - should not scan untrusted PE (Portable Executable) files, Secunia recommended.

Another approach if you so desire would be to Updating CLAMAV - Zimbra :: Wiki (again make a backup first)
There's also: Bug 15137 - Breakout RPM packages for ClamAV, SpamAssassin and Others to allow out of cycle updates

We always suggest upgrading to the latest ZCS release whenever possible, as we often fix all sorts of other minor security things as well.

[dionrowney]

Great. It sounds like if the server was getting regular updates then vulnerbility will have been shut off.

thanks