Welcome to the Zimbra Forums!
07-01-2009, 07:34 PM
Advanced Member
Posts: 188
I was just thinking the same thing. I logged onto my support account with Zimbra expecting to see something in there, but didn't. I started wondering the same thing, wondering if I really wanted to apply that code to my server.
Zimbra, is this for real?
__________________
Release 6.0.2_GA_1912.UBUNTU8_64 UBUNTU8_64 NETWORK edition + Mobile Option
Activesync with Moto Q9C, HTC Touch Pro, Palm Pro, & Palm Pre
07-01-2009, 07:38 PM
Advanced Member
Posts: 188
OK, that's what I was thinking as well. I figured you might not want to make it public. It's just that alarms started ringing when none of the URLs went back to Zimbra. Just being cautious. Thanks!
__________________
Release 6.0.2_GA_1912.UBUNTU8_64 UBUNTU8_64 NETWORK edition + Mobile Option
Activesync with Moto Q9C, HTC Touch Pro, Palm Pro, & Palm Pre
07-01-2009, 07:45 PM
7-1-09 security patch
In case anybody was waiting for some reports on this, we've applied it to our systems successfully: 5.0.16 on RHEL5-64.
Thanks to all involved for getting the word out and making the patch easy to apply!
07-01-2009, 09:13 PM
Partner (VAR/HSP)
Posts: 184
Zimbra Security Vulnerability Report 2nd July
I received a Zimbra Security Vulnerability Report email today. Is this a hoax or for real? There is no mention of it in the forum announcements.
If real, will this precipitate a new Zimbra release? I really hate 'patching' a system.
Thanks!
__________________
http://agileware.net
Your Australian Zimbra experts: sales, consulting, installation, support
07-01-2009, 09:21 PM
Trained Alumni
Posts: 190
Information about the vulnerability can be found in the support portal, so I would say it's safe to say it's real.
07-01-2009, 09:25 PM
Zimbra Consultant
Posts: 5,784
Valid & available in the portal: https://support.zimbra.com
We apologize for the link URLs in the notice emails being obscured through loopfuse / not pointing directly to files.zimbra or h.yimg and causing concerns over its legitimacy.
Last edited by mmorse: 07-02-2009 at 03:40 PM.
07-02-2009, 07:39 AM
Social engineering
We use ZCS Network Pro. We received a security notice last night from Zimbra advising us to install a patch. I verified the md5 checksum provided in the e-mail. However, the link to the update was directed to the server "loopfuse.net". After inspecting the headers, I saw the e-mail came from this domain as well. Only after looking further in the message source did I notice that the text version of the same e-mail actually provides direct links to the same patch hosted on "zimbra.com".
If Zimbra expects administrators to replace important system files linked to through a third party in an e-mail, doesn't that leave them vulnerable to social engineering? If I had a copy of that same file, except one that creates vulnerabilities instead of fixing them, I could send a similar e-mail to Zimbra admins using a domain which sounds like it could be a marketing partner, tricking them into making their system wide open for attack.
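A defender-side check for the discrepancy described in this post, added here as an example that is not part of the original thread or of Zimbra's tooling: it parses a constructed notice e-mail, lists the link hosts found in the text and HTML parts separately, flags any host outside an assumed vendor domain list, and checks a downloaded file against the MD5 quoted in the notice. The tracker hostname, the vendor domain list and the sample message are all assumptions.

```python
import email, hashlib, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed vendor domains (adjust for the vendor being checked).
TRUSTED_DOMAINS = ("zimbra.com",)

# Constructed sample: HTML links go via a tracker host, the text part links to the vendor.
SAMPLE_EMAIL = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Patch: http://files.zimbra.com/patch.tgz  MD5: 5d41402abc4b2a76b9719d911017c592
--b1
Content-Type: text/html

<html><body><a href="http://tracker.loopfuse.example/c?u=1">Download</a></body></html>
--b1--
"""

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def links_by_part(raw):
    """Map each text/plain and text/html part to the URLs it contains."""
    found = {}
    for part in email.message_from_string(raw, policy=policy.default).walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            found.setdefault(ctype, []).extend(re.findall(r"https?://\S+", part.get_content()))
        elif ctype == "text/html":
            p = _Links(); p.feed(part.get_content())
            found.setdefault(ctype, []).extend(p.hrefs)
    return found

def untrusted_hosts(urls, trusted=TRUSTED_DOMAINS):
    """Hostnames that are neither a trusted domain nor a subdomain of one."""
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]
    return [h for h in hosts if not any(h == d or h.endswith("." + d) for d in trusted)]

def md5_matches(data, published_hex):
    """True if the downloaded bytes hash to the MD5 quoted in the notice."""
    return hashlib.md5(data).hexdigest() == published_hex.lower()
```

A checksum taken from the same e-mail only proves the download is the file the sender meant; it says nothing about who the sender is, which is the point raised above.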
07-02-2009, 08:18 AM
Intermediate Member
Posts: 18
Mailboxd security vulnerability?
Last night I received an email from Zimbra about a security vulnerability in the mailbox server with a link to download a patch. I was going to apply the patch, but it doesn't download from the Zimbra site, which made me a bit concerned. I haven't seen anything about this in the forums, or on the Zimbra site. Is there any more information about this?
Does it just affect NE, or the FOSS version as well? If it affects both, is there a FOSS patch somewhere?
07-02-2009, 08:51 AM
Security scam?
A few minutes ago there was a posting titled "Mailboxd security vulnerability?"; that post is now gone. What's up with that? I have attached a picture of that post.
I did not receive this message, but one of my end users did and has sent it to me. I have looked at the headers on the message and it looks like it was sent from loopfuse.net. Is this a scam? The message looks good, but the source is questionable and the download links are also pointed at loopfuse.
Attachment: Picture 8.jpg
07-02-2009, 08:57 AM
Zimbra Consultant & Moderator
Posts: 11,333
This post has been moderated until a formal forum announcement is made about this issue.
__________________
Regards
Bill