Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

#1 | 10-18-2006, 05:35 PM | Active Member | Posts: 47

Zimbra Security Patches or Updates?

So... there are vulnerabilities in ClamAV... Is Zimbra planning on releasing an updated version of Zimbra with a patched ClamAV?

From Secunia:

A vulnerability has been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the HTTP client in the Freshclam command line utility. This can be exploited to cause a stack-based buffer overflow when the HTTP headers received from a web server exceed 8KB.

Successful exploitation requires that Freshclam is used to download virus signature updates from a malicious mirror web server e.g. via DNS poisoning.

The vulnerability has been reported in version 0.80 through 0.88.1.
#2 | 10-18-2006, 05:52 PM | Project Contributor | Posts: 58
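A defensive illustration of the boundary the advisory above describes, added here and not code from ClamAV or Zimbra: an HTTP header reader that refuses any mirror response whose header block would not fit in a fixed 8 KB buffer, instead of overrunning it. The buffer size, function names and the constructed responses are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define HDR_MAX 8192   /* assumed size of the fixed header buffer the advisory describes */
/* Copy the HTTP header block (everything up to and including "\r\n\r\n") from
 * resp into out. Only the first out_sz-1 bytes of resp are searched, so a header
 * block that does not terminate inside the buffer is rejected rather than copied. */
static long copy_header_block(const char *resp, size_t resp_len, char *out, size_t out_sz)
{
    if (out_sz == 0) return -1;
    size_t limit = resp_len < out_sz - 1 ? resp_len : out_sz - 1;
    for (size_t i = 0; i + 4 <= limit; i++) {
        if (memcmp(resp + i, "\r\n\r\n", 4) == 0) {
            memcpy(out, resp, i + 4);
            out[i + 4] = '\0';
            return (long)(i + 4);
        }
    }
    return -1;   /* no terminator within the bounded window: header block too long */
}

/* Parse a mirror response into a fixed stack buffer. Returns 1 if the header
 * block fits, 0 if the response is refused (the overflow case in the advisory). */
static int check_mirror_headers(const char *resp, size_t resp_len)
{
    char hdr[HDR_MAX];
    if (copy_header_block(resp, resp_len, hdr, sizeof hdr) < 0) {
        fprintf(stderr, "refusing mirror response: headers exceed %d bytes\n", HDR_MAX - 1);
        return 0;
    }
    return 1;
}

/* Constructed sample: a response whose header block is exactly header_bytes long
 * (status line, one 'A'-padded header, blank line) to probe the 8 KB boundary. */
static int demo_padded_response(size_t header_bytes)
{
    static const char prefix[] = "HTTP/1.1 200 OK\r\nX-Padding: ";
    size_t fixed = (sizeof prefix - 1) + 4;   /* prefix plus the "\r\n\r\n" terminator */
    if (header_bytes < fixed) return -1;
    char *resp = malloc(header_bytes);
    if (!resp) return -1;
    memcpy(resp, prefix, sizeof prefix - 1);
    memset(resp + (sizeof prefix - 1), 'A', header_bytes - fixed);
    memcpy(resp + header_bytes - 4, "\r\n\r\n", 4);
    int ok = check_mirror_headers(resp, header_bytes);
    free(resp);
    return ok;
}
```

A header block of 8191 bytes is the largest that fits; 8192 or more is refused before any byte lands outside the buffer.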

Originally Posted by illscientific:
> So... there are vulnerabilities in ClamAV... Is Zimbra planning on releasing an updated version of Zimbra with a patched ClamAV?
>
> Successful exploitation requires that Freshclam is used to download virus signature updates from a malicious mirror web server e.g. via DNS poisoning.
I absolutely agree that every vuln should be fixed asap, so thanks for your post.
But Secunia should be aware that if an antivirus can get updates from a malicious site, a DoS attack is really the best thing that can happen!
Ciao
Claudio
#3 | 10-19-2006, 04:00 AM | OpenSource Builder & Moderator | Posts: 1,166

I think recent versions for a while have used 0.88.4, no?
#4 | 10-19-2006, 06:03 AM | Special Member | Posts: 124

0.88.5 is out.
Fixes issues with .chm files, which I already block, so not a real big issue for me.
A ClamAV upgrade is super simple anyway though, so I usually do it right away just to get it done.

Scotty
#5 | 10-19-2006, 11:00 AM | Active Member | Posts: 47

I just really hope Zimbra takes vulnerabilities in the open source software they use to make their product seriously, and that it doesn't degenerate into listing mitigating circumstances or coming up with reasons they feel it is not necessary to fix, rather than updating the software like most administrators would desire to happen. This would be yet another reason to use Zimbra over Exchange.
#6 | 10-19-2006, 02:32 PM | Special Member | Posts: 124

Exchange has more holes than Zimbra does really. ;-)
Then, it's one of those YMMV things, I guess.
For me, with the couple of minutes I spend a day looking at the logs and such, doing a simple anti-virus engine upgrade so far hasn't been a big issue.
Takes me two minutes now and done. So, not sure if it's an apples to oranges comparison really.
Spend more time fixing and patching and maintaining Exchange, and also a lot more $$$ by the time you add up all of the stuff you have to buy extra; I am willing to do a couple of things myself. Not many things have come out needing to be patched like RIGHT NOW for blatant security issues/holes other than clamav really. At least that I have seen since June of this year, when I moved my mail over to Zimbra.

I do notice as the Zimbra version numbers increase, the underlying stuff does get upgraded. I am fairly sure that if I had the Network Edition (I have the free version), they could SSH in and take care of it if I called. (shrug)
With Exchange, I was subscribed to a Microsoft announce list but always found out it had a vulnerability way before it was announced by them on CERT and other websites, so not really seeing anything different, in that way, other than just me getting in there and taking care of patches when they come out.

Ya know?

Scotty