Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
Go Back   Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#11, 12-21-2006, 12:34 PM
Project Contributor (Posts: 203)

Quote:
Originally Posted by martinfst
And DSPAM and MySQL and ....
Even Postfix gets regular updates ..... It's now at 2.3 Patchlevel 5 and Zimbra uses 2.2.9. Not sure about CVEs....

Guess we need some kind of voting thread with all packages to be selected and get an impression from the community of which packages should be "separate".
Whoops! DSPAM yes, I forgot about that.

In general, I would consider packages that are directly exposed to the internet to be the ones I'm worried about as well as things that are indirectly exposed like AmavisD-New/ClamAV/SA/DSPAM because they are processing spam/virus/trojan emails.

Unless you are doing something funny with Zimbra, MySQL not being current shouldn't be an issue as there is no public exposure.

Although Postfix isn't current, I don't think any of those releases included security updates; I think they are just normal feature/bug fix updates. I have a lot of confidence in Postfix because its security track record speaks for itself.

Apache/PHP/A-Spell seems lower risk because of the very limited nature of what you are *supposed* to be doing with that.

Just because there is a vulnerability in a package doesn't mean that you are exposed. It really depends on how the package is being used. So, for example, even though PHP is not current and there are security updates for PHP, I don't think that Zimbra is affected by those because of how it is used.
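The triage rule in the post above (direct internet exposure first, then the components that parse untrusted mail on loopback, then purely internal services, and a version gap is only a signal until the upstream changelog confirms a security fix) can be turned into a repeatable check. The script below is an added example, not code from this thread or from Zimbra. It parses a constructed listing in the shape of `ss -ltnp` output (not captured from a real host), assumes a process-name-to-component mapping, and uses placeholder version numbers for everything except the Postfix pair quoted in the thread (2.2.9 bundled, 2.3.5 upstream).

```python
"""Exposure-based patch triage for a bundled mail stack (added example).

Inputs are constructed samples. Exposure classes mirror the thread's argument:
  direct   - listening on a non-loopback address (internet-reachable)
  indirect - loopback only, but parses untrusted mail content
  internal - loopback only, no untrusted content (e.g. the database)
"""
import re

# Constructed sample in the shape of `ss -ltnp` output; NOT a real capture.
SAMPLE_LISTENERS = """\
LISTEN 0 100  0.0.0.0:25        0.0.0.0:* users:(("master",pid=1201,fd=12))
LISTEN 0 100  127.0.0.1:7780    0.0.0.0:* users:(("httpd",pid=1310,fd=4))
LISTEN 0 50   127.0.0.1:7306    0.0.0.0:* users:(("mysqld",pid=1500,fd=10))
LISTEN 0 100  127.0.0.1:10024   0.0.0.0:* users:(("amavisd",pid=1602,fd=5))
LISTEN 0 100  127.0.0.1:3310    0.0.0.0:* users:(("clamd",pid=1700,fd=4))
LISTEN 0 100  127.0.0.1:783     0.0.0.0:* users:(("spamd",pid=1800,fd=7))
"""

# Assumed process-name -> component mapping (hypothetical for this example).
PROCESS_TO_COMPONENT = {
    "master": "postfix", "httpd": "apache", "mysqld": "mysql",
    "amavisd": "amavisd-new", "clamd": "clamav", "spamd": "spamassassin",
}

# Components that parse attacker-supplied mail even when bound to loopback.
CONTENT_PROCESSORS = {"amavisd-new", "clamav", "spamassassin", "dspam"}

# (bundled, upstream). Postfix versions are the ones quoted in the thread;
# every other pair is a constructed placeholder, not Zimbra's real bundle.
SAMPLE_INVENTORY = {
    "postfix": ("2.2.9", "2.3 Patchlevel 5"),
    "apache": ("2.0.1", "2.0.2"),
    "mysql": ("5.0.1", "5.0.1"),
    "amavisd-new": ("2.4.0", "2.4.1"),
    "clamav": ("0.88.1", "0.88.2"),
    "spamassassin": ("3.1.0", "3.1.0"),
    "dspam": ("3.6.0", "3.6.1"),   # no listener in the sample -> exposure unknown
}

# A version gap alone does not prove a security fix; "urgent"/"high" mean
# "check the upstream changelog now", not "a vulnerability is confirmed".
PRIORITY = {"direct": "urgent", "indirect": "high", "internal": "low", "unknown": "review"}

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_version(text):
    """'2.3 Patchlevel 5' and '2.3.5' both become (2, 3, 5).

    Comparing tuples of ints avoids the classic lexical trap ('2.10' < '2.9').
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


def parse_listeners(text):
    """Return [(process, bind_address, port)] from ss-style LISTEN lines."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            addr, port, proc = m.groups()
            found.append((proc, addr, int(port)))
    return found


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def classify_exposure(listeners):
    """Map each known component to direct / indirect / internal.

    A component bound on both 0.0.0.0 and 127.0.0.1 is 'direct': the
    non-loopback socket wins, so only the loopback classes use setdefault.
    """
    exposure = {}
    for proc, addr, _port in listeners:
        comp = PROCESS_TO_COMPONENT.get(proc)
        if comp is None:
            continue
        if not is_loopback(addr):
            exposure[comp] = "direct"
        elif comp in CONTENT_PROCESSORS:
            exposure.setdefault(comp, "indirect")
        else:
            exposure.setdefault(comp, "internal")
    return exposure


def prioritize(inventory, exposure):
    """'ok' when bundled >= upstream, otherwise a priority driven by exposure."""
    result = {}
    for comp, (bundled, upstream) in inventory.items():
        if parse_version(bundled) >= parse_version(upstream):
            result[comp] = "ok"
        else:
            result[comp] = PRIORITY[exposure.get(comp, "unknown")]
    return result


if __name__ == "__main__":
    exposure = classify_exposure(parse_listeners(SAMPLE_LISTENERS))
    for comp, prio in sorted(prioritize(SAMPLE_INVENTORY, exposure).items()):
        print(f"{comp:14s} {exposure.get(comp, 'unknown'):9s} {prio}")
```

On a real host you would feed `ss -ltnp` (or `netstat -ltnp`) output into `parse_listeners` and fill the inventory from the bundled binaries' own version flags; the point of the split into `classify_exposure` and `prioritize` is that the same version gap lands in a different queue depending on who can reach the daemon.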
#12, 12-24-2006, 12:12 PM
Moderator (Posts: 1,209)
Not Every Component Needs To Be at The Latest Version

It makes sense to me to have ClamAV and SpamAssassin be quickly updated within Zimbra when ClamAV and SA are updated themselves. These packages directly impact the end user experience, and with the overwhelming majority of email traffic comprising spam, bots and viruses, these two packages stand out as ones Zimbra ought to be updating ASAP, IMHO.

Re Apache, Cyrus, Postfix and MySQL, I believe we should get security updates ASAP, but we don't need version updates unless there is a major functionality improvement (anvil in postfix comes to mind as worthy of justifying a version upgrade).

Since Zimbra insists on installing its own version of components normally supplied by a distro, Zimbra to me is kind of like a mini-distro. Consequently, I think Zimbra has a responsibility to keep their "distro" as secure as possible, just as Fedora, SuSE, etc. keep the components of their distro up to date with security updates on a timely basis.

All the best,
Mark
#13, 03-04-2007, 11:41 AM
Project Contributor (Posts: 203)
I opened a bug (RFE) for this...

http://bugzilla.zimbra.com/show_bug.cgi?id=15137

Please vote if you want to see out-of-cycle updates for clamav/spamassassin/etc.
#14, 03-05-2007, 08:12 AM
Special Member (Posts: 149)

As a paying customer, who is liable for not providing a security update? If it's provided but not applied, the responsibility lies with the end user. If the vendor does not provide one in a reasonable time, then won't they be liable?

These packages should be updated as soon as a security fix is made available, or they should be left out for the user to update, provided the means to do so is supported.

My .02...