
Thread: Zimbra ClamAV Security Updates?

  1. #11
    jdell is offline Project Contributor

    Quote: Originally posted by martinfst
        And DSPAM and MySQL and ....
        Even Postfix gets regular updates ..... It's now at 2.3 Patchlevel 5 and Zimbra uses 2.2.9. Not sure about CVEs....

        Guess we need some kind of voting thread with all packages to be selected and get an impression from the community of which packages should be "separate".

    Whoops! DSPAM yes, I forgot about that.

    In general, I would consider packages that are directly exposed to the internet to be the ones I'm worried about, as well as things that are indirectly exposed like AmavisD-New/ClamAV/SA/DSPAM because they are processing spam/virus/trojan emails.

    Unless you are doing something funny with Zimbra, MySQL current shouldn't be an issue as there is no public exposure.

    Although Postfix isn't current, I don't think any of those releases included security updates; I think they are just normal feature/bug fix updates. I have a lot of confidence in Postfix because its security track record speaks for itself.

    Apache/PHP/A-Spell seems lower risk because of the very limited nature of what you are *supposed* to be doing with that.

    Just because there is a vulnerability in a package doesn't mean that you are exposed. It really depends on how the package is being used. So, for example, even though PHP is not current and there are security updates for PHP, I don't think that Zimbra is affected by those because of how it is used.

  2. #12
    LMStone is offline Moderator

    Not Every Component Needs To Be at The Latest Version

    It makes sense to me to have ClamAV and SpamAssassin be quickly updated within Zimbra when ClamAV and SA are updated themselves. These packages directly impact the end user experience, and with the overwhelming majority of email traffic comprising spam, bots and viruses, these two packages stand out as ones Zimbra ought to be updating ASAP, IMHO.

    Re Apache, Cyrus, Postfix and MySQL, I believe we should get security updates ASAP, but we don't need version updates unless there is a major functionality improvement (anvil in postfix comes to mind as worthy of justifying a version upgrade).

    Since Zimbra insists on installing its own version of components normally supplied by a distro, Zimbra to me is kind of like a mini-distro. Consequently, I think Zimbra have a responsibility to keep their "distro" as secure as possible, just as Fedora, SuSE, etc. keep the components of their distro up to date with security updates on a timely basis.

    All the best,
    Mark

  3. #13
    jdell is offline Project Contributor

    I opened a bug (RFE) for this...

    http://bugzilla.zimbra.com/show_bug.cgi?id=15137

    Please vote if you want to see out-of-cycle updates for clamav/spamassassin/etc.

  4. #14
    su_A_ve is offline Advanced Member

    As a paying customer, who's liable for not providing a security update? If it's provided, but not applied, the responsibility lies on the end user. If the vendor does not provide one in a reasonable time, then won't they be liable?

    These packages should be updated as soon as a security fix is made available, or they should be left out for the user to update, provided the means to do so is supported.

    My .02...
