
Thread: Zimbra ClamAV Security Updates?

  1. #1 jdell (Project Contributor)

    Zimbra ClamAV Security Updates?

    I saw this CVE for ClamAV with a remote buffer overflow and got to wondering about how often ClamAV is updated in Zimbra (and any other package that has an outstanding security vulnerability).

    http://www.cve.mitre.org/cgi-bin/cve...=CVE-2006-5874

    and there are a few others.

    I noticed that Zimbra is still using 0.88.4

    Anybody care to address this? Should I be concerned?

    I'm thinking there ought to be Zimbra micro-patches. I'm certain I can recompile ClamAV without affecting the rest of Zimbra, but it would be nice if there was an 'official' way to do this without a full-blown upgrade.

  2. #2 rsharpe (Elite Member & Volunteer)

    This has been discussed in the past. People have successfully upgraded ClamAV in the past without affecting Zimbra, I'm not sure if anyone has done this lately. Probably the best way to get this upgraded is to put a request into bugzilla and vote on it.

  3. #3 jdell (Project Contributor)

    Quote Originally Posted by rsharpe:
    This has been discussed in the past. People have successfully upgraded ClamAV in the past without affecting Zimbra, I'm not sure if anyone has done this lately. Probably the best way to get this upgraded is to put a request into bugzilla and vote on it.

    Opening a bug and voting for it seems quite silly for security updates. Security updates are not popularity contests.

    IMHO, a Zimbra employee should be tasked with tracking and updating these packages (as necessary) whenever there are security patch releases.

    If a specially crafted email can DOS your zimbra server via ClamAV, that seems like something that ought to be addressed quickly, and not wait until a normal release.

    ZCS 4.0.5 still has ClamAV 0.88.4, which was released in August 2006. Since then, 0.88.5, 0.88.6, and 0.88.7 were all released but not updated in Zimbra.

    Why does Zimbra bother to break out their releases into 8 different RPM packages if you are always going to keep all those packages in lockstep?

    Why not release just an updated rpm for zimbra-mta (or wherever ClamAV and SpamAssassin live) that has the proper dependency checks to ensure RPM and Zimbra happiness?

    Please note, this isn't sour grapes on my part; I just would like to understand what Zimbra's thinking is here and not just stick my head in the sand and hope that I don't get affected by a security problem.
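The version gap jdell describes (a bundled ClamAV 0.88.4 while 0.88.7 is current) is the kind of thing an operator can check automatically. The script below is an added example, not code from the thread or from Zimbra: it compares a dotted version string against a minimum and parses the installed version from a `clamscan --version` style line. The sample line is constructed, the `/opt/zimbra/clamav/bin/clamscan` path is an assumption, and the minimum version is a placeholder the operator chooses.

```shell
#!/bin/sh
# Added example (not from the thread or from Zimbra): flag a bundled ClamAV
# that is older than the minimum version the operator wants. The only facts
# taken from the thread are that ZCS 4.0.5 ships ClamAV 0.88.4 and that
# 0.88.5 to 0.88.7 were released afterwards; paths and the minimum are assumed.

# version_lt A B: return 0 when dotted version A is strictly lower than B.
# Components are compared numerically (0.88.10 > 0.88.9) and a missing
# component counts as 0 (0.88 == 0.88.0). Non-digits are ignored.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=$(printf '%s' "$x" | tr -cd '0-9')
        y=$(printf '%s' "$y" | tr -cd '0-9')
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# parse_clamav_version LINE: extract "0.88.4" from a line shaped like
# "ClamAV 0.88.4/2345/<date>", the format clamscan --version printed in 0.88.
parse_clamav_version() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# clamav_status INSTALLED MINIMUM: print a one-line verdict; return 1 when the
# installed version is below the minimum, 0 otherwise.
clamav_status() {
    if version_lt "$1" "$2"; then
        echo "OUTDATED: ClamAV $1 installed, $2 or newer expected"
        return 1
    fi
    echo "OK: ClamAV $1 installed, $2 or newer expected"
    return 0
}

# Constructed sample line. On a live host one would instead feed the output of
# /opt/zimbra/clamav/bin/clamscan --version (path assumed, not from the thread).
SAMPLE_VERSION_LINE='ClamAV 0.88.4/2345/Mon Jan  1 00:00:00 2007'
installed=$(parse_clamav_version "$SAMPLE_VERSION_LINE")
clamav_status "$installed" 0.88.7 || true
```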

  4. #4 phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by jdell:
    Opening a bug and voting for it seems quite silly for security updates. Security updates are not popularity contests.

    There has been some mention in the past that there will be separate packages that can be updated but it's a way off. Entering something in bugzilla isn't 'silly' if you want to make a suggestion about the way zimbra is packaged. You expect Zimbra staff to read these messages but they don't always have the time to check each forum post. The best thing to do is file an RFE in bugzilla, those entries are for more than just bugs, it's also a feature request system.
    Regards
    Bill

  5. #5 jdell (Project Contributor)

    Quote Originally Posted by phoenix:
    There has been some mention in the past that there will be separate packages that can be updated but it's a way off. Entering something in bugzilla isn't 'silly' if you want to make a suggestion about the way zimbra is packaged. You expect Zimbra staff to read these messages but they don't always have the time to check each forum post. The best thing to do is file an RFE in bugzilla, those entries are for more than just bugs, it's also a feature request system.

    I totally understand what you are saying, and I do file bugs and enhancement requests in bugzilla and I encourage people to vote for them. In fact, I'm very busy in zimbra bugzilla (my bug/enhancement list is pretty long).

    My point is that security updates are a given. They happen. All the time. I can kind of understand if you are using the FOSS version of Zimbra, but I'm a paying customer and have 3 licensed NE installs. Zimbra should be tracking and updating these things. It shouldn't require input from a user to notice that ClamAV needs to be updated.

    There are email announce lists for every FOSS product I use that includes info about security updates. I subscribe to them, so can someone from Zimbra.

    If I need to open a bug each time I get a release notice from ClamAV, SpamAssassin, etc, I'll do that, but I really don't think it is appropriate for *me* (joe user) to do that. It just seems appropriate for a Zimbra employee to do that.

    I serve that role for software products that I develop (keeping track of security updates for FOSS software we use). That just goes with the territory...but I expect those to be provided for software I'm paying for. I don't think that is an unreasonable expectation.

  6. #6 phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by jdell:
    If I need to open a bug each time I get a release notice from ClamAV, SpamAssassin, etc, I'll do that, but I really don't think it is appropriate for *me* (joe user) to do that. It just seems appropriate for a Zimbra employee to do that.

    It's already been mentioned that someone on the forums has done an update to ClamAV. I'm not suggesting you file an RFE for each security update, it seems to me that what you're asking for is a change to the way Zimbra is packaged and distributed - that's what I'm suggesting you file an RFE for.
    Regards
    Bill

  7. #7 jdell (Project Contributor)

    Quote Originally Posted by phoenix:
    It's already been mentioned that someone on the forums has done an update to ClamAV. I'm not suggesting you file an RFE for each security update, it seems to me that what you're asking for is a change to the way Zimbra is packaged and distributed - that's what I'm suggesting you file an RFE for.

    I don't know that the way it is packaged and distributed needs to change, I just see an included FOSS package that needs an update not being updated.

    I was hoping that folks on the forums might bounce around different ideas on how this problem might be solved.

    In my mind, forums are an appropriate place to discuss/debate the general ideas. Bugzilla has always seemed to be the place for very specific bugs/enhancement requests. If I'm off base on that, I will definitely open a bugzilla ticket.

  8. #8 martinfst (Intermediate Member)

    Quote Originally Posted by jdell:
    My point is that security updates are a given. They happen. All the time.

    I fully support this. Zimbra staff should (must) pay attention to security vulnerabilities and act accordingly. I really would like to support the request to break the whole of Zimbra into separate packages, especially as a lot of the components are individual packages anyway. Many OSes support this, specifically the target platform RedHat by means of RPMs.

    What's the bugzilla number to vote for this? Or hasn't a single RFE been created yet? A quick scan of the bugzilla list shows several similar requests, but I failed to find a single clear request...

  9. #9 jdell (Project Contributor)

    Quote Originally Posted by martinfst:
    What's the bugzilla number to vote for this? Or hasn't a single RFE been created yet? A quick scan of the bugzilla list shows several similar requests, but I failed to find a single clear request...

    I'd like to kick around the ideas here in the forum before opening a bugzilla RFE. That seems the best way to get mindshare and agreement before we specifically propose something in bugzilla.

    Quote Originally Posted by martinfst:
    I fully support this. Zimbra staff should (must) pay attention to security vulnerabilities and act accordingly. I really would like to support the request to break the whole of Zimbra into separate packages, especially as a lot of the components are individual packages anyway. Many OSes support this, specifically the target platform RedHat by means of RPMs.

    My first thought is that the low-hanging fruit is ClamAV and SpamAssassin. IMHO, these 2 packages are the most likely to see frequent updates. I can't remember the last time I saw a postfix security update. I'm not a Java guy so I can't speak to all the Java stuff.

    So, what about splitting out ClamAV and SpamAssassin into a separate RPM (zimbra-mail-filter?) that would include Source RPMs for easy rebuild (dependencies for these would just be standard clam/sa deps plus installed Zimbra RPMs and version checks)? Maybe, probably, amavisd-new ought to be included in there?

  10. #10 martinfst (Intermediate Member)

    Quote Originally Posted by jdell:
    So, what about splitting out ClamAV and SpamAssassin into a separate RPM (zimbra-mail-filter?) that would include Source RPMs for easy rebuild (dependencies for these would just be standard clam/sa deps plus installed Zimbra RPMs and version checks)? Maybe, probably, amavisd-new ought to be included in there?

    And DSPAM and MySQL and ....
    Even Postfix gets regular updates ..... It's now at 2.3 Patchlevel 5 and Zimbra uses 2.2.9. Not sure about CVE's....

    Guess we need some kind of voting thread with all packages to be selected and get an impression from the community of which packages should be "separate".
