
Thread: Request: Emergency Security Fix for CVE-2014-0160

  1. #11
    twokeys (Intermediate Member)

    Quote (originally posted by quanah):
        There's no specifically noting when it'll occur. Processes will just randomly crash. I'd be curious why you are unable to download an updated build of openssl from Zimbra and deploy it.

    I (think) I misunderstood what the patch does.

    After you saying that and re-reading the Security Fix post, this line threw me right off:

    The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:
    ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7

    It sounded to me like the patch downloads the fixed version of openssl, then proceeds to upgrade your Zimbra! I have created a window to apply the official patch tonight. Thanks for your help, Quanah.

  2. #12
    LMStone (Moderator)

    Quote (originally posted by twokeys):
        I (think) I misunderstood what the patch does.

        After you saying that and re-reading the Security Fix post, this line threw me right off:

        The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:
        ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7

        It sounded to me like the patch downloads the fixed version of openssl, then proceeds to upgrade your Zimbra! I have created a window to apply the official patch tonight. Thanks for your help, Quanah.

    Running the patch downloads an updated, fixed version of OpenSSL and replaces the defective version within /opt/zimbra tree. You need to restart Zimbra thereafter.

    Even on busy mailbox servers with thousands of mailboxes, restarting Zimbra takes but a minute or two. Many users will never even notice the restart unless they are doing something interactively with the server. Composing a new email in the web UI is not impacted by a Zimbra restart (but saving a draft will fail).

    Hope that helps,
    Mark

  3. #13
    twokeys (Intermediate Member)

    Quote (originally posted by LMStone):
        Running the patch downloads an updated, fixed version of OpenSSL and replaces the defective version within /opt/zimbra tree. You need to restart Zimbra thereafter.

        Even on busy mailbox servers with thousands of mailboxes, restarting Zimbra takes but a minute or two. Many users will never even notice the restart unless they are doing something interactively with the server. Composing a new email in the web UI is not impacted by a Zimbra restart (but saving a draft will fail).

        Hope that helps,
        Mark

    Understood. Like I said, the way the line was worded just made me believe that it will update Zimbra's OpenSSL then upgrade Zimbra itself to a new version. I realize I misread and it was referring to upgrading the OpenSSL library. Thanks again.

  4. #14
    LMStone (Moderator)

    Quote (originally posted by twokeys):
        Understood. Like I said, the way the line was worded just made me believe that it will update Zimbra's OpenSSL then upgrade Zimbra itself to a new version. I realize I misread and it was referring to upgrading the OpenSSL library. Thanks again.

    I now see how someone might interpret "package" as "all of Zimbra" instead of "the just-downloaded and patched OpenSSL package" but having applied the patches yesterday (don't ask me how many terminal windows to different Zimbra servers I had open yesterday all at once...) I can assure you the download and installation process for the "just-downloaded and patched OpenSSL package" :-) is very quick. The Zimbra restart will take a little longer.

    And just to be clear at the risk of telling you something you've most likely already sorted out: 8.0.7 needs this OpenSSL patch too. So, if you upgrade your Zimbra server to 8.0.7 at a later date you MUST reapply the OpenSSL patch for 8.0.7 else you will have just re-enabled the exploit!

    Hope that helps,
    Mark
