Page 1 of 2 (results 1 to 10 of 14)

Thread: Request: Emergency Security Fix for CVE-2014-0160

  1. #1 jafeha, Starter Member (joined Feb 2014)

    Request: Emergency Security Fix for CVE-2014-0160

    Hello,

    Issue
    yesterday a serious bug in OpenSSL was published as CVE-2014-0160. As described on heartbleed.com, this bug allows anyone on the internet to read up to 64K of memory on affected systems. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.

    Affected OpenSSL Versions
    The following OpenSSL Versions are affected:

    • OpenSSL 1.0.1 up to 1.0.1f
    • OpenSSL 1.0.2-beta up to 1.0.2-beta1


    Fixed Versions
    The Issue is fixed in the following versions:
    • OpenSSL 1.0.1g
    • OpenSSL 1.0.2-beta2


    Zimbra Affected Versions
    I haven't put too much effort into checking affected Zimbra versions, but as far as I can see last week's ZCS 8.0.7 & 7.2.7 are still affected, as they're running OpenSSL 1.0.1f. I see that you guys are already working on confirmation, as Bug 88688 was filed for Zimbra.

    Request: Emergency Fix
    This being a really serious issue, I'd kindly ask for an emergency security upgrade to ZCS 8.0.7a & 7.2.7a or any other version introducing OpenSSL 1.0.1g. I know this causes stress and needs testing, but because of the severity I'd really like to fix this ASAP.
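    The affected and fixed ranges listed in this post (and the note later in the thread that ZCS 7's OpenSSL 1.0.0 is not vulnerable) are easy to misread when the version carries a patch letter or a beta suffix. The following is an added example, not code from the thread or from Zimbra: it parses the first line of `openssl version -a` into an ordering key, applies those ranges, and returns a verdict. The default binary path in `classify_binary` is an assumption derived from the /opt/zimbra/openssl/lib directory mentioned later in the thread; the sample version lines are constructed.

```python
"""Version-range check for CVE-2014-0160 (Heartbleed).

Added example, not code from the thread or from Zimbra.  It encodes the ranges
quoted in post #1 (1.0.1 to 1.0.1f and 1.0.2-beta to 1.0.2-beta1 affected;
1.0.1g and 1.0.2-beta2 fixed) and the note in post #6 that 1.0.0 is not
vulnerable, and applies them to the first line of `openssl version -a`.
"""
import re
import subprocess

# Ordering key: (major, minor, patch, release_flag, sub).  release_flag is 0 for
# a beta and 1 for a release; sub is the beta number or the patch-letter index
# (a=1 ... z=26, none=0).  Hence 1.0.2-beta1 < 1.0.2-beta2 < 1.0.2 < 1.0.2a and
# 1.0.1f < 1.0.1g.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d*))?")


def parse_version(text):
    """Return the ordering key for the first OpenSSL version found in `text`.

    Accepts a bare version ("1.0.1f", "1.0.2-beta1") or the first line of
    `openssl version -a` ("OpenSSL 1.0.1e-fips 11 Feb 2013"; the "-fips" tag
    used by RHEL/CentOS builds is ignored).
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % (text,))
    major, minor, patch, letter, beta = m.groups()
    if beta is not None:                       # "-beta" or "-betaN"
        return (int(major), int(minor), int(patch), 0, int(beta or 0))
    sub = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), 1, sub)


AFFECTED_RANGES = (
    (parse_version("1.0.1"), parse_version("1.0.1f")),
    (parse_version("1.0.2-beta"), parse_version("1.0.2-beta1")),
)
FIRST_AFFECTED = parse_version("1.0.1")


def classify(text):
    """'affected', 'fixed' (1.0.1g+, 1.0.2-beta2+) or 'not-affected' (< 1.0.1).

    Caveat: this is a version-string check only.  Distributions that backport
    the fix keep the old string (the OS package after the `yum update openssl`
    in post #7 is still named libssl.so.1.0.1e), so 'affected' for an OS
    package means "confirm against the vendor advisory", not "certainly
    vulnerable".  Zimbra's own bundled OpenSSL is not backported this way.
    """
    v = parse_version(text)
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    if v < FIRST_AFFECTED:
        return "not-affected"
    return "fixed"


def classify_binary(binary="/opt/zimbra/openssl/bin/openssl"):
    """Run `<binary> version -a` and classify its first line.

    The default path is an assumption derived from the /opt/zimbra/openssl/lib
    directory mentioned in post #7; pass the real path if it differs.
    """
    out = subprocess.check_output([binary, "version", "-a"]).decode("ascii", "replace")
    return classify(out.splitlines()[0])


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real host.
    for sample in ("OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1e-fips 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014", "1.0.2-beta1", "1.0.2-beta2",
                   "OpenSSL 1.0.0-fips 29 Mar 2010"):
        print("%-35s %s" % (sample, classify(sample)))
```

    Run it on a ZCS host as the zimbra user with `python heartbleed_version.py`, or call `classify_binary()` with the path of each OpenSSL binary in play (Zimbra's bundled one and the OS one), since a server that loads both has two answers, not one.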

  2. #2 phoenix, Zimbra Consultant & Moderator (joined Sep 2005, Vannes, France)

    Quote Originally Posted by jafeha View Post
    Request: Emergency Fix
    This being a really serious issue, I'd kindly ask for an emergency security upgrade to ZCS 8.0.7a & 7.2.7a or any other version introducing OpenSSL 1.0.1g. I know this causes stress and needs testing, but because of the severity I'd really like to fix this ASAP.
    These are community support forums, not official Zimbra support, and RFEs and bug requests go in Bugzilla, not these forums; vote on the outstanding bug reports (or create one if none exists) for the relevant version(s) of ZCS.
    Regards,
    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3 Klug, Moderator (joined Mar 2006, Beaucaire, France)

  4. #4 quanah, Zimbra Employee (joined May 2007)

    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  5. #5 davidkillingsworth, Loyal Member (joined Feb 2012, Hong Kong)

    Is Zimbra 7 affected? The announcement forum post only mentioned Zimbra 8.0.x
    Release 7.2.4_GA_2900.UBUNTU10_64 UBUNTU10_64 FOSS edition.

  6. #6 quanah, Zimbra Employee (joined May 2007)

    If you read the announcement, it specifically says:

    ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable

  7. #7 twokeys, Intermediate Member (joined Oct 2012)

    Why don't you just relink your SSL libraries? Why hasn't anybody mentioned it? Sure, it's not the best way to do it, but it works.

    I'm on Zimbra 8.0.2 Open Source.

    All I did to fix the problem was:

    # log in to the MTA/proxy host and update the OS OpenSSL package first
    yum update openssl
    cd /opt/zimbra/openssl/lib
    unlink libssl.so
    mv libssl.so.1.0.0 orig.libssl.so.1.0.0               # keep Zimbra's copy for rollback
    ln -sf /usr/lib64/libssl.so.1.0.1e ./libssl.so.1.0.0  # point Zimbra's soname at the OS library
    ln -sf /usr/lib64/libssl.so.1.0.1e ./libssl.so
    service zimbra restart

    We had about 10 seconds of outage while the restart happened, and it fixed our problem. The official guide posted is good, but if you just need to get this fixed, you should be able to do it this way too.

  8. #8 quanah, Zimbra Employee (joined May 2007)

    Quote Originally Posted by twokeys View Post
    Why don't you just relink your SSL libraries? Why hasn't anybody mentioned it? Sure it's not the best way to do it, but it works..

    I'm on Zimbra 8.0.2 Open Source.
    a) This only works on OSes that have OpenSSL 1.0.1 (RHEL6, Ubuntu12).
    b) OS openssl builds are not built or linked the same way as Zimbra OpenSSL builds. By doing this, you add additional CONFLICTING libraries (On RHEL, for example, you are now loading MIT kerberos in along with Heimdal Kerberos) into the Zimbra user process space (particularly for postfix, openldap, and nginx)

    I would also note that there is a reason no security patches for the last several major issues have been released for ZCS 8.0.2. NO ONE, as has been stated numerous times, should be running ZCS 8.0.2, as it is completely unstable and can have instant irreversible database corruption at any time. Save yourself and your users, and please upgrade to ZCS 8.0.7.

    Thanks
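    The two objections in #8 to the relink in #7 are both things you can verify on the box rather than argue about: which libssl a Zimbra daemon has actually mapped, and whether it now carries two implementations of the same library family (MIT and Heimdal Kerberos both appearing as libkrb5). The script below is an added example, not code from the thread or from Zimbra. It reads a /proc/<pid>/maps file and reports both conditions. The Heimdal directory, the sonames and the addresses in the embedded sample are assumptions constructed for illustration, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the thread or from Zimbra): audit which shared objects a
# running Zimbra daemon has actually mapped, by reading /proc/<pid>/maps, and flag
#   (a) a libssl that does not come from Zimbra's own tree (/opt/zimbra/...), i.e.
#       the result of the relink in post #7, and
#   (b) the same library family (e.g. libkrb5) mapped from two different
#       directories in one process, the MIT-plus-Heimdal conflict post #8 warns about.
# On a live server, as root:  audit_maps /proc/$(pgrep -n -u zimbra nginx)/maps
# The Heimdal path and sonames in the sample below are assumptions.

ZIMBRA_ROOT="/opt/zimbra"

# Unique backing files of all mapped shared objects (field 6 of a maps line).
mapped_libs() {
    awk 'NF >= 6 && $6 ~ /\.so/ { print $6 }' "$1" | sort -u
}

# (a) Where does libssl come from?  Prints OK_SSL or NONZIMBRA_SSL per copy.
check_libssl_origin() {
    mapped_libs "$1" | grep '/libssl\.so' | while read -r path; do
        case "$path" in
            "$ZIMBRA_ROOT"/*) echo "OK_SSL $path" ;;
            *)                echo "NONZIMBRA_SSL $path" ;;
        esac
    done
}

# (b) Same family (basename up to ".so") mapped from more than one directory.
check_duplicate_families() {
    mapped_libs "$1" | awk '{
        fam = $0; sub("^.*/", "", fam); sub(/\.so.*$/, "", fam)
        dir = $0; sub("/[^/]*$", "", dir)
        if (!(fam in first)) { first[fam] = dir } else if (first[fam] != dir) { print "CONFLICT " fam " " first[fam] " " dir }
    }'
}

audit_maps() {
    check_libssl_origin "$1"
    check_duplicate_families "$1"
}

# Constructed sample maps excerpt for an nginx worker after the relink in post #7:
# libssl now comes from the OS, libcrypto is still Zimbra's, and two libkrb5 are
# loaded (MIT from /usr/lib64, Heimdal from an assumed /opt/zimbra/heimdal path).
write_sample_maps() {
    cat > "$1" <<'EOF'
7f0000001000-7f0000002000 r-xp 00000000 08:01 1 /opt/zimbra/nginx/sbin/nginx
7f0000100000-7f0000200000 r-xp 00000000 08:01 2 /usr/lib64/libssl.so.1.0.1e
7f0000200000-7f0000300000 r-xp 00000000 08:01 3 /opt/zimbra/openssl/lib/libcrypto.so.1.0.0
7f0000300000-7f0000400000 r-xp 00000000 08:01 4 /usr/lib64/libkrb5.so.3
7f0000400000-7f0000500000 r-xp 00000000 08:01 5 /opt/zimbra/heimdal/lib/libkrb5.so.26
7f0000500000-7f0000600000 r-xp 00000000 08:01 6 /lib64/libc.so.6
7f0000600000-7f0000601000 rw-p 00000000 00:00 0
EOF
}

sample=$(mktemp)
write_sample_maps "$sample"
audit_maps "$sample"
rm -f "$sample"
```

    On the constructed sample this prints a NONZIMBRA_SSL line for /usr/lib64/libssl.so.1.0.1e and a CONFLICT line for libkrb5; a clean ZCS process shows one OK_SSL line and no CONFLICT lines. Run it against postfix, slapd and nginx PIDs, the three daemons #8 singles out, rather than only the one you relinked.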

  9. #9 twokeys, Intermediate Member (joined Oct 2012)

    Quote Originally Posted by quanah View Post
    a) This only works on OSes that have OpenSSL 1.0.1 (RHEL6, Ubuntu12).
    b) OS openssl builds are not built or linked the same way as Zimbra OpenSSL builds. By doing this, you add additional CONFLICTING libraries (On RHEL, for example, you are now loading MIT kerberos in along with Heimdal Kerberos) into the Zimbra user process space (particularly for postfix, openldap, and nginx)

    I would also note that there is a reason no security patches for the last several major issues have been released for ZCS 8.0.2. NO ONE, as has been stated numerous times, should be running ZCS 8.0.2, as it is completely unstable and can have instant irreversible database corruption at any time. Save yourself and your users, and please upgrade to ZCS 8.0.7.

    Thanks
    Hey, yeah, sorry, I guess I overlooked that people may use an OS other than CentOS/RHEL. Apologies. Our server was upgraded to 8.0.6 last month.

    Either way, I saw the upgrade procedure and we weren't able to go through it for certain reasons. We did this instead for the time being. Unless this effect you're talking about will happen over time, there is nothing going wrong with our email server right now.

  10. #10 quanah, Zimbra Employee (joined May 2007)

    There's no way to specifically say when it'll occur. Processes will just randomly crash. I'd be curious why you are unable to download an updated build of OpenSSL from Zimbra and deploy it.
