Yesterday a serious bug in OpenSSL was published as CVE-2014-0160. As described on heartbleed.com, this bug allows anyone on the internet to read up to 64K of memory on affected systems. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
Affected OpenSSL Versions
The following OpenSSL versions are affected:
- OpenSSL 1.0.1 up to 1.0.1f
- OpenSSL 1.0.2-beta up to 1.0.2-beta1
The issue is fixed in the following versions:
- OpenSSL 1.0.1g
- OpenSSL 1.0.2-beta2
Zimbra Affected Versions
I haven't put too much effort into checking affected Zimbra versions, but as far as I can see last week's ZCS 8.0.7 & 7.2.7 are still affected as they're running OpenSSL 1.0.1f. I see that you guys are already working on confirmation, as Bug 88688 was filed for Zimbra.
Request: Emergency Fix
This being a really serious issue, I'd kindly ask for an emergency security upgrade to ZCS 8.0.7a & 7.2.7a or any other version introducing OpenSSL 1.0.1g. I know this causes stress and needs testing, but because of the severity I'd really like to fix this ASAP.
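As an added example (not code from the original post or from Zimbra), here is a small check that classifies an `openssl version` banner against exactly the affected and fixed ranges listed above; the function names are my own, and the vendor-backport caveat is spelled out in a comment.

```python
import re
import subprocess

# Ranges quoted in the post: 1.0.1 through 1.0.1f and 1.0.2-beta through
# 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 are fixed.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d*))?")


def parse_openssl_version(text):
    """Turn a version string, or the whole output of `openssl version`
    (e.g. "OpenSSL 1.0.1f 6 Jan 2014"), into a comparable tuple
    (major, minor, fix, letter_rank, beta).
    letter_rank is 0 for "1.0.1", 1 for "1.0.1a", ... 6 for "1.0.1f";
    beta is None for a release, 0 for a bare "-beta", n for "-betaN".
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    major, minor, fix, letters, beta = m.groups()
    rank = 0
    for ch in letters:  # a..z -> 1..26; a second letter sorts after "z"
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    beta_num = None if beta is None else (int(beta) if beta else 0)
    return int(major), int(minor), int(fix), rank, beta_num


def is_heartbleed_affected(version):
    """True if the version string falls inside the ranges named in the post.
    Caveat: distributions often backport the fix without changing the
    version string, so an "affected" verdict on a vendor package must be
    confirmed against the package changelog; "not affected" for 1.0.1g and
    later is reliable.
    """
    major, minor, fix, rank, beta = parse_openssl_version(version)
    if (major, minor, fix) == (1, 0, 1):
        return beta is None and rank <= 6  # 1.0.1 .. 1.0.1f; 1.0.1g is rank 7
    if (major, minor, fix) == (1, 0, 2):
        return beta is not None and beta <= 1  # 1.0.2-beta and 1.0.2-beta1
    return False


def check_installed(openssl_binary="openssl"):
    """Run `openssl version` on this host and return (banner, affected)."""
    out = subprocess.check_output([openssl_binary, "version"])
    banner = out.decode("ascii", "replace").strip()
    return banner, is_heartbleed_affected(banner)


if __name__ == "__main__":
    banner, affected = check_installed()
    verdict = "AFFECTED, upgrade to 1.0.1g / 1.0.2-beta2" if affected else "not in the listed ranges"
    print("%s -> %s" % (banner, verdict))
```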