#1
05-14-2008, 12:38 PM
Zimbra-Yahoo Consultant
Posts: 5,608

Security: Debian-Based OpenSSL issue

An issue has been identified for Open Source users of Debian and Zimbra 5.0RC1 to 5.0.2. Zimbra does not provide a Network Edition for Debian, so Network Edition customers are not affected if installed on a Zimbra-supported platform. Any user (FOSS or Network Edition) who installed Zimbra 5.0RC1 to 5.0.2 on Ubuntu 7.04, Ubuntu 7.10, or Ubuntu 8.04 LTS would also be affected. This is the only advisory that will be issued by Zimbra.

Severity: CRITICAL

Issue: It has been discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable. This includes SSL Certificates in Zimbra.

Impact: It would be possible for a malicious person to guess cryptographic material on a Debian-based system.

Scope: This only affects Debian Open Source users who started out with Zimbra 5.0 RC1 to 5.0.2 and have kept the certificate generated during that period. Users who started out with 4.5.x and have kept the same certificate(s) are not affected. Users who started out with 5.0.3 or later are not affected, as Zimbra no longer uses Debian's port of the OpenSSL libraries. Any user running on a Debian-based platform where the administrator has altered the installer to install on the Debian-based system may also be affected. You should check your Linux distribution to see whether you're using the affected packages. Zimbra-supported Ubuntu packages/installations are not affected; however, some Ubuntu installations are vulnerable: Ubuntu 7.04, Ubuntu 7.10, Ubuntu 8.04 LTS. See USN-612-1: OpenSSL vulnerability | Ubuntu for more information on Ubuntu-based systems.

Resolution: Users who meet the scope should upgrade to Zimbra 5.0.3 or higher and then regenerate all of their SSL certificates following this article: Commercial Certificate in 5.x - Zimbra :: Wiki. The administrator should also upgrade the OpenSSL package from their vendor.

More Information:
Gmane -- Mail To News And Back Again
USN-612-1: OpenSSL vulnerability | Ubuntu
USN-612-2: OpenSSH vulnerability | Ubuntu
SSL Certificate Problems - Zimbra :: Wiki
Commercial Certificate in 5.x - Zimbra :: Wiki
Mail Queue Monitoring - Zimbra :: Wiki

Last edited by jholder: 05-14-2008 at 12:43 PM.
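The advisory says key material on affected hosts is "guessable" but does not spell out why, or how an administrator can tell a weak certificate from a good one. The reason is that the Debian-specific change left the process id as the only effective entropy of the OpenSSL PRNG, so the complete set of keys an affected host could generate (for a given architecture and key size) is small enough to enumerate once and turn into a blacklist; that is the approach the Debian/Ubuntu openssl-blacklist tooling took. The following is an added illustration, not code from this post, from Zimbra, or from those tools: it uses a toy 64-bit "modulus" generator seeded by pid alone instead of real RSA, a constructed fingerprint format (last 20 hex digits of SHA-1 over the hex modulus), a pid range of 1..32768 as an assumption, and hypothetical function names (`toy_keygen`, `build_blacklist`, `is_weak`, `triage`). What it shows is the defender's side: build the blacklist offline, then check each installed key against it and flag the ones to regenerate.

```python
"""Toy model of why CVE-2008-0166 keys were guessable, and of the
blacklist check used to detect them.

Constructed illustration (not Zimbra code, not real RSA): the broken
Debian OpenSSL PRNG was effectively seeded by the process id only, so
every key an affected host could produce can be enumerated in advance.
"""
import hashlib
import random
import secrets

PID_MAX = 32768  # assumption: default Linux pid range, the PRNG's only effective seed


def toy_keygen(pid: int, bits: int = 64) -> int:
    """Deterministic 'modulus' derived from pid alone (models the broken seeding)."""
    rng = random.Random(pid)           # seeded solely by the pid
    n = rng.getrandbits(bits)
    return n | (1 << (bits - 1)) | 1   # full-width and odd, like a real modulus


def healthy_keygen(bits: int = 64) -> int:
    """Same key shape, but drawn from the OS CSPRNG (what a fixed build does)."""
    n = secrets.randbits(bits)
    return n | (1 << (bits - 1)) | 1


def fingerprint(modulus: int) -> str:
    """Short digest of the modulus used as the blacklist key (constructed format)."""
    return hashlib.sha1(format(modulus, "x").encode()).hexdigest()[-20:]


def build_blacklist(bits: int = 64) -> frozenset:
    """Enumerate every key the broken generator could emit; done once, offline."""
    return frozenset(fingerprint(toy_keygen(pid, bits)) for pid in range(1, PID_MAX + 1))


def is_weak(modulus: int, blacklist: frozenset) -> bool:
    """Defender's check: could the broken generator have produced this key?"""
    return fingerprint(modulus) in blacklist


BLACKLIST = build_blacklist()


def triage(keys: dict, blacklist: frozenset = BLACKLIST) -> dict:
    """Map each key label to the action an administrator should take."""
    return {label: ("regenerate" if is_weak(n, blacklist) else "ok")
            for label, n in keys.items()}


if __name__ == "__main__":
    # Constructed inventory: one key made by the broken generator, one healthy key.
    sample = {"mailboxd-cert": toy_keygen(4242), "ldap-cert": healthy_keygen()}
    for label, verdict in triage(sample).items():
        print(f"{label}: {verdict}")
    print(f"blacklist size: {len(BLACKLIST)} (the entire weak keyspace of this toy)")
```

The point to take from the sizes: the toy blacklist has 32768 entries while a healthy 64-bit key is one of about 2^63 possibilities, so a key that hits the blacklist was almost certainly produced by the broken generator, and checking certificates against the blacklist is a reliable way to find the ones that must be regenerated after the upgrade described in the resolution.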
#2
05-14-2008, 03:52 PM
Zimbra Consultant
Posts: 5,814

For those who've asked today - how to handle the vulnerability process: Reporting Security Issues - Zimbra :: Wiki
__________________
-Mike Morse (MCode151)

ZCS-to-ZCS Migrations & Moves | Admin Tools & Tidbits » ZimbraBlog.com | ZimbraCommunity.com