It's out on the Bugtraq mailing list.
I don't know where to post it in the forum, so here it goes.
In the announcement mail, we learn that Zimbra/Synacor was notified last May.
We also learn any version before 8.8 beta 2 might be vulnerable.
We learn that the security fix was done on December 12 and guidance released to us (customers/users).
There is nothing here: https://wiki.zimbra.com/wiki/Security_Center
There is something here: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (in other words, you have to check several wiki pages to find information)
The bug (107925) is obviously private.
8.6 that is supposed to be under "Technical Guidance" and "General Support" doesn't get a patch (https://blog.zimbra.com/2017/08/zimbras ... ion-8-6-x/).
The last point is the most problematic to me.
On the wiki page (one of the "security pages", as there are several with different information), we can find out about several security issues discovered since 2016 (mostly XSS).
8.6.0 doesn't get a single patch for them.
Are the issues related to 8.7+ only?
Can someone from Zimbra/Synacor make a clear statement on all this?
Checked a little further (thanks to Malte), 8.6 is actually vulnerable (the bad code is in).
This is insane.