WeÂ’re sorry to have to do this, but if you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.
Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.
Here is how you can check your build version:
$ zmcontrol -v
(look for "8.0.3")
Here is how you can check your OpenSSL version - only un-patched versions of OpenSSL 1.0.1 that are compiled with TLS Heartbeat support are vulnerable:
$ ls -ld /opt/zimbra/openssl*
lrwxrwxrwx 1 root root 26 Jan 17 16:04 /opt/zimbra/openssl -> /opt/zimbra/openssl-1.0.1d
drwxr-xr-x 6 root root 4096 Jan 17 16:03 /opt/zimbra/openssl-1.0.1d
Here is how you can confirm if your libssl library is vulnerable or not:
Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat
dtls1_heartbeat
$
Not Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat
$
In order to re-patch, please download the latest version of the updater script and re-patch all Zimbra nodes (particularly those Internet-accessible, but all nodes should be patched):
(as root)
1) wget http://files.zimbra.com/downloads/secur ... updater.sh
2) chmod a+rx zmopenssl-updater.sh
3) ./zmopenssl-updater.sh
(as user zimbra)
4) su - zimbra
5) zmcontrol restart
The results should show the updater re-patching the system:
# ./zmopenssl-updater.sh
Downloading patched openssl
Validating patched openssl: success
Backing up old openssl: complete
Installing patched openssl: complete
OpenSSL patch process complete.
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart
If you were to run the updater again, it should then show the system as patched:
# ./zmopenssl-updater.sh
Error: Already patched
openssl-1.0.1e.brokenheart.46302
All 8.0.3 patching after Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, should be fine, as the openssl builds on files.zimbra.com were updated to disable TLS Heartbeat. To double check, please use the “strings†method shown above.
For additional information, please reference these instructions:
https://www.zimbra.com/forums/announcem ... ility.html[/URL]
OpenSSL Patch Update for ZCS 8.0.3 Only
Official Zimbra news, events, releases, and updates.
Jump to
- Zimbra Collaboration Server
- ↳ Administrators
- ↳ Installation and Upgrade
- ↳ Migration
- ↳ Virtualization
- ↳ Developers
- ↳ Zimlets
- ↳ Users
- ↳ Zimbra Connector for Outlook
- ↳ Zimbra Connector for Blackberry
- ↳ CalDAV / CardDAV / iSync
- ↳ Zimbra Collaboration 8.8 Beta
- ↳ Mobility
- ↳ Zimbra Talk
- ↳ Universal UI
- ↳ Zimbra Chat
- ↳ Zimbra Drive
- Zimbra Suite Plus
- ↳ Installation and Upgrade
- ↳ Zimbra Admin Plus
- ↳ Zimbra Backup Plus
- ↳ Zimbra HSM Plus
- ↳ Zimbra Mobile Plus
- Zimbra Desktop
- ↳ General Questions
- ↳ Error Reports
- ↳ Installation Help
- ↳ Zimbra Desktop Beta/RC
- General Zimbra
- ↳ General Zimbra Feedback
- ↳ Announcements
- ↳ Community News
- ↳ Zimbra Success Stories
- Portability
- ↳ BSD
- Other
- ↳ /etc
- ↳ International
- ↳ I18N/L10N - Translations
- ↳ Русский язык-фор
- ↳ French
- ↳ Italian
- ↳ German
- ↳ Spanish
- ↳ Scandinavian
- ↳ Portuguese