Hi,
I opened a ticket for this, a bug was created (and the ticket subsequently closed) but it seems nothing is happening?
As Zimbra doesn't link to the "normal" OS libraries (which is understandable, given the complexities involved), we need to wait for Zimbra to patch their OpenSSL accordingly and provide a patch-release...
Rainer
What about CVE-2021-3449?
Re: What about CVE-2021-3449?
Opening a support case to report security vulnerabilities is 1 of 2 preferred options by Zimbra to report vulnerabilities. The other is to send an email to security@zimbra.com to report an issue. I cannot speak for the Zimbra developers, but I believe they use a combination of the CVSS score assigned to a vulnerability and the number of requests they receive from Zimbra admins to fix an issue, to determine its internal priority to fix.
Would you mind sharing the ZBUG number that you were given for this vulnerability?
Re: What about CVE-2021-3449?
ZBUG-2198
In the meantime, I received a report that openssl 1.0.2 (as apparently used in Zimbra, judging from the output of common/bin/openssl version) is not vulnerable.
https://cve.mitre.org/cgi-bin/cvename.c ... =2021-3449
Maybe someone should have updated the bug with this information (if it is indeed correct)?
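Added example, not part of the thread and not Zimbra's own tooling: a shell check that classifies an `openssl version` banner against the affected range in the OpenSSL advisory for CVE-2021-3449 (all 1.1.1 releases before 1.1.1k are affected; 1.0.2 is not). The function names and sample banners are constructed for illustration, and the binary path is passed in by the caller.

```shell
#!/bin/sh
# Classify an `openssl version` banner against CVE-2021-3449.
# Per the OpenSSL advisory: 1.1.1 through 1.1.1j are affected, 1.1.1k is
# the fixed release, and 1.0.2 is not impacted. 1.1.0 was out of support
# and not analysed, so it is reported as "unknown" here.
# Caveat: a version string is only meaningful for a self-built or bundled
# OpenSSL; distribution packages often backport fixes without changing it.

classify_cve_2021_3449() {
    # $1: full banner line, e.g. "OpenSSL 1.0.2u  20 Dec 2019" (constructed)
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$ver" in
        1.0.2*)
            echo "not-affected" ;;
        1.1.1|1.1.1-*|1.1.1[abcdefghij]|1.1.1[abcdefghij]-*)
            echo "affected" ;;
        1.1.1[klmnopqrstuvwxyz]*)
            echo "fixed" ;;
        *)
            # Other branches, non-OpenSSL banners, or unparseable output
            echo "unknown" ;;
    esac
}

check_openssl_binary() {
    # $1: path to the openssl binary to inspect (for example the bundled
    #     one the thread refers to as common/bin/openssl)
    banner=$("$1" version 2>/dev/null) || { echo "unknown"; return 0; }
    classify_cve_2021_3449 "$banner"
}

# When run as a script with a path argument, print the verdict for it.
if [ "$#" -gt 0 ]; then
    check_openssl_binary "$1"
fi
```

An "affected" verdict only says the library version is in range; the advisory limits the issue to TLS servers with TLSv1.2 and renegotiation enabled, which is the default configuration.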