Solved: DANGER: 8.8.15p20 broke working machine openssl

JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Solved: DANGER: 8.8.15p20 broke working machine openssl

Post by JDunphy »

Confirmed this patch works perfectly. I just spun up my broken zimbra instance running a 5.11.9-x86_64 kernel that failed after patch20 and did a yum update and everything came up perfectly from the failed state.
Here are the updated components:


Updated:
  zimbra-core-components.x86_64 0:2.0.8-1zimbra8.8b1.el6     zimbra-ldap-components.x86_64 0:1.0.8-1zimbra8.8b1.el6    
  zimbra-mta-patch.x86_64 0:8.8.15.1617362579.p20-1.r6       zimbra-openssl.x86_64 0:1.1.1h-1zimbra8.7b4.el6           
  zimbra-openssl-libs.x86_64 0:1.1.1h-1zimbra8.7b4.el6       zimbra-patch.x86_64 0:8.8.15.1617362579.p20-2.r6          
  zimbra-proxy-patch.x86_64 0:8.8.15.1617362579.p20-1.r6    
  
Outstanding response... In a little over 24 hours from first ticket opened to a patched solution is pretty incredible! That was a lot of platforms to QE against.

w/r

Jim
mgarbin
Posts: 35
Joined: Wed Jun 26, 2019 11:00 am

Re: Solved: DANGER: 8.8.15p20 broke working machine openssl

Post by mgarbin »

New OpenSSL dangerous CVE: https://cve.mitre.org/cgi-bin/cvename.c ... -2021-3449
The version that has been released by Zimbra can be compromised easily
dbayer
Advanced member
Posts: 84
Joined: Thu Oct 09, 2014 9:10 am
Location: Maine
ZCS/ZD Version: Zimbra 10.0.5

Re: Solved: DANGER: 8.8.15p20 broke working machine openssl

Post by dbayer »

Are there any known issues with this patch and Ubuntu 18.04?
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Solved: DANGER: 8.8.15p20 broke working machine openssl

Post by JDunphy »

dbayer wrote: Are there any known issues with this patch and Ubuntu 18.04?
Hopefully someone running that can provide a clearer answer. My guess is no issues given the following observations:

1) I am running a 5.11 kernel
2) The openssl fix should have a few methods for trying entropy for both newer and older kernels if that is how they solved it. That is how I solved it and reported it via my bug report but I am now running their fix. The bug in this thread turned out to be for newer kernels which is 4.8 and above when they introduced openssl 1.1.1.1h in patch 20. It probably broke in 1.1.1.1d from what others on openssl mailing list have been saying about this known issue given it broke docker, ssh, etc and we are seeing this 1.1.1.1 version of the library for the first time in patch20. We don't run beta modules here so I have no history on how long it had been tested by customers.

Having said that, P20 also broke legacy backups and some functions like mail queue display from the console but I think that was isolated for RHEL6 variants. That has more to do with their ssh internal client not being able to connect to older sshd that can exist on legacy platforms like RHEL6. I think any 7+ and newish version of sshd should work without issue. Also... they just introduced a bug for SA 3.4.5 which wasn't initially broken but is now for rule updates as of Friday Apr 10, 2021.

I am running 8.1815p20 on RHEL6 and it seems to be working well here.

Mail Queue and Backup problem described here.

Ref: viewtopic.php?f=15&t=69426

SA update 3.4.5 described here.

Ref: viewtopic.php?f=15&t=69403

Should be a non issue given you are running a newer distribution. RHEL6 had a really good run for 10 years and those with RedHat support are still running it.

Jim
Last edited by JDunphy on Sat Apr 10, 2021 10:04 pm, edited 1 time in total.
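
The entropy-source fallback JDunphy guesses at in point 2 above, as an added C example that is not part of the original post and is not OpenSSL's or Zimbra's code: it tries getrandom() first and falls back to /dev/urandom, failing closed if neither source delivers. The names fill_seed, read_urandom and seed_source are hypothetical, and glibc 2.25 or later is assumed for <sys/random.h>.

```c
/* Added illustration of an ordered entropy-source fallback.
 * Assumption: not the vendor's fix; names here are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/random.h>   /* getrandom(): glibc >= 2.25, kernel >= 3.17 */
#include <sys/types.h>
#include <unistd.h>

enum seed_source { SEED_NONE = 0, SEED_GETRANDOM, SEED_URANDOM };

/* Read exactly len bytes from /dev/urandom; 0 on success, -1 on failure. */
static int read_urandom(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;
        else if (n < 0 && errno == EINTR)
            continue;           /* interrupted by a signal: retry */
        else
            break;              /* EOF or hard error */
    }
    close(fd);
    return got == len ? 0 : -1;
}

/* Fill buf from the first source that works and report which one it was. */
enum seed_source fill_seed(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n > 0)
            got += (size_t)n;
        else if (n < 0 && errno == EINTR)
            continue;
        else
            break;              /* e.g. ENOSYS on a kernel without the syscall */
    }
    if (got == len)
        return SEED_GETRANDOM;
    if (read_urandom(buf, len) == 0)
        return SEED_URANDOM;
    return SEED_NONE;           /* fail closed: caller must not use buf */
}
```

A caller should treat SEED_NONE as fatal rather than continue with an unseeded buffer; logging which source was used makes a kernel/userland mismatch visible after an upgrade.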
davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: Solved: DANGER: 8.8.15p20 broke working machine openssl

Post by davidkillingsworth »

dbayer wrote: Are there any known issues with this patch and Ubuntu 18.04?

I want to know this too.
dbayer
Advanced member
Posts: 84
Joined: Thu Oct 09, 2014 9:10 am
Location: Maine
ZCS/ZD Version: Zimbra 10.0.5

Re: Solved: DANGER: 8.8.15p20 broke working machine openssl

Post by dbayer »

JDunphy wrote: Hopefully someone running that can provide a clearer answer. My guess is no issues given the following observations:
Thank you for the detailed answer Jim. I'm going to give it a try. I'll be taking a snapshot first though!