Zimbra ClamAV Security Updates?

jdell
Outstanding Member
Posts: 201
Joined: Fri Sep 12, 2014 10:13 pm

Zimbra ClamAV Security Updates?

Post by jdell »

I saw this CVE for ClamAV with a remote buffer overflow and got to wondering about how often ClamAV is updated in Zimbra (and any other package that has an outstanding security vulnerability).

http://www.cve.mitre.org/cgi-bin/cvenam ... -2006-5874
and there are a few others.
I noticed that Zimbra is still using 0.88.4
Anybody care to address this? Should I be concerned?
I'm thinking there ought to be Zimbra micro-patches. I'm certain I can recompile ClamAV without affecting the rest of Zimbra, but it would be nice if there was an 'official' way to do this without a full-blown upgrade.
rsharpe
Outstanding Member
Posts: 254
Joined: Fri Sep 12, 2014 9:59 pm

Post by rsharpe »

This has been discussed in the past. People have successfully upgraded ClamAV in the past without affecting Zimbra; I'm not sure if anyone has done this lately. Probably the best way to get this upgraded is to put a request into bugzilla and vote on it.
jdell
Outstanding Member
Posts: 201
Joined: Fri Sep 12, 2014 10:13 pm

Post by jdell »

[quote user="rsharpe"]This has been discussed in the past. People have successfully upgraded ClamAV in the past without affecting Zimbra, I'm not sure if anyone has done this lately. Probably the best way to get this upgraded is to put a request into bugzilla and vote on it.[/quote]
Opening a bug and voting for it seems quite silly for security updates. Security updates are not popularity contests. :(
IMHO, a Zimbra employee should be tasked with tracking and updating these packages (as necessary) whenever there are security patch releases.
If a specially crafted email can DOS your zimbra server via ClamAV, that seems like something that ought to be addressed quickly, and not wait until a normal release.
ZCS 4.0.5 still has ClamAV 0.88.4 which was released in August 2006. Since then, 0.88.5, 0.88.6, and 0.88.7 were all released in the meantime but not updated in Zimbra.
Why does Zimbra bother to break out their releases into 8 different RPM packages if you are always going to keep all those packages in lockstep?
Why not release just an updated rpm for zimbra-mta (or wherever ClamAV and SpamAssassin live) that has the proper dependency checks to ensure RPM and Zimbra happiness?
Please note, this isn't sour grapes on my part :D, I just would like to understand what Zimbra's thinking is here and not just stick my head in the sand and hope that I don't get affected by a security problem.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Post by phoenix »

[quote user="jdell"]Opening a bug and voting for it seems quite silly for security updates. Security updates are not popularity contests. :( [/quote]

There has been some mention in the past that there will be separate packages that can be updated but it's a way off. Entering something in bugzilla isn't 'silly' if you want to make a suggestion about the way zimbra is packaged. You expect Zimbra staff to read these messages but they don't always have the time to check each forum post. The best thing to do is file an RFE in bugzilla, those entries are for more than just bugs, it's also a feature request system.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
jdell
Outstanding Member
Posts: 201
Joined: Fri Sep 12, 2014 10:13 pm

Post by jdell »

[quote user="phoenix"]There has been some mention in the past that there will be separate packages that can be updated but it's a way off. Entering something in bugzilla isn't 'silly' if you want to make a suggestion about the way zimbra is packaged. You expect Zimbra staff to read these messages but they don't always have the time to check each forum post. The best thing to do is file an RFE in bugzilla, those entries are for more than just bugs, it's also a feature request system.[/quote]

I totally understand what you are saying, and I do file bugs and enhancement requests in bugzilla and I encourage people to vote for them. In fact, I'm very busy in zimbra bugzilla (my bug/enhancement list is pretty long :D ).
My point is that security updates are a given. They happen. All the time. I can kind of understand if you are using the FOSS version of Zimbra, but I'm a paying customer and have 3 licensed NE installs. Zimbra should be tracking and updating these things. It shouldn't require input from a user to notice that ClamAV needs to be updated.
There are email announce lists for every FOSS product I use that includes info about security updates. I subscribe to them, so can someone from Zimbra.
If I need to open a bug each time I get a release notice from ClamAV, SpamAssassin, etc, I'll do that, but I really don't think it is appropriate for *me* (joe user) to do that. It just seems appropriate for a Zimbra employee to do that.
I serve that role for software products that I develop (keeping track of security updates for FOSS software we use). That just goes with the territory...but I expect those to be provided for software I'm paying for. I don't think that is an unreasonable expectation.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Post by phoenix »

[quote user="jdell"]If I need to open a bug each time I get a release notice from ClamAV, SpamAssassin, etc, I'll do that, but I really don't think it is appropriate for *me* (joe user) to do that. It just seems appropriate for a Zimbra employee to do that.[/quote]

It's already been mentioned that someone on the forums has done an update to ClamAV. I'm not suggesting you file an RFE for each security update, it seems to me that what you're asking for is a change to the way Zimbra is packaged and distributed - that's what I'm suggesting you file an RFE for. ;)
jdell
Outstanding Member
Posts: 201
Joined: Fri Sep 12, 2014 10:13 pm

Post by jdell »

[quote user="phoenix"]It's already been mentioned that someone on the forums has done an update to ClamAV. I'm not suggesting you file an RFE for each security update, it seems to me that what you're asking for is a change to the way Zimbra is packaged and distributed - that's what I'm suggesting you file an RFE for. ;)[/quote]

I don't know that the way it is packaged and distributed needs to change, I just see an included FOSS package that needs an update not being updated.
I was hoping that folks on the forums might bounce around different ideas on how this problem might be solved.
In my mind, forums are an appropriate place to discuss/debate the general ideas. Bugzilla has always seemed to be the place for very specific bugs/enhancement requests. If I'm off base on that, I will definitely open a bugzilla ticket.
martinfst
Posts: 22
Joined: Fri Sep 12, 2014 10:19 pm

Post by martinfst »

[quote user="jdell"]My point is that security updates are a given. They happen. All the time. [/quote]

I fully support this. Zimbra staff should (must) pay attention to security vulnerabilities and act accordingly. I really would like to support the request to break the whole of Zimbra into separate packages, especially as a lot of the components are individual packages anyway. Many OSes support this, specifically the target platform RedHat by means of RPMs.
What's the bugzilla number to vote for this? Or hasn't a single RFE been created yet? A quick scan of the bugzilla list shows several similar requests, but I failed to find a single clear request .....
jdell
Outstanding Member
Posts: 201
Joined: Fri Sep 12, 2014 10:13 pm

Post by jdell »

[quote user="martinfst"]What's the bugzilla number to vote for this? Or hasn't a single RFE been created yet? A quick scan of the bugzilla list shows several similar requests, but I failed to find a single clear request .....[/quote]

I'd like to kick around the ideas here in the forum before opening a bugzilla RFE. That seems the best way to get mindshare and agreement before we specifically propose something in bugzilla.

[quote user="martinfst"]I fully support this. Zimbra staff should (must) pay attention to security vulnerabilities and act accordingly. I really would like to support the request to break the whole of Zimbra into separate packages, especially as a lot of the components are individual packages anyway. Many OSes support this, specifically the target platform RedHat by means of RPMs.[/quote]
My first thought is that the low-hanging fruit is ClamAV and SpamAssassin. IMHO, these 2 packages are the most likely to see frequent updates. I can't remember the last time I saw a postfix security update. I'm not a Java guy so I can't speak to all the Java stuff.
So, what about splitting out ClamAV and SpamAssassin into a separate RPM (zimbra-mail-filter?) that would include Source RPM's for easy rebuild (dependencies for these would just be standard clam/sa deps plus installed zimbra RPMS and version checks)? Maybe, probably, amavisd-new ought to be included in there?
martinfst
Posts: 22
Joined: Fri Sep 12, 2014 10:19 pm

Post by martinfst »

[quote user="jdell"]So, what about splitting out ClamAV and SpamAssassin into a separate RPM (zimbra-mail-filter?) that would include Source RPM's for easy rebuild (dependencies for these would just be standard clam/sa deps plus installed zimbra RPMS and version checks)? Maybe, probably, amavisd-new ought to be included in there?[/quote]

And DSPAM and MySQL and ....

Even Postfix gets regular updates ..... It's now at 2.3 Patchlevel 5 and Zimbra uses 2.2.9. Not sure about CVEs....
Guess we need some kind of voting thread with all packages to be selected and get an impression from the community of which packages should be "separate".
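The recurring point in this thread (jdell's ClamAV 0.88.4 versus 0.88.7, martinfst's Postfix 2.2.9 versus 2.3 Patchlevel 5) is that nobody notices a bundled component has fallen behind unless someone compares the installed version against the upstream announce list. The script below is an added example written for this page; it is not code from the thread or from Zimbra. It assumes the binaries live under /opt/zimbra (an assumption about Zimbra's layout, not verified against any release), that `clamscan --version` prints a banner beginning `ClamAV <version>/...` and that `postconf mail_version` prints `mail_version = <version>`; the "latest known" numbers are the ones quoted in the thread and the fallback inventory is constructed from them.

```python
"""Flag bundled mail-filter components that are behind the newest release you track.

Added example for the forum discussion above (not Zimbra's code).  Feed the
release numbers from each project's announce list into LATEST_KNOWN and run it
on the mail server; offline, it falls back to a constructed inventory.
"""
import re
import subprocess

# Newest releases quoted in the thread; refresh these from the announce lists.
LATEST_KNOWN = {
    "clamav": "0.88.7",
    "postfix": "2.3 Patchlevel 5",
}

# Assumed locations of the bundled binaries (hypothetical Zimbra layout).
BUNDLED_BINARIES = {
    "clamav": ["/opt/zimbra/clamav/bin/clamscan", "--version"],
    "postfix": ["/opt/zimbra/postfix/sbin/postconf", "mail_version"],
}

# Constructed inventory mirroring the versions named in the thread; the
# signature-database number after the slash is made up for illustration.
CONSTRUCTED_INVENTORY = {
    "clamav": "ClamAV 0.88.4/2290/Thu Jan 11 2007",
    "postfix": "mail_version = 2.2.9",
}

# First dotted number in the text, optionally followed by "Patchlevel N".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:\s*patchlevel\s*(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Turn '0.88.4', '2.3 Patchlevel 5' or 'ClamAV 0.88.4/2290/...' into an int tuple."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    if match.group(2):
        parts.append(int(match.group(2)))  # '2.3 Patchlevel 5' -> (2, 3, 5)
    return tuple(parts)


def is_behind(installed, latest):
    """True if the installed version is older than the latest known release."""
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    # Pad with zeros so '2.3' and '2.3.0' compare equal rather than '2.3' < '2.3.0'.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit(inventory, latest_known=LATEST_KNOWN):
    """Return {component: (installed, latest)} for each component that is behind.

    Components with no entry in latest_known are reported under the key
    'untracked' so a silent gap in coverage is visible, not hidden.
    """
    behind = {}
    untracked = []
    for name, version_text in inventory.items():
        latest = latest_known.get(name)
        if latest is None:
            untracked.append(name)
            continue
        if is_behind(version_text, latest):
            behind[name] = (version_text, latest)
    if untracked:
        behind["untracked"] = tuple(sorted(untracked))
    return behind


def installed_from_system(binaries=BUNDLED_BINARIES):
    """Query each bundled binary for its version; skip anything not present."""
    found = {}
    for name, cmd in binaries.items():
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if out.returncode == 0 and out.stdout.strip():
            found[name] = out.stdout.strip()
    return found


if __name__ == "__main__":
    inventory = installed_from_system() or CONSTRUCTED_INVENTORY
    report = audit(inventory)
    for name, detail in report.items():
        if name == "untracked":
            print(f"no release number tracked for: {', '.join(detail)}")
        else:
            installed, latest = detail
            print(f"{name}: installed {parse_version(installed)} behind latest {latest}")
    if not report:
        print("all tracked components are at the latest known release")
```

Run it as the zimbra user so the bundled binaries are on the expected paths; on any other host it reports against the constructed inventory, which is enough to see the output shape. The padding in `is_behind` matters because upstream projects are inconsistent about trailing `.0` components, and the `untracked` entry exists so that adding a component such as SpamAssassin or amavisd-new to the inventory without a matching release number is noticed rather than silently passing.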