CVE-2019-9670 being actively exploited

zim_mike
Advanced member
Posts: 170
Joined: Sat Sep 13, 2014 3:26 am

Re: CVE-2019-9670 being actively exploited

Postby zim_mike » Tue Jan 07, 2020 6:55 pm

So much reading that I'm not sure at this point so best to simply ask. Please don't flame as saying I didn't read because I have but not 100% clear.

I'm running 8.8.11 GA 3799 FOSS, do I need to patch, update, do anything? Is this version secure now?


apiening
Posts: 18
Joined: Tue Aug 30, 2016 9:57 pm

Re: CVE-2019-9670 being actively exploited

Postby apiening » Tue Jan 07, 2020 7:40 pm

zim_mike wrote: I'm running 8.8.11 GA 3799 FOSS, do I need to patch, update, do anything? Is this version secure now?

You can see which vulnerability is fixed or patched in which version on this overview page: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
I would suggest updating to the latest version in case you're unsure. Keeping the installation updated is generally a good thing in terms of security.
zim_mike
Advanced member
Posts: 170
Joined: Sat Sep 13, 2014 3:26 am

Re: CVE-2019-9670 being actively exploited

Postby zim_mike » Sat Feb 08, 2020 12:11 am

Thanks for the lead, I'll take a look. It took a while to get back to this because I didn't get an email about the post :).
Doesn't the server or the client let you know when there are updates?
halfgaar
Advanced member
Posts: 84
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Release 8.8.12.GA.3794.UBUNTU16.64

Re: CVE-2019-9670 being actively exploited

Postby halfgaar » Sat Feb 08, 2020 11:56 am

zim_mike wrote: Doesn't the server or the client let you know when there are updates?


It doesn't seem to, to my dismay :(
L. Mark Stone
Elite member
Posts: 2103
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: CVE-2019-9670 being actively exploited

Postby L. Mark Stone » Sat Feb 08, 2020 12:06 pm

The version check script checks for new versions, so if Synacor released an 8.8.16 version of Zimbra, the version check script would notify you.

Patches are as you know repo-based, and Zimbra has committed to releasing Patches on a monthly schedule.

So apt-get update && apt list --upgradable will let you know if there are any Zimbra and/or operating system updates available.

Plus, 8.8.15 is the only supported version of Zimbra available at the moment.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
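
The check described in the post above, as an added example (not part of the original thread and not Zimbra's own tooling): shell functions that read a `zmcontrol -v` release line and `apt list --upgradable` output. The function names and sample lines are constructed; the supported release 8.8.15 is the one the post states for its date.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.
# Per the post above, 8.8.15 was the only supported release at the time; adjust as needed.
SUPPORTED_RELEASE="8.8.15"

# Print the x.y.z release from a `zmcontrol -v` style line, or nothing if unparseable.
# Accepts both "8.8.12.GA..." and "8.5.0_GA..." separators.
zimbra_release() {
    printf '%s\n' "$1" |
        sed -n 's/^Release \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)[._].*/\1/p'
}

# Print "supported", "unsupported" or "unknown" for a `zmcontrol -v` line.
release_status() {
    rel=$(zimbra_release "$1")
    if [ -z "$rel" ]; then
        echo "unknown"
    elif [ "$rel" = "$SUPPORTED_RELEASE" ]; then
        echo "supported"
    else
        echo "unsupported"
    fi
}

# Read `apt list --upgradable` output on stdin and print one line per pending
# Zimbra package as "name installed -> candidate". Other packages are skipped.
pending_zimbra_updates() {
    awk '$1 ~ /^zimbra-/ && /\[upgradable from: / {
        split($1, p, "/")            # "name/suite" -> name
        old = $NF; sub(/\]$/, "", old)
        printf "%s %s -> %s\n", p[1], old, $2
    }'
}

# Constructed sample of `apt list --upgradable` output (version numbers are made up).
SAMPLE_APT='Listing...
openssl/xenial-updates 1.0.2g-1ubuntu4.99 amd64 [upgradable from: 1.0.2g-1ubuntu4.98]
zimbra-patch/unknown 8.8.15.0000000002.p2-1 amd64 [upgradable from: 8.8.15.0000000001.p1-1]'

# Demo on constructed input. On a live server, feed real output instead:
#   release_status "$(su - zimbra -c 'zmcontrol -v')"
#   apt-get update && apt list --upgradable 2>/dev/null | pending_zimbra_updates
release_status 'Release 8.8.12.GA.3794.UBUNTU16.64'
printf '%s\n' "$SAMPLE_APT" | pending_zimbra_updates
```

Run from cron with the two live commands in the comments, this gives the notification the thread asks about; `apt` prints a warning about its unstable CLI on stderr when piped, which the `2>/dev/null` hides.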
fatemi
Posts: 2
Joined: Sat Feb 15, 2020 9:09 am

Re: CVE-2019-9670 being actively exploited

Postby fatemi » Sat Feb 15, 2020 9:50 am

Hi
I have a problem installing the patch for this bug. When I use the CLI to show my Zimbra version, it displays Release 8.5.0_GA_3042.RHEL6_64_20140828192005 RHEL6_64 FOSS edition, Patch 8.5.0_P2. But when I use the GUI (About), it displays: 8.6.0_GA_1153.FOSS.
Please guide me on how I can solve it, and which of them is correct?
Thank you so much.
halfgaar
Advanced member
Posts: 84
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Release 8.8.12.GA.3794.UBUNTU16.64

Re: CVE-2019-9670 being actively exploited

Postby halfgaar » Sat Feb 15, 2020 12:04 pm

The first thing I'd try is to just upgrade to the latest version (8.8.15 Patch-7). You can download it at zimbra.org (although I don't know why they offer that, as opposed to zimbra.com, where you have to fill out a form for the open source edition).

There are some difficulties upgrading from 8.6 to 8.7, see here. Always make an easy-to-restore backup before upgrading.
fatemi
Posts: 2
Joined: Sat Feb 15, 2020 9:09 am

Re: CVE-2019-9670 being actively exploited

Postby fatemi » Sun Feb 16, 2020 7:02 am

L. Mark Stone wrote: The version check script checks for new versions, so if Synacor released an 8.8.16 version of Zimbra, the version check script would notify you.

Patches are as you know repo-based, and Zimbra has committed to releasing Patches on a monthly schedule.

So apt-get update && apt list --upgradable will let you know if there are any Zimbra and/or operating system updates available.

Plus, 8.8.15 is the only supported version of Zimbra available at the moment.

Hope that helps,
Mark



Thank you so much, Mark.
I use "zmcontrol -v" and it displays Zimbra 8.5.0,
but when I use the GUI ("About" section from the top menu) it displays 8.6.0.
Why are the two different and which is correct?

Best regards
fatemi
phoenix
Ambassador
Posts: 26448
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Postby phoenix » Sun Feb 16, 2020 7:22 am

Whichever version of ZCS it is, you should not be using it; I'd suggest you get onto the most recent 8.8.15 ASAP.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
