
Re: CVE-2019-9670 being actively exploited

Posted: Tue Jan 07, 2020 6:55 pm
by zim_mike
So much reading that I'm not sure at this point so best to simply ask. Please don't flame as saying I didn't read because I have but not 100% clear.

I'm running 8.8.11 GA 3799 FOSS, do I need to patch, update, do anything? Is this version secure now?

Re: CVE-2019-9670 being actively exploited

Posted: Tue Jan 07, 2020 7:40 pm
by apiening
zim_mike wrote: I'm running 8.8.11 GA 3799 FOSS, do I need to patch, update, do anything? Is this version secure now?

You can see which vulnerability is fixed or patched in which version on this overview page: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
I would suggest updating to the latest version in case you're unsure. Keeping the installation updated is generally a good thing in terms of security.

Re: CVE-2019-9670 being actively exploited

Posted: Sat Feb 08, 2020 12:11 am
by zim_mike
Thanks for the lead, I'll take a look. It took a while to get back to this because I didn't get an email about the post :).
Doesn't the server or the client let you know when there are updates?

Re: CVE-2019-9670 being actively exploited

Posted: Sat Feb 08, 2020 11:56 am
by halfgaar
zim_mike wrote: Doesn't the server or the client let you know when there are updates?


It doesn't seem to, to my dismay :(

Re: CVE-2019-9670 being actively exploited

Posted: Sat Feb 08, 2020 12:06 pm
by L. Mark Stone
The version check script checks for new versions, so if Synacor released an 8.8.16 version of Zimbra, the version check script would notify you.

Patches are as you know repo-based, and Zimbra has committed to releasing Patches on a monthly schedule.

So apt-get update && apt list --upgradable will let you know if there are any Zimbra and/or operating system updates available.

Plus, 8.8.15 is the only supported version of Zimbra available at the moment.

Hope that helps,
Mark

Re: CVE-2019-9670 being actively exploited

Posted: Sat Feb 15, 2020 9:50 am
by fatemi
Hi
I have a problem installing the patch for this bug. When I use the CLI to show my Zimbra version, it displays Release 8.5.0_GA_3042.RHEL6_64_20140828192005 RHEL6_64 FOSS edition, Patch 8.5.0_P2. But when I use the GUI (About), it displays: 8.6.0_GA_1153.FOSS.
Please guide me on how I can solve it, and which of them is correct?
Thank you so much.

Re: CVE-2019-9670 being actively exploited

Posted: Sat Feb 15, 2020 12:04 pm
by halfgaar
The first thing I'd try, is to just upgrade to the latest version (8.8.15 Patch-7). You can download it at zimbra.org (although I don't know why they offer that, as opposed to zimbra.com, where you have to fill out a form for the open source edition).

There are some difficulties upgrading from 8.6 to 8.7, see here. Always make an easy-to-restore backup before upgrading.

Re: CVE-2019-9670 being actively exploited

Posted: Sun Feb 16, 2020 7:02 am
by fatemi
L. Mark Stone wrote: The version check script checks for new versions, so if Synacor released an 8.8.16 version of Zimbra, the version check script would notify you.

Patches are as you know repo-based, and Zimbra has committed to releasing Patches on a monthly schedule.

So apt-get update && apt list --upgradable will let you know if there are any Zimbra and/or operating system updates available.

Plus, 8.8.15 is the only supported version of Zimbra available at the moment.

Hope that helps,
Mark



Thank you so much, Mark.
I use "zmcontrol -v" and it displays Zimbra 8.5.0.
But when I use the GUI ("About" section from the top menu), it displays 8.6.0.
Why are the two different and which is correct?

Best regards
fatemi

Re: CVE-2019-9670 being actively exploited

Posted: Sun Feb 16, 2020 7:22 am
by phoenix
Whichever version of ZCS it is, you should not be using it; I'd suggest you get onto the most recent 8.8.15 ASAP.