Zimbra not affected by log4j (CVE-2021-44228)
After intensive review and testing, Zimbra Development determined that the 0-day exploit vulnerability for log4j (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 & 8.8.15). Zimbra Collaboration Server currently uses log4j1 version 1.2.16, which doesn't contain the lookup expression feature that is found within versions 2.0 to 2.17 and is the cause of the vulnerability. Also, the Red Hat vulnerability (CVE-2021-4104) does not affect Zimbra Collaboration Server versions 8.8.15 & 9.0.0. For this vulnerability to affect the server, it needs JMSAppender, which the ZCS Server does not use, and the ability to append configuration files.

Porting to Debian and build/packaging cleanup

Zimbra portability to BSD
metux2
Posts: 5
Joined: Tue Sep 24, 2019 9:15 pm

Postby metux2 » Thu Sep 26, 2019 9:23 am

Hello folks,

I'm currently in the process of porting ZCS to Debian stable, and in this context have already fixed several bugs in the build system (which seems to be pretty broken and misdesigned).
My goal is providing an out-of-the-box buildable ZCS with a much cleaner build and deployment process (e.g. completely getting rid of the ugly install script).

Anybody who's interested, just drop me a mail: info@metux.net

--mtx


neutronscott
Posts: 28
Joined: Fri Jun 09, 2017 2:05 pm

Re: Porting to Debian and build/packaging cleanup

Postby neutronscott » Sun Dec 29, 2019 2:29 am

I'm interested to hear about the fixes. Do you have a fork on GitHub?
