More OpenSSL vulnerabilities - NOT POODLE
I presume the following are an issue for Zimbra, since OpenSSL is built in. Patches have been released for OSs, but I don't see anything for Zimbra.
What should be done about :
CVE-2014-3513
CVE-2014-3567
I'm running 8.0.7 with OpenSSL 1.0.1h 5 Jun 2014
More OpenSSL vulnerabilities - NOT POODLE
In case anyone cares there's a bug open for this.
However, its progress seems rather slow, even though it's been marked "critical" by Zimbra and "Severity: High" by OpenSSL.
Ho hum
- Posts: 3
- Joined: Thu Feb 11, 2010 4:21 pm
More OpenSSL vulnerabilities - NOT POODLE
Hi,
We are tracking those CVEs and are currently working on patches/fixes; we expect to have them ready early in November.
More OpenSSL vulnerabilities - NOT POODLE
That's good to know, although early November does seem like quite a long time compared to how long it took the various flavours of Linux that Zimbra sits on to release updated versions of OpenSSL.
Is there a specific reason Zimbra can't use the OpenSSL that's found in the repositories?
- ccelis5215
- Outstanding Member
- Posts: 632
- Joined: Sat Sep 13, 2014 2:04 am
- Location: Caracas - Venezuela
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12
More OpenSSL vulnerabilities - NOT POODLE
Don't understand why this is marked as an "Answer Suggested"; in any case, after the patches/fixes are ready to deploy.
ccelis
More OpenSSL vulnerabilities - NOT POODLE
[quote]
Is there a specific reason Zimbra can't use OpenSSL that's found in the repositories ?
[/quote]
I've been asking those questions for years now. Their answers are just silly excuses and dumb rants against distros, but no serious arguments whatsoever.
Seems to be some religious issue ...
Actually, I stopped these useless discussions and did it on my own in the OpenZimbra project.
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
More OpenSSL vulnerabilities - NOT POODLE
Hi ccelis5215,
This issue will be fixed in the next 8.5.1 and 8.0.9; you can follow the bug here - https://bugzilla.zimbra.com/show_bug.cgi?id=96008
I don't know the exact release date, but I know that it will be soon.
Best regards.
- ccelis5215
- Outstanding Member
- Posts: 632
- Joined: Sat Sep 13, 2014 2:04 am
- Location: Caracas - Venezuela
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12
More OpenSSL vulnerabilities - NOT POODLE
Thanks Jorge!
More OpenSSL vulnerabilities - NOT POODLE
Thanks for the update, much appreciated.
However, I'm still a little concerned that OpenSSL considers this to be "Severity: High".
Can anyone here explain how serious a vulnerability this is for Zimbra?
More OpenSSL vulnerabilities - NOT POODLE
[quote]
However I'm still a little concerned that OpenSSL consider this to be "Severity: High".
[/quote]
Well, allowing a remote attacker to fill up your machine's memory, thus giving him an easy DoS attack vector, is indeed a high severity case.
If you guys would just use the system openssl (provided by distro packages), the issue would already have been solved by the distros.
But the way you're doing that, we yet again have to wait several weeks for your fix, while our systems remain vulnerable.
Do you call that quality? Seriously?