More OpenSSL vulnerabilities - NOT POODLE

dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am


Post by dik23 »

I presume the following are an issue for Zimbra, since OpenSSL is built in. Patches have been released for OSs, but I don't see anything for Zimbra.
What should be done about:
CVE-2014-3513
CVE-2014-3567
I'm running 8.0.7 with OpenSSL 1.0.1h 5 Jun 2014.
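A version check an admin can run against a bundled OpenSSL build, added here as an example and not taken from the thread or from Zimbra: it turns OpenSSL's lettered 1.x version strings (such as the `1.0.1h` quoted above) into comparable numbers and reports whether the installed build predates the version an advisory names as fixed. `OPENSSL_BIN` (path to the bundled binary) and `FIXED_VERSION` (taken from the advisory) are assumed environment variables the admin supplies.

```shell
#!/bin/sh
# Added example, not Zimbra's own tooling. Compares a bundled OpenSSL
# version against a "fixed in" version supplied by the admin.

# Map an OpenSSL 1.x version string like "1.0.1h" to a sortable integer.
# The letter suffix counts as a=1 ... z=26, and a two-letter suffix such
# as "za" sorts after "z", matching OpenSSL's release order.
openssl_version_key() {
    ver="$1"
    base=$(printf '%s' "$ver" | sed 's/[a-z]*$//')
    suffix=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    fix=$(printf '%s' "$base" | cut -d. -f3)
    letter=0
    while [ -n "$suffix" ]; do
        c=${suffix%"${suffix#?}"}          # first character of the suffix
        letter=$(( letter * 27 + $(printf '%d' "'$c") - 96 ))
        suffix=${suffix#?}
    done
    printf '%d\n' $(( major * 100000000 + minor * 1000000 + fix * 1000 + letter ))
}

# Pull "1.0.1h" out of an "openssl version" banner
# such as "OpenSSL 1.0.1h 5 Jun 2014".
openssl_version_from_banner() {
    printf '%s' "$1" | awk '{print $2}'
}

# True (exit 0) when the installed version is older than the fixed version.
openssl_needs_update() {
    [ "$(openssl_version_key "$1")" -lt "$(openssl_version_key "$2")" ]
}

# Usage: OPENSSL_BIN=/path/to/bundled/openssl FIXED_VERSION=<from advisory> sh check.sh
# Both values are assumptions the admin fills in; nothing runs without them.
if [ -n "${FIXED_VERSION:-}" ]; then
    bin="${OPENSSL_BIN:-openssl}"
    banner=$("$bin" version 2>/dev/null) || banner=""
    if [ -z "$banner" ]; then
        echo "could not run '$bin version'" >&2
    elif openssl_needs_update "$(openssl_version_from_banner "$banner")" "$FIXED_VERSION"; then
        echo "NEEDS UPDATE: '$banner' is older than $FIXED_VERSION"
    else
        echo "OK: '$banner' is at or past $FIXED_VERSION"
    fi
fi
```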

dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am


Post by dik23 »

In case anyone cares, there's a bug open for this.
However, its progress seems rather slow, even though it's been marked "critical" by Zimbra and "Severity: High" by OpenSSL.
Ho hum.
cozthegrov
Posts: 3
Joined: Thu Feb 11, 2010 4:21 pm


Post by cozthegrov »

Hi,

We are tracking those CVEs and are currently working on patches/fixes; we expect to have them ready early in November.
dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am


Post by dik23 »

That's good to know, although early November does seem like quite a long time compared to how long it took the various flavours of Linux that Zimbra sits on to release updated versions of OpenSSL.

Is there a specific reason Zimbra can't use the OpenSSL that's found in the repositories?
ccelis5215
Outstanding Member
Posts: 632
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12


Post by ccelis5215 »

I don't understand why this is marked as "Answer Suggested"; in any case, it will be after the patches/fixes are ready to deploy.

ccelis
metux
Advanced member
Posts: 146
Joined: Mon Jul 28, 2014 6:21 pm


Post by metux »

[quote]
Is there a specific reason Zimbra can't use the OpenSSL that's found in the repositories?
[/quote]

I've been asking those questions for years now. Their answers are just silly excuses and dumb rants against distros, but no serious arguments whatsoever.

Seems to be some religious issue ...

Actually, I stopped these useless discussions and did it on my own in the OpenZimbra project.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm


Post by jorgedlcruz »

Hi ccelis5215,
This issue will be fixed in the next 8.5.1 and 8.0.9; you can follow the bug here - https://bugzilla.zimbra.com/show_bug.cgi?id=96008
I don't know the exact release date, but I know that it will be soon.
Best regards.
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
ccelis5215
Outstanding Member
Posts: 632
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12


Post by ccelis5215 »

Thanks Jorge!
dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am


Post by dik23 »

Thanks for the update, much appreciated.
However, I'm still a little concerned that OpenSSL considers this to be "Severity: High".
Can anyone here explain how serious a vulnerability this is for Zimbra?
metux
Advanced member
Posts: 146
Joined: Mon Jul 28, 2014 6:21 pm


Post by metux »

[quote]
However, I'm still a little concerned that OpenSSL considers this to be "Severity: High".
[/quote]

Well, allowing a remote attacker to fill up your machine's memory, thus giving him an easy DoS attack vector, indeed is a high-severity case.

If you guys would just use the system OpenSSL (provided by distro packages), the issue would already have been solved by the distros.

But the way you're doing it, we yet again have to wait several weeks for your fix, while our systems remain vulnerable.

Do you call that quality? Seriously?