Zimbra 8.8.15 Patch 38 Release please share experience

[bulletxt]

Hi
as topic suggests Zimbra has just release 8.8.15 Patch 38 release that fixes Clamav CVE stuff. Please share experience after upgrading

[JDunphy]

Code: Select all

# Last metadata expiration check: 0:16:51 ago on Thu 02 Mar 2023 01:36:57 AM PST.
Dependencies resolved.
==============================================================================================================================================================================
 Package                                      Architecture                  Version                                              Repository                              Size
==============================================================================================================================================================================
Upgrading:
 zimbra-clamav                                x86_64                        0.105.2-1zimbra8.8b3.el8                             zimbra-8815-oss                        728 k
 zimbra-clamav-libs                           x86_64                        0.105.2-1zimbra8.8b3.el8                             zimbra-8815-oss                        3.8 M
 zimbra-mta-components                        x86_64                        1.0.19-1zimbra8.8b1.el8                              zimbra-8815-oss                        9.9 k
 zimbra-mta-patch                             x86_64                        8.8.15.1677488961.p38-1.r8                           zimbra-8815-oss                        116 k

Transaction Summary
==============================================================================================================================================================================
Upgrade  4 Packages
...

On RHEL8, no issues going from P37 to P38 for both OSS and Network versions.

Code: Select all

% zmcontrol -v
Release 8.8.15_GA_3953.RHEL8_64_20200629025823 RHEL8_64 NETWORK edition, Patch 8.8.15_P38.
% /opt/zimbra/common/sbin/clamd --help

                      Clam AntiVirus: Daemon 0.105.2
           By The ClamAV Team: https://www.clamav.net/about.html#credits
           (C) 2022 Cisco Systems, Inc.
....
....

freshclam pulled and reloaded db without issue. Sent test message without issue.

[bulletxt]

Zimbra is actually targeting the issue as Zimbra Rating "Low" https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P38 . Can someone give further information?

[Klug]

They're not saying anything on it except "it's not that serious as there's no public exploit".
viewtopic.php?f=15&t=71693&start=20#p308303

[JDunphy]

Cisco said it best on Feb 15:

“This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition,” Cisco explained.

IMHO, Zimbra's rating is too conservative. Amazons Linux Security Center rated this as 9.8 and critical in comparison.
Ref: https://alas.aws.amazon.com/cve/html/CV ... 20032.html

[halfgaar]

It was also pretty late. On my Debian systems, I already received this Feb 21st.

[bulletxt]

https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P38

They just changed the rating to "CRITICAL"

[L. Mark Stone]

IMHO, Zimbra's rating is too conservative. Amazons Linux Security Center rated this as 9.8 and critical in comparison.
Ref: https://alas.aws.amazon.com/cve/html/CV ... 20032.html

Zimbra have changed the criticality in the Patch Release Notes to "Critical" FWIW.

IMHO all customers should be applying this patch forthwith.

Best regards to all,
Mark

[agenis]

No problem whatsoever in Centos 7.

[7224jobe]

No problems with CentOS7 here, too.
We updated from 8.8.15 FOSS P31 to P38.