Zimbra Security Update

L. Mark Stone
Ambassador
Posts: 2747
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: Zimbra Security Update

Post by L. Mark Stone »

Sush wrote: Wed Aug 23, 2023 1:15 pm How to register for Support Portal?
Send an email to support@zimbra.com with the output from zmlicense -p.

Suggest you also provide an email address to use as the Support Portal account address, and that this address be a distribution list for all of your IT and security staff.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Sush
Posts: 2
Joined: Wed Aug 23, 2023 12:50 pm
ZCS/ZD Version: 8.8.15 FOSS Edition

Re: Zimbra Security Update

Post by Sush »

L. Mark Stone wrote: Wed Aug 23, 2023 1:44 pm
Sush wrote: Wed Aug 23, 2023 1:15 pm How to register for Support Portal?
Send an email to support@zimbra.com with the output from zmlicense -p.

Suggest you also provide an email address to use as the Support Portal account address, and that this address be a distribution list for all of your IT and security staff.

Hope that helps,
Mark
I'm using 8.8.15 FOSS edition.
Already wrote an email to support@zimbra.com.

Sush
rainer_d
Advanced member
Posts: 83
Joined: Fri Sep 12, 2014 11:40 pm

Re: Zimbra Security Update

Post by rainer_d »

The support portal is for licensed NE customers (obviously).
glenndm
Advanced member
Posts: 125
Joined: Fri Sep 12, 2014 10:35 pm
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64

Re: Zimbra Security Update

Post by glenndm »

oetiker wrote: Wed Aug 23, 2023 1:06 pm the patch is in the zimbra repo... what is your output of:

```
apt-get download --print-uris zimbra-patch
```

```
root@truckle:~# apt-get download --print-uris zimbra-patch
'https://repo.zimbra.com/apt/8815-ne/pool/zimbra/z/zimbra-patch/zimbra-patch_8.8.15.1692274621.p42-2.u16_amd64.deb' zimbra-patch_8.8.15.1692274621.p42-2.u16_amd64.deb 101807586 SHA256:d21efa559381dcb6a191496f331d84c77621e5b23290007b9b003e2108238616
```
Some parts of my system do not seem to be fully patched or do not report as such.
The files pertaining to P42 are gone, so that's good.

An issue with clamav has surfaced, possibly harking back to P41 (or earlier?).
Atm, the clamav engine is stuck at an earlier version, which P41 did not expect.
For now, everything works again, giving me time to figure out where it all went wrong (loose Douglas Adams quote: coming down from the trees was a bad move, although some say leaving the sea....)

best regards
ianw1974
Advanced member
Posts: 193
Joined: Sat Sep 13, 2014 12:45 am
Location: UK and Poland

Re: Zimbra Security Update

Post by ianw1974 »

What I kind of find strange is that Synacor/Zimbra won't provide the information to OSE/FOSS users on which files need to be deleted. Synacor/Zimbra have a brand to protect, so it is in their interest that OSE/FOSS installs do not make Synacor/Zimbra look bad if they are not patched/updated because the appropriate security information wasn't released to address this. Obviously it's very easy to find out by comparing a system before/after the update to see what files were removed or by looking at commits to see what was changed/removed. It just doesn't make sense.
Last edited by ianw1974 on Thu Aug 24, 2023 12:30 pm, edited 2 times in total.
BradC
Outstanding Member
Posts: 260
Joined: Tue May 03, 2016 1:39 am

Re: Zimbra Security Update

Post by BradC »

Synacor made their position pretty clear in this blog post back in 2020: https://blog.zimbra.com/2020/05/is-zimb ... e-for-you/

If you're not a paying customer, then you have the source. Sort it out yourself or buy a subscription. I haven't seen any deviation from that. I suppose it'll be even more "fun" next year when they finally put the axe through the FOSS edition.
halfgaar
Advanced member
Posts: 151
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Zimbra Security Update

Post by halfgaar »

Does the patch even contain a difference?

One can download the deb files like:

```
apt download zimbra-patch=8.8.15.1692274621.p42-1.u16
apt download zimbra-patch=8.8.15.1688898888.p41-1.u16
```

And extract with

```
dpkg --extract foorbar.deb targetdir
```

The funny thing is, when I diff them, this is the only difference:

```
# diff -r 41 42
Binary files 41/usr/share/doc/zimbra-patch/changelog.Debian.gz and 42/usr/share/doc/zimbra-patch/changelog.Debian.gz differ
```
I'm not saying the patch didn't do anything, but it's a bit suspect.
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.
ghen
Outstanding Member
Posts: 227
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: upgrading from 8.8.15 to 9.0

Re: Zimbra Security Update

Post by ghen »

I don't know the apt/dpkg equivalent, but with RPM the part to look at is `rpm -qp --scripts zimbra-patch-<version>.rpm`, that is, not the files in the package, but the code executed after installation.
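
The dpkg counterpart of the check described in the post above, as an added example that is not part of any post in this thread: `dpkg --extract` unpacks only the shipped files, while `dpkg-deb --raw-extract` also unpacks the control area with the maintainer scripts, so a comparison of two package versions can show changes that exist only in install-time code. The helper names `unpack_deb` and `classify_changes` and the directory layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare two versions of a .deb, control area included.
# unpack_deb and classify_changes are hypothetical helper names.

# Unpack payload AND control area; dpkg-deb --raw-extract puts the
# maintainer scripts (preinst, postinst, prerm, postrm) under DEBIAN/.
unpack_deb() {    # usage: unpack_deb package.deb targetdir
    dpkg-deb --raw-extract "$1" "$2"
}

# Print one line per differing file: "<area> <state> <path>".
# area:  control = run or read at install time, payload = shipped files
# state: added | removed | changed
classify_changes() {    # usage: classify_changes olddir newdir
    old=$1
    new=$2
    { (cd "$old" && find . -type f); (cd "$new" && find . -type f); } |
    sort -u |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -e "$old/$rel" ]; then
            state=added
        elif [ ! -e "$new/$rel" ]; then
            state=removed
        elif cmp -s "$old/$rel" "$new/$rel"; then
            continue    # identical in both versions
        else
            state=changed
        fi
        case $rel in
            DEBIAN/*) area=control ;;
            *)        area=payload ;;
        esac
        printf '%s %s %s\n' "$area" "$state" "$rel"
    done
}

# Stand-alone use: sh thisscript.sh old.deb new.deb
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp -d)
    unpack_deb "$1" "$tmp/old" && unpack_deb "$2" "$tmp/new" &&
        classify_changes "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
fi
```

Any `control` line is worth following up with `diff -u` on the two copies of that script, since maintainer scripts run as root during installation.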
halfgaar
Advanced member
Posts: 151
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Zimbra Security Update

Post by halfgaar »

I see my post was deleted, but I can say the weakness was in the web interface (not SMTP or IMAP).

As a fix that transcends the update, put your web interface behind VPN, firewall, or proxy, and keep it that way, forever.
BradC
Outstanding Member
Posts: 260
Joined: Tue May 03, 2016 1:39 am

Re: Zimbra Security Update

Post by BradC »

halfgaar wrote: Fri Aug 25, 2023 7:34 am I see my post was deleted, but I can say the weakness was in the web interface (not SMTP or IMAP).
I thought that was interesting. So we have posts detailing how and where to find the "list of 3 files" from a source anyone can get access to, but posting the file names crosses a line. I'm intrigued now. Tempted to spend some time on the weekend poring over those files to see if the hole is bleedingly obvious.