Hosting

  • Status Closed
  • Percent complete 100%
  • Type Bug fix
  • Category Zimbra
  • Assigned to No one
  • Operating system All
  • Severity Low
  • Priority Very low
  • Based on version 1.0
  • Due for version Undecided
  • Due date Undecided
  • Votes
  • Private
Attached to project: Hosting
Opened by Aurélien PONCINI - 11.06.2014
Last edited by Aurélien PONCINI - 17.06.2014

FS#278 - Zimbra Security Advisory on CVE-2014-0224

Hello, we need to carry out maintenance on the Zimbra servers to address a security vulnerability. An interruption of a few seconds is to be expected on each store.

Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)

On June 5, 2014 the OpenSSL project released a security advisory. CVE-2014-0224 can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.

The impact to Zimbra Collaboration Server is as follows:

  • ZCS 6 is not affected
  • ZCS 7 is not affected
  • ZCS 8 is affected

Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable.

All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.

If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities [reference: https://www.zimbra.com/forums/announ...g-84547-a.html]. Please upgrade to a newer version first, then run this patch.

Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:

  • ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7
  • ZCA versions 8.0.3 or 8.0.4
Admin
Aurélien PONCINI commented on 11.06.2014 12:16
On each Zimbra server (1 LDAP master; 5 MTAs; 2 proxies; 9 stores):

    cd /tmp && wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh && chmod a+rx zmopenssl-updater.sh && service zimbra stop && ./zmopenssl-updater.sh
