ZCS 7.0, 6.0.x, and 5.0.x Security Patch Instructions
From Zimbra :: Wiki
Note:
- This advisory does not apply to ZCS releases 7.0.1 and 6.0.11 as they include JDK 1.6u24, which has the security patch from Oracle.
- This advisory does not apply to Zimbra OSX 10.4.
- Read the FPUpdater Tool README before performing this update.
Overview
Oracle has issued a Security Alert for CVE-2010-4476, which affects ZCS versions 7.0, 6.0.x, and 5.0.x. This security alert addresses “security issue CVE-2010-4476 (Java Runtime Environment hangs when converting ‘2.2250738585072012e-308’ to a binary floating-point number)”. For the full security alert, go to: http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
To resolve this issue, Oracle has issued the FPUpdater Tool as a patch. If you are running ZCS 7.0, 6.0.x, or 5.0.x, you may want to perform this update. You can obtain this tool and README at: http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html
Example of Installing the FPUpdater Tool Patch on ZCS
Note:
- The following is an example of installing the FPUpdater Tool patch on ZCS and may vary from your update.
- Be sure to run the Java version located at /opt/zimbra/java/bin
- A full backup should be performed before any patch is applied.
1. Obtain the FPUpdater Tool from Oracle at:
http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html
2. On your system, confirm you are running a ZCS 7.0, 6.0.x or 5.0.x version. Enter zmcontrol -v
[zimbra@example ~]$ zmcontrol -v
Release 5.0.26_GA_3366.RHEL4_20101215133223 RHEL4 NETWORK edition
3. Run zmcontrol status to verify the ZCS server is running.
[zimbra@example ~]$ zmcontrol status
Host example.eng.vmware.com
antispam Running
antivirus Running
archiving Running
convertd Running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running
stats Running
4. Stop ZCS. Enter zmcontrol stop
[zimbra@example ~]$ zmcontrol stop
Host zqa-052.eng.vmware.com
Stopping stats...Done
Stopping mta...Done
Stopping spell...Done
Stopping snmp...Done
Stopping archiving...Done
Stopping antivirus...Done
Stopping antispam...Done
Stopping imapproxy...Done
Stopping mailbox...Done
Stopping convertd...Done
Stopping logger...Done
Stopping ldap...Done
5. As root, unzip the FPUpdater Tool patch. Be sure to place the zip file in the /tmp directory.
cd /tmp
[root@example tmp]# unzip ./fpupdater-1_0.zip
Archive: ./fpupdater-1_0.zip
creating: fpupdater/
inflating: fpupdater/fpupdater.jar
6. As root, run the FPUpdater Tool patch. Be sure to run the ZCS Java version in /opt/zimbra/java/bin
/opt/zimbra/java/bin/java -jar fpupdater/fpupdater.jar -u
Example of the FPUpdater Tool script installing on ZCS
Note: Your output will differ
[root@example tmp]# cd /opt/zimbra/jdk1.5.0_20/jre/lib
java.home: /opt/zimbra/jdk1.5.0_20/jre
java.vendor: Sun Microsystems Inc.
java.version: 1.5.0_20
os.name: Linux
Checking for update for major: 1.5.0 minor: 20
Retrieved update jar file from tool: /opt/zimbra/jdk1.5.0_20/jre/tmpUpdate1559471137797517925/tmpUpdate9221570560858611948.jar
Updating files. Please note this can take several minutes to run. Allow FPUpdater tool to complete.
Jar file /opt/zimbra/jdk1.5.0_20/jre/lib/rt.jar.fpupdater successfully verified.
Done backup of rt.jar to /opt/zimbra/jdk1.5.0_20/jre/lib/rt.jar.fpupdater
Made working copy of rt.jar: /opt/zimbra/jdk1.5.0_20/jre/lib/tmpUpdate1977471307117885279/copyofRt.jar
Jar file /opt/zimbra/jdk1.5.0_20/jre/lib/tmpUpdate1977471307117885279/copyofRt.jar succesfully verified.
Moving working copy of rt.jar back to live rt.jar.
Update applied successfully to java.home path : /opt/zimbra/jdk1.5.0_20/jre
7. Confirm the patch files rt.jar.fpupdater, rt.jar, and .fpupdater.log are installed successfully. Cd to /opt/zimbra/java/jre/lib to confirm.
Note: "0" bytes for *.log is correct.
-rw-r--r-- 1 root root 40218589 Feb 28 12:22 rt.jar.fpupdater
-rw-r--r-- 1 root root 40211603 Feb 28 12:22 rt.jar
-rw-r--r-- 1 root root 0 Feb 28 12:22 .fpupdater.log
drwxr-xr-x 6 root root 4096 Feb 28 12:22 ..
drwxr-xr-x 17 root root 4096 Feb 28 12:22 .
[root@example lib]# pwd
/opt/zimbra/jdk1.5.0_20/jre/lib
8. As the zimbra user (su - zimbra), enter zmcontrol start to restart ZCS for the changes to take effect.
[root@example lib]# su - zimbra
[zimbra@example ~]$ zmcontrol start
Host example.eng.vmware.com
Starting ldap...Done.
Starting logger...Done.
Starting convertd...Done.
Starting mailbox...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting archiving...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
9. To verify the server is running, enter zmcontrol status
[zimbra@example ~]$ zmcontrol status
Host example.eng.vmware.com
antispam Running
antivirus Running
archiving Running
convertd Running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running
stats Running
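The file check in step 7 and the JDK 1.6u24 exemption from the note at the top of the page can be scripted. This is an added example, not part of the original wiki page or of Oracle's tool; the function names and return codes are hypothetical, and the demo files are constructed stand-ins rather than a real JDK.

```shell
#!/bin/sh
# Added example: checks for the note on JDK 1.6u24 and for step 7.
# Function names and return codes are hypothetical, not from Oracle or Zimbra.

# jdk_has_fix VERSION -> 0 only for the case this page states:
# JDK 1.6.0 update 24 or later already contains the CVE-2010-4476 fix.
# Every other version string is reported as "not known fixed" (assumption).
jdk_has_fix() {
    case "$1" in
        1.6.0_*) upd=${1#1.6.0_} ;;
        *) return 1 ;;
    esac
    case "$upd" in ''|*[!0-9]*) return 1 ;; esac
    [ "$upd" -ge 24 ]
}

# check_fpupdater_applied LIBDIR -> 0 when the step 7 files look right.
# 1: rt.jar missing or empty      2: backup rt.jar.fpupdater missing or empty
# 3: .fpupdater.log missing       4: rt.jar identical to its backup
check_fpupdater_applied() {
    lib=$1
    [ -s "$lib/rt.jar" ] || return 1
    [ -s "$lib/rt.jar.fpupdater" ] || return 2
    [ -e "$lib/.fpupdater.log" ] || return 3   # 0 bytes is correct
    # The tool backs up rt.jar before replacing it, so the two must differ.
    if cmp -s "$lib/rt.jar" "$lib/rt.jar.fpupdater"; then return 4; fi
    return 0
}

# Constructed demo: a stand-in for jre/lib in a temp dir, not a real JDK.
demo=$(mktemp -d)
printf 'original' > "$demo/rt.jar.fpupdater"
printf 'patched!' > "$demo/rt.jar"
: > "$demo/.fpupdater.log"
if check_fpupdater_applied "$demo"; then echo "step 7 files OK"; fi
if jdk_has_fix "1.5.0_20"; then echo "no patch needed"; else echo "1.5.0_20: run FPUpdater"; fi
rm -rf "$demo"
```

On a ZCS host, pass the directory from step 7 (/opt/zimbra/java/jre/lib) to check_fpupdater_applied.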
| Verified Against: 7.0, 6.0.x, 5.0.x | Date Created: 3/1/2011 |
| Article ID: http://wiki.zimbra.com/index.php?title=ZCS_7.0,_6.0.x,_and_5.0.x_Security_Patch_Instructions | Date Modified: 3/2/2011 |
