Revision as of 18:15, 25 February 2016

Zimbra Security Advisories

Overview

The following security vulnerabilities have been fixed in recent releases of Zimbra Collaboration. To obtain the latest release and patches, update your Zimbra Collaboration servers with the software available on the Zimbra Download pages.

Zimbra Collaboration - Security Vulnerability Advisories

(going back to ZCS 7.1.3)

Bug# | Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Release or Patch Version | Reporter
101435, 101436 | Persistent XSS [CWE-79] | CVE-2015-7609 | 6.4 (2.3) | Major | 8.6.0 Patch5 | Fortinet's FortiGuard Labs
101559, 100133, 99854, 99914, 96973 | - | CVE-2015-2249 | 3.5 | Minor | 8.6.0 Patch5 | -
99236 | XSS Vuln in YUI components in ZCS | CVE-2012-5881, CVE-2012-5882, CVE-2012-5883 | 4.3 | Minor | 8.6.0 Patch5 | Upstream
98358, 98216, 98215 | Non-Persistent XSS [CWE-79] | CVE-2015-2249 | 4.3 | Minor | 8.6.0 Patch2 | Cure53
97625 | Reflected XSS [CWE-79] | CVE-2015-2230 | 3.5 | Minor | 8.6.0 Patch2 | MWR InfoSecurity
96105 | Improper Input Validation [CWE-20] | CVE-2014-8563 | 5.8 | Major | 8.0.9, 8.5.1, 8.6.0 | -
83547 | CSRF Vulnerability [CWE-352] | CVE-2015-6541 | 5.8 | Major | 8.5.0 | iSEC Partners, Sysdream
87412, 92825, 92833, 92835 | XSS Vulnerabilities [CWE-79] (8.0.7 Patch contains 87412) | CVE-2014-5500 | 4.3 | Minor | 8.0.8, 8.5.0 | -
83550 | Session Fixation [CWE-384] | CVE-2013-5119 | 5.8 | Major | 8.5.0 | -
91484 | Patch ZCS8 OpenSSL for CVE-2014-0224 | CVE-2014-0224 | 6.8 | Major | 8.0.3+Patch, 8.0.4+Patch, 8.0.5+Patch, 8.0.6+Patch, 8.0.7+Patch | Upstream
88708 | Patch ZCS8 OpenSSL for CVE-2014-0160 | CVE-2014-0160 | 5.0 | Major | 8.0.3+Patch, 8.0.4+Patch, 8.0.5+Patch, 8.0.6+Patch, 8.0.7+Patch, 8.0.7 | Upstream
85499 | Upgrade to OpenSSL 1.0.1f | CVE-2013-4353, CVE-2013-6449, CVE-2013-6450 | 4.3, 4.3, 5.8 | Major | 8.0.7 | Upstream
84547 | Critical Vulnerability | CVE-2013-7217 | 10.0, 6.4 | Critical | 7.2.2_Patch3, 7.2.3_Patch, 7.2.4_Patch2, 7.2.5_Patch, 7.2.6, 8.0.3_Patch3, 8.0.4_Patch2, 8.0.5_Patch, 8.0.6 | Private
85478 | XSS vulnerability in message view | - | 6.4 | Major | 8.0.7 | Alban Diquet of iSEC Partners
85411 | Local root privilege escalation | - | 6.2 | Major | 8.0.7 | Matthew David
85000 | Patch nginx for CVE-2013-4547 | CVE-2013-4547 | 7.5 | Major | 7.2.7, 8.0.7 | Upstream
80450 | Upgrade to JDK 1.6 u41 | CVE-2013-0169 | 2.6 | Minor | 7.2.3 | Upstream
80131 | Upgrade OpenSSL to 1.0.0k | CVE-2013-0169 | 2.6 | Minor | 7.2.3 | Upstream
80445 | Upgrade to JDK 1.7u15+ | CVE-2013-0169 | 2.6 | Minor | 8.0.3 | Upstream
80132 | Upgrade to OpenSSL 1.0.1d | CVE-2013-0169 | 2.6 | Minor | 8.0.3 | Upstream
80338 | Local file inclusion via skin/branding feature | CVE-2013-7091 | 5.0 | Critical | 6.0.16_Patch, 7.1.1_Patch6, 7.1.3_Patch3, 7.2.2_Patch2, 7.2.3, 8.0.2_Patch, 8.0.3 | Private
77655 | Separate keystore for CAs used for X509 authentication | - | 5.8 | Major | 8.0.7 | Private
75424 | Upgrade to Clamav 0.97.5 | CVE-2012-1457, CVE-2012-1458, CVE-2012-1459 | 4.3, 4.3, 4.3 | Minor | 7.2.1 | Upstream
64981 | Do not allow HTTP GET for login | - | 6.8 | Major | 7.1.3_Patch, 7.1.4 | Private
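The practical question this table answers is whether a given ZCS installation is at or past the fix release for each advisory. The following is an added example, not code from Zimbra or from this page: it parses the version spellings used in the table ("8.0.6", "7.2.2_Patch3", "8.6.0 Patch5", "8.0.3+ Patch") and classifies an installed version against a few rows transcribed from the table. The comparison rules are this example's assumptions: a plain release covers itself and later releases on the same major.minor line; a patched entry covers only that exact base release at that patch level or higher (a patch for 8.0.3 says nothing about an unpatched 8.0.4, which the 84547 row shows needs its own Patch2); an unnumbered "Patch" is taken as patch level 1; and a release line newer than every line the advisory names is assumed to carry the fix forward.

```python
"""Check an installed Zimbra Collaboration version against advisory fix releases.

Constructed example: the ADVISORIES rows are transcribed from this page's
table; the comparison rules are this example's own assumptions, not Zimbra's.
"""
import re

# Accepts the version spellings used in the table: "8.0.6", "7.2.2_Patch3",
# "8.6.0 Patch5", "8.0.3+ Patch" (with or without a space before "Patch").
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:\s*[_+]?\s*Patch\s*(\d*))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Return (major, minor, micro, patch) for a table or installed version string.

    A plain release has patch 0. An unnumbered "Patch" is taken as patch 1
    (assumption: the table writes "8.0.5_Patch" when only one patch exists).
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    major, minor, micro, patch = m.groups()
    if patch is None:
        level = 0
    elif patch == "":
        level = 1
    else:
        level = int(patch)
    return (int(major), int(minor), int(micro), level)


def fix_status(installed, fix_releases):
    """Classify an installed version against one advisory's fix releases.

    Returns "fixed", "vulnerable" or "unknown" under the rules stated in the
    lead-in (plain release covers later releases on its line; a patched entry
    covers only its own base release; newer lines assumed to roll forward).
    """
    inst = parse_version(installed)
    entries = [parse_version(f) for f in fix_releases]
    line = inst[:2]
    same_line = [e for e in entries if e[:2] == line]
    if not same_line:
        # No entry for this major.minor line at all.
        return "fixed" if line > max(entries)[:2] else "unknown"
    for e in same_line:
        if e[3] == 0 and inst >= e:
            return "fixed"
        if e[3] > 0 and inst[:3] == e[:3] and inst[3] >= e[3]:
            return "fixed"
    # Newer than every patched base on this line, with no plain release
    # covering it: the table does not say either way.
    if all(inst[:3] > e[:3] for e in same_line):
        return "unknown"
    return "vulnerable"


# Constructed sample: four rows transcribed from the advisory table.
ADVISORIES = [
    {"bugs": "84547", "summary": "Critical Vulnerability",
     "cves": ["CVE-2013-7217"], "rating": "Critical",
     "fixes": ["7.2.2_Patch3", "7.2.3_Patch", "7.2.4_Patch2", "7.2.5_Patch",
               "7.2.6", "8.0.3_Patch3", "8.0.4_Patch2", "8.0.5_Patch", "8.0.6"]},
    {"bugs": "96105", "summary": "Improper Input Validation [CWE-20]",
     "cves": ["CVE-2014-8563"], "rating": "Major",
     "fixes": ["8.0.9", "8.5.1", "8.6.0"]},
    {"bugs": "101435, 101436", "summary": "Persistent XSS [CWE-79]",
     "cves": ["CVE-2015-7609"], "rating": "Major", "fixes": ["8.6.0 Patch5"]},
    {"bugs": "88708", "summary": "Patch ZCS8 OpenSSL for CVE-2014-0160",
     "cves": ["CVE-2014-0160"], "rating": "Major",
     "fixes": ["8.0.3+ Patch", "8.0.4+ Patch", "8.0.5+ Patch", "8.0.6+ Patch",
               "8.0.7+ Patch", "8.0.7"]},
]


def unresolved_advisories(installed, advisories=ADVISORIES):
    """Return [(bugs, status)] for every advisory not known to be fixed."""
    result = []
    for adv in advisories:
        status = fix_status(installed, adv["fixes"])
        if status != "fixed":
            result.append((adv["bugs"], status))
    return result


if __name__ == "__main__":
    import sys
    version = sys.argv[1] if len(sys.argv) > 1 else "8.0.4"
    for bugs, status in unresolved_advisories(version):
        print("%-16s %s" % (bugs, status))
```

Run it with the version string from `zmcontrol -v` as the argument (for example `8.0.4`) and it lists every transcribed advisory that is still open or that the table does not settle for that line. "unknown" is deliberate: an installed build newer than a patched base but with no plain release listed, or on a line the advisory never mentions, cannot be resolved from the table alone and should be checked against the release notes rather than assumed safe.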
