Zimbra Security Advisories: Difference between revisions

No edit summary
m (minor cleanup, prefer https)
Line 7: Line 7:
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p>
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p>
<ul>
<ul>
<li>Zimbra Collaboration - Network Edition: http://www.zimbra.com/downloads/ne-downloads.html#latest_8_release</li>
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li>
<li>Zimbra Collaboration - Open-Source Edition: http://www.zimbra.com/downloads/os-downloads.html</li>
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li>
</ul>
</ul>
===Zimbra Collaboration - Security Vulnerability Advisories===
===Zimbra Collaboration - Security Vulnerability Advisories===
<p><span style="font-size: medium;"><em>(beginning with ZCS 7.1.3)</em></span></p>
<p><span style="font-size: medium;"><em>(going back to ZCS 7.1.3)</em></span></p>
<div class="col-md-12">
<div class="col-md-12">
     <table class="table table-striped table-condensed">
     <table class="table table-striped table-condensed">
Line 26: Line 26:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td>
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td>
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td>
<td>[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td>
<td>6.8</td>
<td>6.8</td>
<td>Major</td>
<td>Major</td>
Line 35: Line 35:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td>
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td>
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td>
<td>[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160]</td>
<td>5.0</td>
<td>5.0</td>
<td>Major</td>
<td>Major</td>
Line 44: Line 44:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td>
<td>Upgrade to OpenSSL 1.0.1f</td>
<td>Upgrade to OpenSSL 1.0.1f</td>
<td>[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353]<br /> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449]<br /> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353]<br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449]<br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td>
<td>4.3<br />4.3<br />5.8</td>
<td>4.3<br />4.3<br />5.8</td>
<td>Major</td>
<td>Major</td>
Line 53: Line 53:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td>
<td>Critical Vulnerability</td>
<td>Critical Vulnerability</td>
<td>[http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td>
<td>10.0<br /> [http://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td>
<td>10.0<br /> [https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td>
<td>Critical</td>
<td>Critical</td>
<td>7.2.2_Patch3<br /> 7.2.3_Patch<br /> 7.2.4_Patch2<br /> 7.2.5_Patch<br /> 7.2.6<br /> 8.0.3_Patch3<br /> 8.0.4_Patch2<br /> 8.0.5_Patch<br /> 8.0.6</td>
<td>7.2.2_Patch3<br /> 7.2.3_Patch<br /> 7.2.4_Patch2<br /> 7.2.5_Patch<br /> 7.2.6<br /> 8.0.3_Patch3<br /> 8.0.4_Patch2<br /> 8.0.5_Patch<br /> 8.0.6</td>
Line 63: Line 63:
<td>XSS vulnerability in message view</td>
<td>XSS vulnerability in message view</td>
<td>-</td>
<td>-</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td>
<td>Major</td>
<td>Major</td>
<td>8.0.7</td>
<td>8.0.7</td>
Line 74: Line 74:
<td>Local root privilege escalation</td>
<td>Local root privilege escalation</td>
<td>-</td>
<td>-</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td>
<td>Major</td>
<td>Major</td>
<td>8.0.7</td>
<td>8.0.7</td>
Line 82: Line 82:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td>
<td>Patch nginx for CVE-2013-4547</td>
<td>Patch nginx for CVE-2013-4547</td>
<td>[http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td>
<td>7.5</td>
<td>7.5</td>
<td>Major</td>
<td>Major</td>
Line 91: Line 91:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450]<br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131]<br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445]<br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450]<br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131]<br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445]<br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]</td>
<td>Upgrade to JDK 1.6 u41<br /> Upgrade OpenSSL to 1.0.0k<br /> Upgrade to JDK 1.7u15+<br /> Upgrade to OpenSSL 1.0.1d</td>
<td>Upgrade to JDK 1.6 u41<br /> Upgrade OpenSSL to 1.0.0k<br /> Upgrade to JDK 1.7u15+<br /> Upgrade to OpenSSL 1.0.1d</td>
<td>[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td>
<td>2.6</td>
<td>2.6</td>
<td>Minor</td>
<td>Minor</td>
Line 100: Line 100:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td>
<td>Local file inclusion via skin/branding feature</td>
<td>Local file inclusion via skin/branding feature</td>
<td>[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td>
<td>5.0</td>
<td>5.0</td>
<td>Critical</td>
<td>Critical</td>
Line 110: Line 110:
<td>Separate keystore for CAs used for X509 authentication</td>
<td>Separate keystore for CAs used for X509 authentication</td>
<td>-</td>
<td>-</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
<td>Major</td>
<td>Major</td>
<td>8.0.7</td>
<td>8.0.7</td>
Line 118: Line 118:
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td>
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td>
<td>Upgrade to Clamav 0.97.5</td>
<td>Upgrade to Clamav 0.97.5</td>
<td>[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457]<br /> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458]<br /> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457]<br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458]<br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td>
<td>4.3<br />4.3<br />4.3</td>
<td>4.3<br />4.3<br />4.3</td>
<td>Minor</td>
<td>Minor</td>
Line 128: Line 128:
<td>Do not allow HTTP GET for login</td>
<td>Do not allow HTTP GET for login</td>
<td>-</td>
<td>-</td>
<td>[http://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td>
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td>
<td>Major</td>
<td>Major</td>
<td>7.1.3_Patch<br />7.1.4</td>
<td>7.1.3_Patch<br />7.1.4</td>

Revision as of 18:27, 11 December 2015

Zimbra Security Advisories

Overview

The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:

Zimbra Collaboration - Security Vulnerability Advisories

(going back to ZCS 7.1.3)

Bug Number Summary CVE ID CVSS Score Zimbra Rating Classification Fix Release or Patch Version Reporter
91484 Patch ZCS8 OpenSSL for CVE-2014-0224 CVE-2014-0224 6.8 Major 8.0.3+Patch
8.0.4+Patch
8.0.5+Patch
8.0.6+Patch
8.0.7+Patch
8.0.7+Patch
Upstream
88708 Patch ZCS8 OpenSSL for CVE-2014-0160 CVE-2014-0160 5.0 Major 8.0.3+ Patch
8.0.4+ Patch
8.0.5+ Patch
8.0.6+ Patch
8.0.7+ Patch
8.0.7
Upstream
85499 Upgrade to OpenSSL 1.0.1f CVE-2013-4353
CVE-2013-6449
CVE-2013-6450
4.3
4.3
5.8
Major 8.0.7 Upstream
84547 Critical Vulnerability CVE-2013-7217 10.0
6.4
Critical 7.2.2_Patch3
7.2.3_Patch
7.2.4_Patch2
7.2.5_Patch
7.2.6
8.0.3_Patch3
8.0.4_Patch2
8.0.5_Patch
8.0.6
Private
85478 XSS vulnerability in message view - 6.4 Major 8.0.7

Alban Diquet of iSEC Partners

85411 Local root privilege escalation - 6.2 Major 8.0.7 Matthew David
85000 Patch nginx for CVE-2013-4547 CVE-2013-4547 7.5 Major 7.2.7
8.0.7
Upstream
80450
80131
80445
80132
Upgrade to JDK 1.6 u41
Upgrade OpenSSL to 1.0.0k
Upgrade to JDK 1.7u15+
Upgrade to OpenSSL 1.0.1d
CVE-2013-0169 2.6 Minor 7.2.3
7.2.3
8.0.3
8.0.3
Upstream
80338 Local file inclusion via skin/branding feature CVE-2013-7091 5.0 Critical 6.0.16_Patch
7.1.1_Patch6
7.1.3_Patch3
7.2.2_Patch2
7.2.3
8.0.2_Patch
8.0.3
Private
77655 Separate keystore for CAs used for X509 authentication - 5.8 Major 8.0.7 Private
75424 Upgrade to Clamav 0.97.5 CVE-2012-1457
CVE-2012-1458
CVE-2012-1459
4.3
4.3
4.3
Minor 7.2.1 Upstream
64981 Do not allow HTTP GET for login - 6.8 Major 7.1.3_Patch
7.1.4
Private

Try Zimbra

Try now Zimbra Collaboration without any cost with the 60-day free Trial.
Get it now »

Want to get involved?

You can contribute in the Community, in the Wiki, in the Code, or developing Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube Channel to keep posted about Webinars, technology news, Product overviews and more.
Go to the YouTube Channel »


Jump to: navigation, search