Zarafa 7.1.8 (re-released) has been submitted to updates-testing
by Robert Scheck
Good evening,
Zarafa 7.1.8 (re-released) has been submitted to updates-testing (Fedora
EPEL 5 and 6, Fedora 19, 20 and Rawhide). Here is the full list of changes
in Zarafa 7.1.8 (re-released) [44004]:
Zarafa Collaboration Platform 7.1.8 (re-released) [44004]
=========================================================
General
-------
This release is an emergency release. The main focus of this release is the
memory leak in the Zarafa-search service. This issue has been addressed by
this release. Alongside, upstream also included two other fixes.
Backend
-------
- ZCP-12062: Search memory leak introduced in 7.1.8
- ZCP-12019: Dagent creates much more fallback deliveries than in 7.1.7
Archiver
--------
- ARCH-333: Za-aclsync and za-aclset utilities are broken and give
  tracebacks
You should be able to update to Zarafa 7.1.8 (re-released) by using
something like:
yum update --enablerepo=updates-testing 'zarafa*'
on all Fedora releases and for Fedora EPEL you should use the following:
yum update --enablerepo=epel-testing 'zarafa*'
After testing, please add positive or negative karma to the Zarafa packages
in Bodhi:
https://admin.fedoraproject.org/updates/zarafa
And if you should find bugs or issues, please file a bug report in Red Hat
Bugzilla as described here:
http://fedoraproject.org/wiki/Zarafa#Bugs
Your feedback is very much appreciated.
Greetings,
Robert
9 years, 7 months
CVE-2014-0079: Unauthenticated remote denial of service flaw in Zarafa
by Robert Scheck
Good afternoon,
at the end of January I discovered another unauthenticated remote denial of
service flaw in the Zarafa Collaboration Platform that became public today and
is named CVE-2014-0079. Please do not mix it up with the previous CVE-2014-0037!
The security advisory at http://www.etes.de/blog/cve-2014-0079-zarafa/ is
also again happily provided by my employer. I am not copying in the whole
advisory here as it is supposed to be updated - especially in the next days,
as public disclosure just started.
The best solution is to update to Zarafa 7.1.8 that I submitted to the
testing repositories nearly two weeks ago. And: If you already updated to 7.1.8
from the packages in Fedora or Fedora EPEL, the patch for this new issue has
already been included before, together with the fix for CVE-2014-0037. These
Zarafa packages in Fedora and Fedora EPEL are going to be pushed to stable
repositories this weekend.
If you did not yet update to Zarafa 7.1.8 you really should do so; please
have a look at my e-mail from about two weeks ago for changelog and updating:
https://lists.fedoraproject.org/pipermail/zarafa-announce/2014-January/00...
When using the official binary RPM packages provided by Zarafa, you are not
affected by this CVE as upstream seems to build their own packages using an
older GLIBC that does not catch all NULL pointer issues. If you are looking
for details please have a look at the security advisory mentioned above.
In case there are any questions regarding this vulnerability feel free to
ask them either here on the mailing list or just send me a private e-mail.
Same applies of course also for all Zarafa related questions or issues ;-)
I finally would like to thank the ETES GmbH (www.etes.de) who allowed me to
spend time to research this issue and thus to provide a patch to upstream.
The ETES GmbH is a longtime and experienced Zarafa partner - contact us in
case you need any kind of commercial Zarafa or Z-Push support.
Greetings,
Robert
9 years, 7 months
CVE-2014-0037: Unauthenticated remote denial of service flaw in Zarafa
by Robert Scheck
Good morning,
some time ago I discovered an unauthenticated remote denial of service flaw
in the Zarafa Collaboration Platform that became public yesterday and is named
CVE-2014-0037.
As I discovered this issue during my regular work my employer is happy to
have a security advisory at http://www.etes.de/blog/cve-2014-0037-zarafa/
maintained. I am not copying in the whole advisory here as it is supposed
to be updated - especially in the next days, as public disclosure just started.
The best solution is to update to Zarafa 7.1.8 that I submitted yesterday
to the testing repositories (and seems to have reached them while typing);
please have a look at my e-mail from yesterday for changelog and updating:
https://lists.fedoraproject.org/pipermail/zarafa-announce/2014-January/00...
In case there are any questions regarding this vulnerability feel free to
ask them either here on the mailing list or just send me a private e-mail.
Same applies of course also for all Zarafa related questions or issues ;-)
I finally would like to thank the ETES GmbH (www.etes.de) who allowed me to
spend time to research this issue and thus to provide a patch to upstream.
The ETES GmbH is a longtime and experienced Zarafa partner - contact us in
case you need any kind of commercial Zarafa or Z-Push support.
Greetings,
Robert
9 years, 7 months