Good morning,
some time ago I discovered an unauthenticated remote denial of service flaw
in the Zarafa Collaboration Platform that became public yesterday and is named
CVE-2014-0037.
As I discovered this issue during my regular work, my employer is happy to
maintain a security advisory at
http://www.etes.de/blog/cve-2014-0037-zarafa/
I am not copying in the whole advisory here as it is supposed
to be updated - especially over the next days, as public disclosure has just started.
The best solution is to update to Zarafa 7.1.8, which I submitted yesterday
to the testing repositories (and which seems to have reached them while typing);
please have a look at my e-mail from yesterday for changelog and updating:
https://lists.fedoraproject.org/pipermail/zarafa-announce/2014-January/00...
In case there are any questions regarding this vulnerability feel free to
ask them either here on the mailing list or just send me a private e-mail.
Same applies of course also for all Zarafa related questions or issues ;-)
Finally, I would like to thank the ETES GmbH (www.etes.de), who allowed me to
spend time to research this issue and thus to provide a patch to upstream.
The ETES GmbH is a longtime and experienced Zarafa partner - contact us in
case you need any kind of commercial Zarafa or Z-Push support.
Greetings,
Robert