Good afternoon,
at the end of January I discovered another unauthenticated remote denial of service flaw in the Zarafa Collaboration Platform that was made public today and is named CVE-2014-0079. Please do not mix it up with the previous CVE-2014-0037!
The security advisory at http://www.etes.de/blog/cve-2014-0079-zarafa/ is again happily provided by my employer. I am not copying the whole advisory in here, as it is supposed to be updated, especially over the next few days, since public disclosure has just started.
The best solution is to update to Zarafa 7.1.8, which I submitted to the testing repositories nearly two weeks ago. And: if you already updated to 7.1.8 from the packages in Fedora or Fedora EPEL, the patch for this new issue was already included together with the fix for CVE-2014-0037. These Zarafa packages in Fedora and Fedora EPEL are going to be pushed to the stable repositories this weekend.
If you have not yet updated to Zarafa 7.1.8, you really should do so; please have a look at my e-mail from about two weeks ago for the changelog and updating instructions: https://lists.fedoraproject.org/pipermail/zarafa-announce/2014-January/00004...
When using the official binary RPM packages provided by Zarafa, you are not affected by this CVE, as upstream seems to build their own packages using an older GLIBC that does not catch all NULL pointer issues. If you are looking for details, please have a look at the security advisory mentioned above.
In case there are any questions regarding this vulnerability, feel free to ask them either here on the mailing list or just send me a private e-mail. The same of course applies to all Zarafa related questions or issues ;-)
I finally would like to thank the ETES GmbH (www.etes.de), who allowed me to spend time researching this issue and thus to provide a patch to upstream. The ETES GmbH is a longtime and experienced Zarafa partner - contact us in case you need any kind of commercial Zarafa or Z-Push support.
Greetings, Robert
zarafa-announce@lists.fedoraproject.org