at the end of January I discovered another unauthenticated remote denial of
service flaw in the Zarafa Collaboration Platform that got today public and
is named CVE-2014-0079. Please do not mix up with previous CVE-2014-0037!
The security advisory at http://www.etes.de/blog/cve-2014-0079-zarafa/
also again happily provided by my employer. I am not copying in the whole
advisory here as it is supposed to be updated - especially the next days,
public disclosure just started.
The best solution is to update to Zarafa 7.1.8 that I nearly two weeks ago
submitted to the testing repositories. And: If you already updated to 7.1.8
from the packages in Fedora or Fedora EPEL the patch for this new issue has
been already included before together with the fix for CVE-2014-0037. These
Zarafa packages in Fedora and Fedora EPEL are going to be pushed to stable
repositories this weekend.
If you did not yet update to Zarafa 7.1.8 you really should do so, please
have a look to my e-mail about two weeks ago for changelog and updating:
When using the official binary RPM packages provided by Zarafa, you are not
affected by this CVE as upstream seems to build their own packages using an
older GLIBC that does not catch all NULL pointer issues. If you are looking
for details please have a look to the security advisory mentioned above.
In case there are any questions regarding this vulnerability feel free to
ask them either here on the mailing list or just send me a private e-mail.
Same applies of course also for all Zarafa related questions or issues ;-)
I finally would like to thank the ETES GmbH (www.etes.de
) who allowed me to
spend time to research this issue and thus to provide a patch to upstream.
The ETES GmbH is a longtime and experienced Zarafa partner - contact us in
case you need any kind of commercial Zarafa or Z-Push support.