[Zarafa] CVE-2014-0037: Unauthenticated remote denial of service flaw in Zarafa

Good morning, some time ago I discovered an unauthenticated remote denial of service flaw in the Zarafa Collaboration Platform that got yesterday public and is named CVE-2014-0037. As I discovered this issue during my regular work my employer is happy to have a security advisory at http://www.etes.de/blog/cve-2014-0037-zarafa/ maintained. I am not copying in the whole advisory here as it is supposed to be updated - especially the next days, public disclosure just started. The best solution is to update to Zarafa 7.1.8 that I yesterday submitted to the testing repositories (and seems to have them reached while typing); please have a look to my e-mail from yesterday for changelog and updating: https://lists.fedoraproject.org/pipermail/zarafa-announce/2014-January/00... In case there are any questions regarding this vulnerability feel free to ask them either here on the mailing list or just send me a private e-mail. Same applies of course also for all Zarafa related questions or issues ;-) I finally would like to thank the ETES GmbH (www.etes.de) who allowed me to spend time to research this issue and thus to provide a patch to upstream. The ETES GmbH is a longtime and experienced Zarafa partner - contact us in case you need any kind of commercial Zarafa or Z-Push support. Greetings, Robert