[Zarafa] CVE-2014-0037: Unauthenticated remote denial of service flaw in Zarafa
Robert Scheck
robert at fedoraproject.org
Sat Feb 1 01:34:25 UTC 2014
Good morning,

some time ago I discovered an unauthenticated remote denial of service flaw
in the Zarafa Collaboration Platform that became public yesterday and is named
CVE-2014-0037.

As I discovered this issue during my regular work, my employer is happy to
have a security advisory at http://www.etes.de/blog/cve-2014-0037-zarafa/
maintained. I am not copying in the whole advisory here as it is supposed
to be updated - especially in the next days, public disclosure just started.

The best solution is to update to Zarafa 7.1.8 that I submitted yesterday
to the testing repositories (and seems to have reached them while typing);
please have a look at my e-mail from yesterday for changelog and updating:
https://lists.fedoraproject.org/pipermail/zarafa-announce/2014-January/000047.html

In case there are any questions regarding this vulnerability, feel free to
ask them either here on the mailing list or just send me a private e-mail.
The same applies of course also to all Zarafa related questions or issues ;-)

Finally, I would like to thank the ETES GmbH (www.etes.de) who allowed me to
spend time to research this issue and thus to provide a patch to upstream.
The ETES GmbH is a longtime and experienced Zarafa partner - contact us in
case you need any kind of commercial Zarafa or Z-Push support.

Greetings,
Robert