Authentication Bypass in MailboxImportServlet vulnerability (reminder)
https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/

by mgarbin
Sun Aug 14, 2022 9:37 am
Forum: Administrators
Topic: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
Replies: 57
Views: 22408

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

One should wonder why most of the /opt/zimbra tree is owned - and thus writable - by the zimbra user by default. If /opt/zimbra/jetty/webapps/zimbra/public (and the files in it) were owned by root, the impact of this exploit would have been much less, as an attacker then couldn't write any files th...
by mgarbin
Fri Jul 15, 2022 7:42 am
Forum: Administrators
Topic: JAVA not reaping unused LMTP sessions
Replies: 36
Views: 17527

Re: JAVA not reaping unused LMTP sessions

Now the question is what got broken that required that workaround? No idea what changed, but lots of updates in Patch 32 as we know... If I hear specifics from Support I'll post. I wrote it in this post http://forums.zimbra.org/viewtopic.php?p=305797&sid=c218bede21d2902ec27353dce14246bd#p3057...
by mgarbin
Mon Jul 11, 2022 4:00 pm
Forum: Administrators
Topic: JAVA not reaping unused LMTP sessions
Replies: 36
Views: 17527

Re: JAVA not reaping unused LMTP sessions

Probably they bugged LMTP with this "feature" that allows an admin to add a message like "This email is arriving outside your organization .... " : https://github.com/Zimbra/zm-mailbox/commit/ca7b6a859b78c429b2caba5ad870781bd2f6254c I'm lucky to remain on p31.1... :roll:
by mgarbin
Fri Feb 04, 2022 4:31 pm
Forum: Administrators
Topic: Reported XSS in zimbra publicly disclosed 3rd
Replies: 38
Views: 38491

Re: Reported XSS in zimbra publicly disclosed 3rd

Subscribing to the zm-web-client git I've seen a new push for an XSS bug into p30 4 hours ago : https://github.com/Zimbra/zm-web-client ... 8.8.15.p30
by mgarbin
Fri Jan 28, 2022 12:58 pm
Forum: Administrators
Topic: Buff/Cache get full rapidly and Zimbra stops functioning
Replies: 1
Views: 4358

Re: Buff/Cache get full rapidly and Zimbra stops functioning

Hi zimico,
can you share info about your mailboxd_java_heap_size ( zmlocalconfig ) and innodb_buffer_pool_size ( my.cnf in the config path )?
What is the service that is going to eat RAM while Zimbra is running? Can you share a screen of htop/top ordered by mem usage?
by mgarbin
Mon Jan 24, 2022 7:18 pm
Forum: Administrators
Topic: Synacor Support is an infosec nightmare
Replies: 8
Views: 8946

Re: Synacor Support is an infosec nightmare

As you can see they are working on it. Yes, they're now working on log4j because the spotlights are on it. But Zimbra ships dozens of Java libs, Perl libs and other 3rd party components that haven't been updated for many (5+, 10+) years; all this is completely unmaintained and contains dozens of ...
by mgarbin
Sun Jan 23, 2022 10:29 am
Forum: Administrators
Topic: Rspamd: Fast, free and open-source spam filtering system
Replies: 225
Views: 3162647

Re: Rspamd: A replacement for Spamassassin & Postscreen

To preserve the nginx custom configuration you need to change the template config file. You can modify the nginx template by adding this code; it allows connecting to rspamd only from the private network : location /rspamd/ { proxy_pass http://YOUR_RSPAMD_IP:11334/; proxy_set_header Host $host; proxy_set_header...
by mgarbin
Sun Jan 23, 2022 10:13 am
Forum: Administrators
Topic: Synacor Support is an infosec nightmare
Replies: 8
Views: 8946

Re: Synacor Support is an infosec nightmare

Hi ArgLex1,
did you search on zimbra commit?

https://github.com/Zimbra/zm-mailbox/pull/1215/files

As you can see they are working on it.
by mgarbin
Wed Jan 12, 2022 3:54 pm
Forum: Administrators
Topic: Error on deploying SSL certificates
Replies: 40
Views: 75743

Re: Error on deploying SSL certificates

[root@mail ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:           7808        7219          99         425         489           1
Swap:             0           0           0
[root@mail ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        3.8G     0  3.8G   0% /dev
tmpfs           3.9G     0  3.9G   0% /dev/shm
tmpfs           3.9G  425M  3.4G  11% /run
tmpfs           3.9G     0  3.9G   0% /sys/fs/cgroup
/de...
by mgarbin
Mon Dec 20, 2021 2:20 pm
Forum: Installation and Upgrade
Topic: Zimbra 8.8.15 Patch 29
Replies: 3
Views: 11746

Re: Zimbra 8.8.15 Patch 29

In the last patch there are no significant fixes / patches.
Read the release note https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P29

From p19 to p29 there are a lot of open CVEs, please upgrade your server as soon as possible.