[Users] Zimbra Critical Security Patch Update Now
Enrico Weigelt, metux IT consult
info at metux.net
Tue Oct 26 17:49:40 CEST 2021
On 26.10.21 08:10, Barry de Graaff wrote:
> Hello All,
Barry, didn't I tell you (as well as the support) weeks ago that this
openssl version is vulnerable and must be upgraded?
Yet again it took *two months* to deliver a fix, which we would have had
almost immediately if Zimbra just used the distro's openssl
version.
Yes, I'm really angry!
Remember the Heartbleed incident: the mainline distros had the fix out
and *deployed* in the field within a few hours from the point the issue
got known. (In that case we had to *manually* replace the library
binaries on all affected machines, thus breaking package management
integrity, and it took several more weeks until an actual update
package was available.)
This is an old bug, actually a fundamental misdesign, which I've
already raised almost a decade ago. Nobody listened, or just silly
excuses like that it would be necessary for supporting older distros.
No, this is NOT at all necessary - for the really ancient distros just
provide a new openssl package, period. On the (few) supported distros,
openssl v1.0 vs v1.1 are separate packages anyways, so no risk of
conflicts - a simple and straightforward backport. Maybe the actual
problem is that your devs just don't understand the concept of
package management - look at the ridiculous build system and installer,
how it abuses low level tools that aren't supposed to be called directly
by usual packages - and look at the insane way the "patch" packages are
done, doing hard overwrites of files belonging to other packages within
the postinst scripts. Back then I tried to teach your devs, but nobody
listened.
Oh, and you told me you guys have no interest in fixing my long list
of mostly already aeons old bugs and suggested forking. Guess what, I
did it, and I'm cleaning up all this mess (starting with an actually
reliable and auditable build process). Once that's up and running,
I'll make it container-native and reimplement NE features like
zmmboxmove. All new code here is AGPLv3 and I'll never ever sign over a
single line of my IPR.
Good luck with your attitude of punching your paying customers and the
integration experts in the face. Same story like we had w/ soffice, and
we know how it ended.
--mtx
--
---
Note: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send me your GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info at metux.net -- +49-151-27565287
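The message's complaint that "patch" packages hard-overwrite files belonging to other packages from postinst scripts is detectable: a distro package manager keeps a per-package checksum manifest (on Debian-based systems, /var/lib/dpkg/info/<pkg>.md5sums), and comparing it against the files on disk exposes any out-of-band overwrite. The script below is an added example, not part of Enrico's message or of Zimbra's code; it implements the same check that `debsums` and `dpkg --verify` perform, on a constructed temporary tree with constructed file contents and paths (the libssl file name and contents are made up for the demo). It parses the dpkg md5sums format, builds a manifest for two "shipped" files, simulates a vendor postinst overwriting one of them, and reports which package-owned files no longer match.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path: Path) -> str:
    """MD5 of a file's contents, read in chunks (dpkg's md5sums files use MD5)."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text: str) -> dict:
    """Parse the dpkg /var/lib/dpkg/info/<pkg>.md5sums format:
    one '<md5>  <path relative to />' entry per line."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, rel = line.split(None, 1)
        manifest[rel] = digest
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare every manifest entry against the file on disk under root.
    Returns {"ok": [...], "modified": [...], "missing": [...]} with
    sorted relative paths, so the result is stable for reporting."""
    result = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif md5_of(p) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario (hypothetical paths and contents): a 'distro'
    package ships two files and records their checksums; a vendor postinst
    script then overwrites one of them out of band."""
    shipped = {
        "usr/lib/libssl.so.1.1": b"distro build of libssl\n",
        "usr/bin/openssl": b"distro openssl cli\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lines = []
        for rel, content in shipped.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
            lines.append(f"{md5_of(p)}  {rel}")
        # What the package manager recorded at install time
        manifest = parse_md5sums("\n".join(lines) + "\n")
        # The out-of-band overwrite a postinst script might do
        (root / "usr/lib/libssl.so.1.1").write_bytes(b"vendor build of libssl\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for state, files in demo().items():
        for rel in files:
            print(f"{state:8} {rel}")
```

On a real Debian-based host the same comparison is available as `debsums -c` (changed files only) or `dpkg --verify`; a vendor library that replaces a distro-owned file shows up there exactly as the constructed libssl entry does above, and the drift can be caught in routine integrity checks rather than after an incident.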