Hello
Looks like the last patch is 28. Will patch 33 be released? Zimbra has a lot of security vulnerabilities.
Latest Version: 9.0.0p28
This shows the difficulty when a company such as Zimbra doesn't fully support open source. Fortunately, it is now trivial to build with Ian Walker's script, and he also builds versions for all the supported platforms with every patch release. Eventually, as a community we will need to come up with a proper patch/update cycle so that we are not doing install.sh and builds after every patch release. I am assuming this is how it works currently, as while I have built 8.8.15 and 9.0 tarballs, I have never run them in production nor had to update them to a newer patch version. I run the commercial version here, which has its own limitations for patch updates.
Recently, I have started investigating ModSecurity 3 with the complete OWASP core rule sets enabled and some specific Zimbra rules on my 8.8.15 platform (should also work with 9.0 or 10.0). Results have been good thus far. This might be a longer-term solution when patches are not readily available or someone wants to stay at a version and update or add rules vs patching for future security exploits. As for 8.8.15P40 or 9.0.P33 identified CVEs, I have not been able to reverse engineer what those exploits are yet to see if this would have offered any protection without the need to patch.
Ref: https://github.com/ianw1974/zimbra-build-scripts
One thing that isn't clear to me is what happens to the zextra's stuff. I would love to stay at 8.8.15 with their modules and support but I gather they are leaving the zimbra space for carbonio. I have also been testing carbonio CE but it has a ways to go before I see it as a replacement for Zimbra. Really nice product nonetheless but I have to Dec 31 to decide what we are going to do here.
Jim
Thank you very much for the information. I tested Carbonio as soon as it came out, but there were a few problems. That's why I went back to Zimbra again. Of course, I don't know the latest status. I'm sure it has progressed. I hope it gets better.