[HN Gopher] Zimbra 0-day used to steal email data from government organizations
___________________________________________________________________
Zimbra 0-day used to steal email data from government organizations

Author : hasheddan
Score  : 88 points
Date   : 2023-11-16 16:04 UTC (6 hours ago)
Link   : blog.google

| kstrauser wrote:
| Oh, XSS. It's the gift that keeps giving.
  | j45 wrote:
  | At some point I'm hoping AI can help with hardening by coming
  | up with potentially novel security holes.
    | kstrauser wrote:
    | Right? Let's see some Hex Color Injection or Retina Inversion
    | or Bytecode Reversal attacks. I want to see a flatline riding
    | a black chrome shark into my browser. Enough of this "XSS"
    | this and "Server-Side Request Forgery" that stuff.
      | Obscurity4340 wrote:
      | Is there very much a use case for using AI to X-ray a site and
      | find all this bullshit in an automated fashion? The opposite
      | seems so unreliable and unfashionable...
| dang wrote:
| [stub for offtopicness]
  | mmoya wrote:
  | Post deleted, archive.org has it
  | https://web.archive.org/web/20231116160518/https://blog.goog...
    | aa_is_op wrote:
    | Nah. It's live. Their CDN had a hiccup.
  | kyrra wrote:
  | Odd, looks like it was deleted? It's on archive.org though.
  |
  | https://web.archive.org/web/20231116160518/https://blog.goog...
  |
  | EDIT: updated URL here: https://blog.google/threat-analysis-
  | group/zimbra-0-day-used-...
    | blakesterz wrote:
    | I think the URL just changed to
    |
    | https://blog.google/threat-analysis-group/zimbra-0-day-used-...
  | dang wrote:
  | Fixed now. Submitted URL was https://blog.google/threat-
  | analysis-group/zimbra-0-day-used-.... Thanks!
| dspillett wrote:
| This is a timely reminder to anyone still using Zimbra 8.x.x that
| it reaches EOL at the end of next month. There is no official
| open release of later versions despite much being covered by open
| source licenses.
|
| If you have not already moved off Zimbra you need to, ASAP, do one
| of the following:
|
| 1. Pay for Zimbra and upgrade that way.
|
| 2. Try to compile a later version yourself...
|
| 3. Migrate to one of the forks that sprang up (most of them are
| dead though, Zextras/Carbonio is still going but last time I
| looked the system requirements were a bit daft for what little
| functionality I actually need)
|
| 4. Migrate to something else entirely.
  | jsilence wrote:
  | Not sure what you are talking about. To me it looks like you
  | can just DL and install the 9.0 or 10.0 community release. Am I
  | missing something?
  |
  | https://www.zimbra.com/product/download/zimbra-collaboration...
    | slipheen wrote:
    | Looking at the links on that page, the only links for 9.0 or
    | 10.0 look to be for the network edition (non-OSS).
    |
    | I'm not familiar with the situation, but reading through
    | https://blog.zimbra.com/2020/05/is-zimbra-open-source-yes-
    | fa... suggests that they do still provide source for at least
    | some portions of 9.x, but they no longer provide binaries or
    | packages.
    |
    | It looks like some components may be missing ("Modern UI"),
    | but I don't know if it's usable without them.
  | doublerabbit wrote:
  | I'm one of those who needs to upgrade and the pre-sales part is
  | hell.
  |
  | Either you're not big enough to get any priority, and they never
  | reply, or the costs are just too stupid for a personal account
  | with 5-10 mailboxes.
  |
  | I host on-prem too, via colocation, which then increases the
  | cost ten-fold. It's as if these companies don't want customers.
  |
  | Liked the look of the IceWarp suite and yet they've been non-
  | existent in sales, which I end up expecting throughout.
| willk wrote:
| It feels like they waited a long time to post an advisory for an
| exploit that was being actively used by threat actors, more than
| a week after they pushed a fix to their repositories. Why not
| give customers a heads up prior? At least give your users a
| fighting chance.
___________________________________________________________________ (page generated 2023-11-16 23:00 UTC)