Upgrading to Kopano Groupware Core 8.5.8 - containing important security fix
A new version of Kopano Groupware Core, 8.5.8, was released on April 19th. It contains fixes for two vulnerabilities, and updating to it requires extra attention: this is not a regular update, and upgrading an installation from any previous version to this release can require some extra steps.
About the issues
These issues were discovered while investigating a customer report that a server had become slower after an upgrade. Our developers found that the slowdown was caused by an unexpectedly large number of rows in one of the database tables (the 'names' table). Further investigation made clear that this is a vulnerability which, in some cases, has a small chance of causing corruption or data loss in the Kopano Server database. The vulnerabilities are present in all previous versions of the software, going back to before the 8.0 release (pre-Kopano).
Aside from fixing the issue itself, the discovery led to the registration of vulnerability identifiers: CVE-2018-8950 and CVE-2018-8951. Note that these CVEs have not yet been published; they will be published soon after the release of the version that contains the fix.
Applying the fix
This new release resolves the issue in code, but it also requires a database schema change. In some cases this schema change cannot be applied, because the Kopano Server finds unexpected entries in the names table. Such entries need to be resolved with the new kopano-dbadm utility, which was built specifically to resolve this issue. We strongly recommend creating a dump of the database before applying the fix (for example with mysqldump), so that you can roll back if the repair does not complete as expected.
Because applying the fix with kopano-dbadm can take some time in larger environments, you can also skip the schema upgrade for now by starting the Kopano Server with a special flag. If you choose to do so, we recommend scheduling the kopano-dbadm run as soon as possible: until the repair has run, the database remains exposed to the same corruption.
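The procedure above (stop the server, dump the database, upgrade, run the repair, start the server) as a small shell wrapper. This is an added example and not Kopano's own tooling. It assumes, beyond what the post states, that the service is called kopano-server, that the MySQL/MariaDB database is called "kopano" with credentials in ~/.my.cnf, that packages are upgraded with apt-get, and that the repair subcommand is `kopano-dbadm k-1216` (taken from the title of the linked troubleshooting article; adjust if your version differs). The named flag for skipping the schema upgrade is not part of the example because the post does not name it.

```shell
#!/bin/sh
# Added example, not Kopano's own tooling: cautious wrapper for the 8.5.8 upgrade.
# Assumptions (not from the original post): service "kopano-server", database
# "kopano" readable via ~/.my.cnf, apt-get as package manager, and
# "kopano-dbadm k-1216" as the names-table repair command.
set -eu

DB_NAME="${DB_NAME:-kopano}"
DUMP_DIR="${DUMP_DIR:-/var/backups/kopano}"
DRY_RUN="${DRY_RUN:-}"   # any non-empty value prints the plan instead of running it

# run: execute a command, or print it when DRY_RUN is set, so the whole plan can
# be reviewed before anything touches the live server.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# dump_database: consistent dump before any schema change. Aborts the whole
# procedure if the dump file is missing or empty, so the repair is never run
# without a way back.
dump_database() {
    out="$DUMP_DIR/$DB_NAME-pre-8.5.8-$(date +%Y%m%d-%H%M%S).sql.gz"
    run mkdir -p "$DUMP_DIR"
    if [ -n "$DRY_RUN" ]; then
        printf '+ mysqldump --single-transaction %s | gzip > %s\n' "$DB_NAME" "$out"
    else
        mysqldump --single-transaction "$DB_NAME" | gzip > "$out"
        [ -s "$out" ] || { echo "dump $out is missing or empty, aborting" >&2; return 1; }
    fi
}

# upgrade_kopano: the full ordered procedure. The server is stopped first so the
# dump and the names-table repair do not race with live writes; it is only
# started again after kopano-dbadm has returned successfully (set -e aborts
# the sequence at the first failing step).
upgrade_kopano() {
    run systemctl stop kopano-server
    dump_database
    # Hypothetical package step: extend to the other kopano-* packages you have installed.
    run apt-get install --only-upgrade -y kopano-server
    run kopano-dbadm k-1216
    run systemctl start kopano-server
}

# Usage: DRY_RUN=1 sh upgrade-kopano.sh --run   (print the plan)
#        sh upgrade-kopano.sh --run             (execute it)
if [ "${1:-}" = "--run" ]; then
    upgrade_kopano
fi
```

Review the dry-run output first; the only step that is allowed to fail silently is none, which is why the script uses `set -e` rather than checking each command by hand.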
More information about the upgrade and fixes can be found here:
- Kopano Groupware Core 8.5.7 release blog
- Check if upgrading kopano-server to 8.5.7 and up will succeed
- kopano-server no longer starts after upgrading - K-1216
- kopano-dbadm k-1216 troubleshooting