Particle,
I do understand your frustrations as I am in the same boat. However.....
Actually, we paid Mitel a lot of money back in the day. After all the updates over the last year, I did not expect these vulnerabilities to still exist on this platform. Apologies for any bad feeling.
That was when Mitel 'owned' and ran it. That was a long time ago, and before v7, v8 and v9.
That vulnerabilities exist in these particular parts of the platform is not entirely our responsibility.
Unfortunately, we are bound mainly by what comes down from upstream. Remember that SME v8 is based on RHEL/CentOS 5 and SME v9 on RHEL/CentOS 6. It is a pile of code that sits on top of someone else's core distribution to make it easier to manage that core. We try to touch the actual core as little as possible.
I don't mind supporting people like Daniel who have provided a rock star response (see tip jar). But pointing fault with people who are responsibly updating clients by incremental minor versions (which is what caused this) is just preposterous. Otherwise you're basically saying that SME will only work with old vulnerable software.
Dan is one of the most important people around here. Without him and his work there would barely BE a SME server !!! Remember that he, like all of us, is an unpaid volunteer. We do it because we want to, not because we get paid to.
No one was pointing fault at you for updating your software - they did point out that the SME server is open source, and essentially free to use, and with no guarantees.
If you want those then you need to look at a system with commercial support.

And even then you may not get the answer you want - my guess is RHEL would advise you to upgrade to RHEL 7.
The point is that a vulnerability has been discovered in a protocol in software originally provided by RHEL. The client program then refuses to use that protocol. Upstream have no updates. SME is built on top of a platform that does not currently have a solution. The people to really complain to are RHEL.
Now, we could try and look at building our own packages etc (we have just started doing that for clamav to make sure it stays more up to date) BUT, that depends on manpower, and we just don't have anywhere near enough. It is a struggle to keep up things as they are, let alone running off and building our own stuff. We would then also leave ourselves exposed to the risks of running more up to date versions that have not gone through such rigorous checking as they would if they come from RHEL/CentOS.
Many people use SME because they want stability, not bleeding edge. Unfortunately this is one isolated area that we are really stuck on and there are no easy answers to it.
Caught between a rock and a hard place.....
Yes, we could go and try to update to RHEL/CentOS 7 but that is going to take a massive effort, and unless more people come forward to help, it won't happen for some while yet.
Note I am not trying to have a go, but trying to point out the situation that we are in for you, and others ...... sometimes we just can't win !
B. Rgds
John
President, Koozali Foundation Inc.