Zimbra Releases/8.8.15/P37
Zimbra Collaboration Joule 8.8.15 Patch 37 GA Release
Release Date: February 21, 2023
Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation section for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.
NOTE: If you are upgrading or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read Things to Know Before Upgrading and First Steps with the Zimbra NG Modules for critical information before you upgrade.
NOTICE: For PreAuth
A new LC attribute zimbra_allowed_redirect_url has been introduced to control the PreAuth RedirectURL. By default, the value of this attribute is blank, which means the preauth redirect would allow only a single URL, the one set in the zimbraPublicServiceHostname LDAP attribute. If the preauth redirect URL is different from the URL in the zimbraPublicServiceHostname attribute, then it will allow the URL in zimbra_allowed_redirect_url. Following are some more details on the LC attribute zimbra_allowed_redirect_url:
1. It accepts a single URL at a time.
2. It allows redirects to other links under the domain as long as they start with the domain set in the zimbra_allowed_redirect_url attribute. For example, if zimbra_allowed_redirect_url is set to https://wiki.zimbra.com, then PreAuth RedirectURL also allows access to https://wiki.zimbra.com/wiki/Zimbra_Releases.
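The rule described above, sketched as an added example (this is not Zimbra's own code): the target is compared on its parsed scheme, host and port, and then on a path-segment boundary, so a look-alike host that merely begins with the allowed string is not accepted. The function name, the host mail.example.com and the treatment of plain absolute paths as same-site are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, port) of an absolute http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # malformed port or bracketed host
        return None


def is_allowed_redirect(target, public_hostname, allowed_redirect_url=""):
    """Hypothetical check mirroring the rule in the release note."""
    # Browsers and URL parsers disagree on backslashes, whitespace and
    # control characters, so refuse them before parsing.
    if any(c == "\\" or ord(c) <= 0x20 for c in target):
        return False
    # Assumption: a plain absolute path stays on the mail host.
    if target.startswith("/") and not target.startswith("//"):
        return True
    origin = _origin(target)
    if origin is None:
        return False
    # Default rule: the host named in zimbraPublicServiceHostname.
    if origin[1] == public_hostname.lower():
        return True
    # Optional rule: the single URL in zimbra_allowed_redirect_url (blank = off).
    if origin != _origin(allowed_redirect_url):
        return False
    base = urlsplit(allowed_redirect_url).path.rstrip("/")
    path = urlsplit(target).path
    if ".." in path.split("/"):
        return False
    # Compare on a path-segment boundary, not as a raw string prefix.
    return path == base or path.startswith(base + "/")


if __name__ == "__main__":
    # Constructed sample values.
    for url in ("https://wiki.zimbra.com/wiki/Zimbra_Releases",
                "https://wiki.zimbra.com.example.net/"):
        print(url, is_allowed_redirect(url, "mail.example.com", "https://wiki.zimbra.com"))
```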
Change in upgrade process for 8.8.15 Patch 37
Please note that the install process has changed. Additional steps to install the zimbra-common-core-jar, zimbra-common-core-libs, and zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation section to install the packages in order.
Changes required for SSO setup before patch upgrade
Before upgrading, set the zimbraVirtualHostName parameter for the domains that use SAML and SSO based login. Please follow the instructions:
su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname
Security Fixes
Summary | CVE-ID | CVSS Score | Zimbra Rating |
---|---|---|---|
The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities. | CVE-2023-0286 | TBD | Low |
Strengthened the PreAuth servlet to redirect only to an admin-configured URL, which prevents security issues related to open redirection vulnerabilities. | CVE-2023-24030 | TBD | Low |
Previously, the account status was not validated when sending emails using 2FA. Added additional validations for user accounts to check the account status and allow email operations. | CVE-2023-26562 | TBD | Medium |
Strengthened security of Zimbra product by disallowing usage of some JVM arguments in mailbox manager. | CVE-2023-24032 | TBD | Low |
The Perl compress zlib package has been upgraded to version 2.103-1 to fix an out-of-bounds access vulnerability. | CVE-2018-25032 | 7.5 | Low |
Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.
What's New
Package Upgrade
- Perl compress zlib package has been upgraded from 2.069 to version 2.103-1
ZCO
- ZCO now supports the use of a partial sync feature during initial and delta/regular sync for Shared Mailbox. An option -smd <value greater than zero> can be used with the ZmCustomizeMsi.js script. The SharedFolderMailCutoffDays <value greater than zero> attribute is also required to be set in the registry.
Fixed Issues
Platform
- When the timezone is set to Asia/Yangon, the zmswatch and zmlogswatchctl services failed to start. The issue has been fixed. ZBUG-3261
- When creating an appointment without a body and sending it to the EWS user, NPE errors were seen and the appointment was not visible to the recipient. The issue has been fixed. ZBUG-3124
- Corrected hardcoded syslog configuration to system defined configuration. ZBUG-3053
- When installing the zimbra-patch package, it was redeploying all standard zimlets and overwrote the previously deployed zimlet configurations. The issue has been fixed and the zimlets are no longer re-deployed. ZBUG-2722
Web UX - Classic
- Fixed the issue in Classic UI where the out-of-office date was changed when selecting any date in the month of February. ZBUG-3252
- Fixed the issue where appointment dates were sometimes displayed backwards when a calendar appointment was re-opened. ZBUG-2311
Admin Web Console
- User can now add notes on multiple lines in the Admin UI at the path Home > Manage > Accounts > user@domain.com > General Information > Notes. ZBUG-3027
ZCO
- Corrected French translation on Room Finder UI. ZBUG-3002
Zimbra Drive
- The preview is no longer offered for documents larger than 10 Mb and images larger than 20 Mb, to avoid server resource consumption and possible crashes.
NG Backup
- The external restore operation now supports account UUIDs both in the accounts parameter and in an input file.
- The getAvailableAccount command now provides a parameter to generate a file and to choose the headers.
- ExternalRestore follows the order of the accounts provided in the accounts or input_file parameter.
NG HSM
- Underscores have been removed from object storage types such as CustomS3 and ScalityS3.
NG Mobile
- Fixed a bug that caused iOS mobile devices to synchronize replies to calendar appointments multiple times.
- Fixed a bug that caused exceptions in recurring calendars not to be synchronized properly via EAS.
- When using NG Mobile, the calendar events were not fully synced to the phone in certain scenarios. The issue has been fixed. ZBUG-3001
Known Issues
- While deploying zimlets, if the following error is encountered, please refer to the Patch Installation section to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
    at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
    ... 1 more
- From Joule-Patch-32 onwards, customers using SSO will need to update the zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
- With JDK 17, weaker Kerberos encryption types like 3DES and RC4 are now disabled by default. This can cause SPNEGO auth to fail if these encryption types are being used. We recommend using stronger encryption types like AES256.
To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow the instructions below:
1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true
2. Restart mailboxd service:
su - zimbra
zmmailboxdctl restart
Packages
The package lineup for this release is:
FOSS:
PackageName -> Version
zimbra-patch -> 8.8.15.1676037803.p37-1
zimbra-mta-patch -> 8.8.15.1676037803.p37-1
zimbra-proxy-patch -> 8.8.15.1676037803.p37-1
zimbra-ldap-patch -> 8.8.15.1676037803.p37-1
zimbra-mbox-webclient-war -> 8.8.15.1676019993-1
zimbra-common-core-jar -> 8.8.15.1676020603-1
zimbra-mbox-admin-console-war -> 8.8.15.1676019834-1
zimbra-chat -> 4.0.3.1654677981-1
zimbra-drive -> 1.0.14.1588924560-1
zimbra-perl-compress-raw-zlib -> 2.103-1zimbra8.7b1
zimbra-perl-date-manip -> 6.90-1zimbra8.7b1
zimbra-perl -> 1.0.7-1zimbra8.7b1 (For RHEL8, UBUNTU20 : 1.0.8-1zimbra8.7b1 )
zimbra-openssl -> 1.1.1t-1zimbra8.7b4
zimbra-core-components -> 2.0.22-1zimbra8.8b1
zimbra-ldap-components -> 1.0.22-1zimbra8.8b1
NETWORK:
PackageName -> Version
zimbra-patch -> 8.8.15.1676464123.p37-2
zimbra-mbox-ews-service -> 8.8.15.1676296302-1
zimbra-zco -> 8.8.15.1927.1676464022-1
zimbra-talk -> 4.0.3.1673533079-1
zimbra-connect -> 1.0.30.1635424238-1
zimbra-docs -> 3.0.10.1663658159-1
zimbra-drive-ng -> 3.0.17.1637855904-1
zimbra-zimlet-auth -> 1.0.5.1652971904-1
zimbra-network-modules-ng -> 6.0.38.1672292497-1
Patch Installation
Please refer to below link to install Joule 8.8.15 Patch 37:
Quick note: Open Source repo
The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build