Zimbra Releases/10.0.4: Difference between revisions
m (→Security Fixes) |
m (→Security Fixes) |
||
Line 33: | Line 33: | ||
|style="border: solid #ffffff;"| An attacker can gain access of logged-in user’s mailbox through XSS. | |style="border: solid #ffffff;"| An attacker can gain access of logged-in user’s mailbox through XSS. | ||
|style="border: solid #ffffff; text-align: center;"| [https://nvd.nist.gov/vuln/detail/CVE-2023-43102 CVE-2023-43102] | |style="border: solid #ffffff; text-align: center;"| [https://nvd.nist.gov/vuln/detail/CVE-2023-43102 CVE-2023-43102] | ||
|style="border: solid #ffffff; text-align: center;"| | |style="border: solid #ffffff; text-align: center;"| 6.1 | ||
|} | |} | ||
Latest revision as of 12:59, 20 November 2024
Zimbra Collaboration Daffodil 10.0.4 Patch Release
Release Date: September 13, 2023
Check out the Security Fixes, Things to Know Before Upgrading and Known Issues sections for this version of Zimbra Collaboration. Please refer to the Patch Installation steps for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.
NOTICE: Guarding Against XSS: Security Update
Zimbra team identified security vulnerabilities in all versions of the Zimbra Collaboration Suite that could potentially allow unauthorised access to Zimbra accounts.
To address this, fixed the insufficient URL parameter sanitisation and removed deprecated file.
For customer's installing the patch on multi-server environment, the changes are applicable only to the Mailstore node. No packages will be installed on other nodes - MTA, Proxy, LDAP. So after applying this patch, the updated patch version will only be displayed for Mailstore node. The other nodes will continue to display previous installed patch version as Release 10.0.2.
Security Fixes
Summary | CVE-ID | CVSS Score |
---|---|---|
XSS on one of the web endpoint via non sanitised input parameter. | CVE-2023-43103 | 6.1 |
An attacker can gain access of logged-in user’s mailbox through XSS. | CVE-2023-43102 | 6.1 |
Things to Know Before Upgrading
Important Upgrade Instructions for Daffodil v10 version older than build 10.0.0_GA_4452
If you are currently using the Beta version build of Daffodil v10 (10.0.0_GA_4452), please follow these upgrade instructions:
- Upgrade to the latest GA Version build 10.0.0_GA_4518: It is crucial to first upgrade to the latest GA version before proceeding with any further updates. This latest GA release includes essential updates, including modifications to the database schema and various other feature improvements.
By following this upgrade path, you ensure that your system is properly updated, incorporating the necessary database schema changes and other critical updates introduced in the latest GA build.
Please review the following information to decide if Zimbra Daffodil (v10) is suitable for you.
- Zimbra Touch Client, Zimbra Mobile Client, and Zimbra HTML (Standard) Client are no longer a part of Zimbra starting from Version 9.0.0.
- A Zimbra Network Edition license is required to use Zimbra Daffodil (v10).
- The customizations implemented for SAML and SPNEGO will be overridden during an upgrade. It is recommended to backup these configurations before upgrading the server.
- In case of rolling upgrades, if some mailstore nodes are upgraded to zimbra-10 and some mailstore nodes are on Zimbra 9.0.x or Zimbra 8.8.15 then,
zimbraReverseProxyUpstreamLoginServers
should only contain the list of Zimbra 10.0.0 mailboxes. If this is not followed then in some cases, users on zimbra-10 mailstore nodes will not be able to see Modern Web App after login. - Zimbra (v10) continues to support two versions of Zimbra Web Client -- Modern and Classic.
- To know more about the highlights of the Modern Web App, please refer to Introducing the Modern Web Application
- The Classic Web App offers the same functionality as the Advanced Web Client in Zimbra version 8.8.15.
- Existing customized themes, logo branding changes, and crontab changes are incompatible with, and hence do not reflect in the Modern Web App. Branding needs to be re-configured to work with the Modern Web App. The Modern Web App does not currently support themes. Please refer to the Customizing Modern Web App section of Admin Guide for more information related to configuration.
- Zimlets are supported on both the Web Clients.
- Zimlets that work with the Classic Web App are incompatible with the Modern Web App. And due to technology changes, there is no way to migrate the Zimlets from the Classic Web App to the Modern Web App or vice-versa.
- For Non-NG setups, recommendations when using mailbox move (through zmmboxmove utility) on Rolling-Upgrade environment:
- Always take full backup *before* doing zmmboxmove.
- If using Storage Management with primary and secondary storage as Internal, then set
zimbraMailboxMoveSkipBlobs
andzimbraMailboxMoveSkipHsmBlobs
attributes to FALSE before doing zmmboxmove. - Always recommended to run HSM and move blobs to current primary/secondary volumes in case of multiple primary/secondary volumes present in the system before doing
zmmboxmove
. zmmboxmove
command should be run from Zimbra (v10) mailbox server.
After you review the tasks in this section, please go to Upgrade Instructions.
Known Issues
Zimbra Collaboration
- On a NG based rolling-upgrade setup, when either sharer or sharee is not moved to zimbra-10 server and the drive data is imported through the NG Migration utility, the drive files sharing information is not available. Hence, the shared files are not available after the import.
Workaround - Before importing the Drive data for the users, move the sharee and sharer from NG server to zimbra-10 server.
- When upgrading to Zimbra 10 using the rolling upgrade mechanism, if a user on Zimbra 10 shares a Briefcase file with a user on Zimbra 9, then while UI will display a 'Permission denied' error to the user on Zimbra 10, the user on Zimbra 9 still ends up receiving an email that the file has been shared. Even though the mail is received by the Zimbra 9 user, they will not be able to access the file, as the file sharing feature is not available in Zimbra 9.
- During Rolling Upgrade to Zimbra 10, a user on Zimbra 9 may share a Briefcase folder with a Zimbra 10 user. However, since files were not shared with Zimbra 10 user, the files within the shared folder are not accessible to the Zimbra 10 users.
- During Rolling Upgrade to Zimbra 10 from Zimbra 9/8.x having NG modules installed, when a Zimbra 9/8.x user creates new files from Briefcase, it results in a error "TypeError: g is null".
- During Rolling Upgrade to Zimbra 10, a user on Zimbra 10 may share a file with a Zimbra 9 user. However, Zimbra 9 user will not be able to access the file from the shared URL.
- Zimbra inheritance is followed when setting LDAP attributes. When using Backup & Restore->Message recovery settings from Admin UI, if the value of zimbraDumpsterEnabled attribute is FALSE at COS level and TRUE at Domain level, then the value at COS level will be considered. So the issue here is- adding Domains in the message recovery settings will have no impact on message recovery if the COS level attribute is set to its default value FALSE.
- Backup and Restore - When mail-store server is restored after moving some of its accounts to another mail store, then old mail data like blobs, metadata, etc. of the accounts which have been moved to another mail store, will also get restored. The workaround is to - execute the restore with --ignoreRedoErrors OR with -rf options like zmrestore -a all --ignoreRedoErrors
- When user clicks on a file in Briefcase, a preview is displayed for the supported file formats. User can also edit these files in a separate window. The changes take a long time to be reflected in the preview, and sometimes user might need to click on the file multiple times to view the changes.
- When editing documents from Briefcase, the documents are opened in a separate browser window in which users can edit the document. However, the updated contents are not reflected in the Briefcase file, unless the separate browser window is not closed by the user.
- User is not able to search files in the "Files shared with me" folder, within Briefcase.
- Re-sending a file share for a Briefcase document throws the error, "A network service error has occurred".
Web UX - Admin
- In Admin UI, if two users are assigned the Administrator privilege followed by "Assign default domain administrator views and rights", there is an error displayed for the second user, and the request is not completed. This happens due to a caching issue, and flushing the cache of the mail-store resolves this issue.
Mobile Sync
- On iOS Native App, if the Mail, Calendar, and Contacts folders are shared with the user, the shares are not displayed on the App.Similarly, for Windows Outlook and Windows Native Contacts App, if the Contacts folder is shared with the user, the shares are not displayed on the App.
Workaround - The user will have to reconfigure his account on the device to get the shares mounted on the device.
- Exchange ActiveSync protocol currently does not support Read-Only permission sharing. It is recommended not to enable Sharing for the users having shares with Read-Only permission.
- In a Rolling-upgrade environment, if a zimbra-9 user shares a calendar with zimbra-10 user, the events are not synced.
Workaround - For the Rolling-Upgrade environment involving the NG mailbox server, due to technical differences between the NG Mobile feature and Zimbra (v10) Mobile Sync feature, it is recommended to use Sharing feature after moving all the accounts to zimbra-10 mailbox server.
- For Windows Mail App, the Sent folder emails are not displayed after blocking and unblocking the user.
Workaround - The user can remove and reconfigure the account on the app.
- When using iOS Outlook App, Out of Office settings are not synced to the user's account in Web App.
- When the organizer and attendee use the Outlook app, if the organizer cancels an instance from a recurring meeting, the same is not reflected on the attendee's calendar.
Backup Restore
- When using backup and restore to move data from source 9.x NG server to destination 10.x server, if both the source and destination, primary volumes are 'External', and zimbraBackupSkipBlobs is set to True, then emails moved secondary volume throw 'Missing Blob for item' error.
- When an account is restored using backup data from NG external secondary volume, the account is displaying garbled data for emails on the destination server.
- When we schedule backup using zmschedulebackup command, backup is getting scheduled in crontab and LDAP attributes are updated with appropriate values.
Packages
The package lineup for this release is:
PackageName -> Version zimbra-patch -> 10.0.4.1694193513-2 zimbra-mbox-webclient-war -> 10.0.4.1694175766-1
Patch Installation
Please refer to the steps below to install Daffodil 10.0.4 Patch on Redhat and Ubuntu platforms:
Before Installing the Patch, consider the following:
- Patches are cumulative.
- A full backup should be performed before any patch is applied. There is no automated roll-back.
- Switch to
zimbra
user before using ZCS CLI commands. - Important! You cannot revert to the previous ZCS release after you upgrade to the patch.
- Important Note for ZCS Setup with Local ZCS repository: Customers who have set up local ZCS repository should first update the local repository by following instructions in wiki
If you have patch 10.0.1 or an older version installed, then follow below link to install Daffodil Patch 10.0.4:
Patch Installation link : https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.0/patch_installation
If you have patch 10.0.2 or patch 10.0.3 installed, then follow below instructions to apply this patch only on mailbox node:
Redhat
Install/Upgrade zimbra-patch
on Mailbox node
- As
root
, install the package:
yum install zimbra-patch
- Restart
ZCS
aszimbra
user:
su - zimbra zmcontrol restart
Ubuntu
Install/Upgrade zimbra-patch
on Mailbox node
- As
root
, install package
apt-get install zimbra-patch
- Restart
ZCS
aszimbra
user:
su - zimbra zmcontrol restart