Zimbra Releases/10.1.1

Revision as of 08:16, 26 September 2024 by Dawood Shaikh (talk | contribs)


Zimbra Daffodil (v10.1.1) Patch Release

Release Date: September 04, 2024

Check out the What's New, Things to Know Before Upgrading and Known Issues sections for this version of Zimbra Collaboration.

Things to know before you upgrade

Changes to Licensing System

Zimbra Daffodil (v10.1) introduced a new license service with significant changes in licensing management. A new service named License Daemon Service (LDS) has been added and is required to support the management of the license. Please refer to the Licensing Enhancement section for more details.

NOTE: Please reach out to Support to get your 10.1.0 license before you plan your installation or upgrade. You will not be able to proceed with the upgrade without the new license key.

Security Fixes

| Summary | CVE-ID | CVSS Score |
|---|---|---|
| A stored XSS vulnerability in the `contacts/print` endpoint has been addressed. | CVE-2024-45513 | TBD |
| Fixed a security vulnerability in the postjournal service which may allow unauthenticated users to execute commands. | CVE-2024-45519 | TBD |
| A Server-Side Request Forgery (SSRF) vulnerability that allowed unauthorized access to internal services has been addressed. | CVE-2024-45518 | TBD |
| A Cross-Site Scripting (XSS) issue that allowed an attacker to inject and execute malicious code via email account configurations has been resolved. | CVE-2024-45194 | TBD |
| A Cross-Site Scripting (XSS) vulnerability in the `/h/rest` endpoint has been fixed. | CVE-2024-45517 | TBD |
| Resolved Cross-Site Scripting (XSS) vulnerability due to inadequate validation of metadata's Content-Type when importing files into the briefcase, preventing arbitrary JavaScript execution. | CVE-2024-45515 | TBD |
| A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. | CVE-2024-45516 | TBD |
| A Cross-Site Scripting (XSS) vulnerability caused by a non-sanitized `packages` parameter has been resolved. | CVE-2024-45514 | TBD |
| A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. | TBD | TBD |
| Fixed a reflected XSS vulnerability in the Briefcase module due to improper sanitization by the OnlyOffice formatter. | CVE-2024-45511 | TBD |
| Fixed a Stored Cross-Site Scripting (XSS) vulnerability in the Briefcase module that could execute malicious code when interacting with folder share notifications. | CVE-2024-45512 | TBD |
| Fixed a stored XSS vulnerability that could lead to unauthorized actions when adding contacts from specially crafted emails. | CVE-2024-45510 | TBD |
| A Cross-Site Scripting (XSS) vulnerability in TinyMCE was addressed in the upgrade from version 7.1.1 to 7.2.0. | CVE-2024-38356 | Medium |

What's New

NOTE: Beta features are not supported and should not be installed on production systems. Beta modules have been provided for evaluation in lab environments only.

RHEL 9, Rocky 9, Oracle 9 Support (Beta)

With this release RHEL 9, Rocky 9, Oracle 9 Support (Beta) is available. Watch for the GA announcement in an upcoming patch release.

Ubuntu 22 GA

With this release Ubuntu 22 GA is available.

Note: Ubuntu 22 Pro subscription is required to enable FIPS mode.

Zimbra Collaboration

  • The Hide Alias in GAL feature enables the admin to hide the alias for the users. The admin can control this through the CLI and the Admin Console. Please refer to the admin guide section for more information.

Modern Web App

General

  • A new feature has been implemented to ensure that Zimbra Modern UI supports Windows High Contrast mode. This enhancement makes UI elements, including checkboxes, buttons, links, and toast messages, clearly visible and usable for visually impaired users.
  • Functionality to import and export ICS files to and from the calendar has been implemented, allowing for better calendar management and sharing across platforms. This feature has been developed as a zimlet which can be deployed by the administrator for individual users. Zimlet name - zimbra-zimlet-import-export-ics.
  • A new feature allowing users to export and download emails as EML files has been added. This feature has been delivered as a Zimlet which is accessible on the Web app, the desktop app, the tablet as well as the mobile app. Zimlet name - zimbra-zimlet-download-email.
  • Support for custom fonts in the Modern UI client and email composer has been added. Users can now utilize a broader range of fonts on the desktop for their emails. Zimlet name - zimbra-zimlet-custom-fonts.
  • An option to turn off the deletion of appointments for declined meetings has been implemented. Users can now retain appointments in their calendars even if they decline the meeting.
  • A PostCSS line return parsing error has been fixed, improving the stability and reliability of the stylesheet processing in the Modern UI.
  • Implementation of truncated folder names in the Modern UI has been completed. Folder names that are too long will now be truncated appropriately to fit the interface.

Mail

  • The tap-to-read or select functionality in the mobile mail list has been reconfigured to allow a larger tap area. This update improves the user experience by making it easier to interact with emails on mobile devices.
  • The formatting of footer and signature elements in mobile views has been adjusted for better readability and presentation.
  • The folder list is no longer shown when composing emails in the Modern UI, reducing cognitive load for the user when composing the email and reducing visual clutter.


Please refer to the user guide here for the new zimlets introduced in 10.1.1.

Admin Web Console

  • In Admin Console -> Home → Configure → Global Settings → Mobile, a new button "Remove from list" has been added that will remove devices from the device list and database. Devices using the EAS 16.0 version can only be removed from the list. The device will re-appear in the list if the account re-syncs from the device.

Licensing

  • The enhancement "Feature in Grace Period" gives information on the features that exceed the licensed limits and enter a 10-day grace period. Please refer to the admin guide section for more information.

Fixed Issues

Zimbra Collaboration

  • The LDS logging mechanism has been enhanced with a rolling policy that manages log files based on size and time. Refer to the admin guide section for more information.
  • A file having a file name and contents in Japanese, received as an email attachment is correctly previewed.
  • In ZCS 10, the OnlyOffice repository path has been removed from the installer. Users must now configure the OnlyOffice repository before installation. If this step is missed, the installer will not provide the option to install OnlyOffice. To address this, a new script has been provided for installing OnlyOffice post-installation. The script is compatible with ZCS 10.1. As a root user, execute the script `/opt/zimbra/bin/zmonlyofficeinstall`.
  • Folder names with the + sign were not returned when listing folders through IMAP. The issue has been fixed.
  • When creating a draft in a Web App with the subject and body containing special characters (Č, ć, ž, š, đ), syncing it with Gmail where the user's account is configured using ActiveSync and then editing the draft in Gmail results in unexpected characters (e.g., ?) appearing when syncing back to ZWC. The issue has been fixed and the characters now appear correctly.
  • Even if the commercial certificates were installed on the server, OnlyOffice used self-signed certificates. The issue has been fixed.
  • The issue of a lock failure exception during folder synchronization on Android devices has been resolved. The problem occurred when syncing deleted subfolders and shared mail across multiple devices simultaneously.
  • The issue with ActiveSync has been fixed where folder IDs in the receiving account were overwritten by shared folder mount points during sync. This caused messages to appear in incorrect folders. The problem has been resolved, ensuring folder IDs remain correct and messages stay in their intended folders. Users facing this issue will have to reconfigure their account on the device.
  • The problem where it was not possible to remove a mobile device from the admin console has been addressed. Admins can now successfully remove mobile devices as needed.
  • After upgrading to version 10.0.6, users encountered a "no such object" error. This issue has been fixed, and the error no longer occurs.
  • Fixed an issue where, in a certain scenario, license renewal alerts were sent to all the users using the IMAP protocol to access their emails.
  • Fixed an issue with Apple Calendar where the attendee's free/busy information was not displayed when creating a new event.
  • Support for zmblobchk has been added to ensure consistency checks for mailboxes using S3 external storage for secondary or primary volumes. Previously, zmblobchk reported "blob not found" errors for messages stored on S3. zmblobchk now correctly handles and verifies data on S3, improving the accuracy of mailbox consistency checks.
  • When using the OWASP sanitizer, certain emails were not displayed correctly. The issue has been fixed.
  • The problem where signature images failed to load with an "Error 401 (unauthorized)" has been fixed. Signature images now load correctly.
  • An issue has been resolved where file attachments with UTF-8 encoded names sent from Outlook for Mac were not decoded correctly in the Web App.
  • When the Undo Send feature was enabled and a delegate attempted to send an email on behalf of the delegator, an error occurred and the email was not sent. This issue has been fixed.
  • The issue where users received "No such message exists" error messages for drafts has been resolved. Draft messages now behave as expected without triggering errors.
  • Fixed an issue with logging where the mailbox logs were getting flooded for accounts set up through the EWS protocol.

Modern Web App

General

  • The issue where the "sender address is suspicious" warning was incorrectly triggered due to case differences in the email address has been resolved. The check for suspicious email addresses is now case-insensitive, in compliance with RFC standards.
  • An issue where extra body content was being added in the Modern UI mail body under certain conditions has been corrected.
  • An issue in the Modern UI where moving emails in "Conversation view" caused unexpected behavior has been fixed.
  • The issue where email body/text alignment in the Modern UI web app was incorrect has been resolved.
  • Scrolling issues within the Modern UI have been addressed. Users should now experience smooth and consistent scrolling behavior across all supported apps including Zimbra desktop.
  • The problem where S/MIME signing did not work in the Modern UI has been addressed. S/MIME signing functionality is now fully operational.
  • An issue where editing the attendees or the body of a new event would not save the changes correctly has been fixed. All edits are now properly saved.
  • The issue where meeting invitation emails incorrectly displayed a conflict banner for meetings has been resolved. The conflict banner now only shows when there is an actual scheduling conflict.
  • An issue in Zimbra Connector for Outlook (ZCO) where creating a folder of unknown type resulted in errors has been fixed.
  • The issue where there was no save button after searching and editing a contact has been resolved.
  • In the Modern UI, an issue where Zimbra incorrectly showed all folder types in the folder tree has been fixed.
  • An issue where multi-day all-day appointments were truncated to a single day has been fixed. Multi-day all-day events now display correctly across all intended dates.


Mail

  • An issue where wide elements in emails were not displayed correctly when reading on mobile has been addressed. Emails now render properly on mobile devices regardless of content width.
  • The "Edit as new" option was previously unavailable when no predefined signature was set. This issue has been resolved, and the option is now accessible regardless of signature settings.


Calendar

  • The issue where the "Today" button on the calendar print dialog was not working has been fixed. The button now correctly navigates to today's date in the print preview.
  • An issue in the Modern UI where the "New Event" body did not wrap text properly has been resolved. Additionally, the button alignment has been corrected to ensure proper layout.
  • The issue where an error was thrown upon clicking the "Show Availability" button in the calendar has been resolved. Users can now view availability without encountering errors.


Classic Web App

  • If a user had selected the classic UI as the default UI, the user would get redirected to the classic UI even on a mobile browser. This issue has been fixed, and the user now gets redirected to the modern UI on mobile devices irrespective of the selection of the default UI.
  • If the change password option was disabled for a user, that would also disable the preferences tab for that user.
  • The issue where the compose window would throw an error when adding attachments after the initial attachment was removed has been fixed.
  • An issue where emails with attachments would fail to send when saved as drafts has been resolved.
  • The issue where the compose window would throw an error after a draft is deleted has been fixed.
  • The issue where the compose tab for an email 'Forward' action was overwritten by another draft has been resolved. Each compose action now opens in its own separate tab without interference.


Admin Web Console

  • The issue where the "Control+A" shortcut was not working to select all text in the Search bar of the Zimbra Admin Panel has been resolved. This fix now allows users to correctly use "Control+A" to select text in the search field across supported browsers.
  • The issue where a member with a one-letter sub-domain in their email address could not be added has been resolved. Members with such email addresses can now be added without issues.
  • The problem where email addresses with a one-letter sub-domain failed to send has been corrected. Emails with such addresses now send successfully.


Zimbra Connector for Outlook

  • ZCO stops syncing when NO_NAME is encountered in any contacts. The issue has been fixed.
  • Fixed an issue where the tags created in the Web App were getting overwritten with tags created in ZCO.

Infrastructure

  • When using self-signed certificates on Ubuntu22 and RHEL9 OS, Kerberos authentication does not work and gives a certificate error. Ubuntu22 and RHEL9 use the latest gsasl package version. Use any one of the following ways to get Kerberos authentication working with self-signed certificates:

i. Using System Trust Settings: Add the Zimbra self-signed certificate to the "trusted list"

ii. Specify --x509-ca-file as '--x509-ca-file="path"'

iii. Ignoring Certificate Verification Errors: Use --x509-ca-file with the empty string ("") as a file name to use the old behavior to not abort on server certificate verification failures. There is no issue if the commercial certificate is set up on the server.

Known Issues

Modern Web App

Mail

  • When replying to or forwarding an email in plain text with attachments, an error message stating "Failed to Process this request" may appear when the draft is auto-saved. This issue occurs after switching the email format from HTML to plain text, especially when the email contains an image in the signature.
  • When viewing a message that was sent to any distribution lists, each distribution list is displayed twice.
  • "Edit as New," "New Event," and "Print" functionalities do not work when the preview pane is disabled in the Zimbra Modern UI. As a workaround, please enable the preview pane to use these features.
  • Users have reported encountering a “TypeError: r.querySelectorAll is not a function” error when trying to read emails in Zimbra Modern UI and Zimbra Desktop 4.39.0. This error prevents users from reading their emails. The issue appears to be specific to Zimbra Modern UI version 4.39.0 which was released with ZCS 10.1.1 release.
    • Workaround:
      • Clear Browser Cache - Ensure that the browser is not loading an older cached version of Modern UI. Clear the cache or try accessing the Modern UI in incognito mode.
      • Zimlet Reinstallation - For users experiencing this issue, re-deploying the zimbra-zimlet-date Zimlet may resolve the problem. Here are the steps:
su - zimbra
cd /opt/zimbra/zimlets-deployed
zmzimletctl undeploy zimbra-zimlet-date
cd /opt/zimbra/zimlets-network/
zmzimletctl deploy zimbra-zimlet-date.zip

- Restart the mailbox service

zmmailboxdctl restart

Briefcase

  • If a new sub-folder is created by the user, that sub-folder is displayed twice instead of once. The issue gets resolved upon refreshing or logging in again to the web client.

Mail

  • EML file importing is not working on Zimbra version 10.0.0 and above.


Packages

Jira ticket:

The package lineup for this release is:

zimbra-patch                                      ->  10.1.1.1724988106-2
zimbra-mta-patch                                  ->  10.1.1.1724761277-1
zimbra-onlyoffice-patch                           ->  10.1.1.1724761277-1
zimbra-lds-patch                                  ->  10.1.1.1724908948-1
zimbra-proxy-patch                                ->  10.1.1.1724761277-1
zimbra-ldap-patch                                 ->  10.1.1.1724761277-1
zimbra-common-core-jar                            ->  10.1.1.1724061993-1
zimbra-common-mbox-conf-msgs                      ->  10.1.1.1724051548-1
zimbra-mbox-ews-service                           ->  10.1.1.1724052257-1
zimbra-mbox-webclient-war                         ->  10.1.1.1723653022-1
zimbra-mbox-admin-console-war                     ->  10.1.1.1723652473-1
zimbra-license-extension                          ->  10.1.1.1724051264-1
zimbra-license-tools                              ->  10.1.1.1724050637-1
zimbra-mbox-store-libs                            ->  10.1.1.1724942484-1
zimbra-license-daemon                             ->  1.0.0.1724710964-1
zimbra-onlyoffice                                 ->  1.0.1718861068-1
zimbra-zco                                        ->  1944.1723811444-1
zimbra-nalpeiron-offline-daemon                   ->  1.0.0.1723222673-1
zimbra-modern-ui                                  ->  4.39.0.1724260715-1
zimbra-modern-zimlets                             ->  4.39.0.1724260715-1
zimbra-zimlet-classic-unsupportedbrowser          ->  4.1.1.1723729388-1
zimbra-zimlet-date                                ->  8.0.0.1723729388-1
zimbra-zimlet-restore-contacts                    ->  7.2.1.1723729388-1
zimbra-zimlet-set-default-client                  ->  10.4.1.1723729388-1
zimbra-zimlet-user-feedback                       ->  7.2.1.1723729388-1
zimbra-zimlet-classic-document-editor             ->  2.2.1.1723729388-1
zimbra-zimlet-classic-set-default-client          ->  1.1.0.1723729388-1
zimbra-zimlet-custom-fonts                        ->  1.0.0.1723729388-1
zimbra-zimlet-download-email                      ->  1.0.0.1723729388-1
zimbra-zimlet-import-export-ics                   ->  1.0.0.1723729388-1
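
One way to confirm that a node has reached this patch level is to compare its installed package versions against the lineup above. The script below is an added example, not part of the Zimbra release notes or tooling; the function names, the sample inventory and the `.u22` distribution suffix are assumptions, and only a subset of the lineup is embedded.

```python
import re

# Subset of the 10.1.1 package lineup, copied from the list above.
LINEUP = """\
zimbra-patch        ->  10.1.1.1724988106-2
zimbra-mta-patch    ->  10.1.1.1724761277-1
zimbra-proxy-patch  ->  10.1.1.1724761277-1
zimbra-modern-ui    ->  4.39.0.1724260715-1
zimbra-zimlet-date  ->  8.0.0.1723729388-1
"""

# Constructed sample inventory in "name version" form, for example from
#   dpkg-query -W -f='${Package} ${Version}\n' 'zimbra-*'
# The ".u22" distribution suffix is an assumption about local packaging.
SAMPLE_INSTALLED = """\
zimbra-patch 10.1.1.1724988106-2.u22
zimbra-mta-patch 10.1.0.1718000000-1.u22
zimbra-proxy-patch 10.1.1.1724761277-1.u22
zimbra-modern-ui 4.40.0.1726000000-1.u22
"""

def version_key(version):
    """Turn '10.1.1.1724988106-2.u22' into ((10, 1, 1, 1724988106), 2)."""
    upstream, _, release = version.partition("-")
    # Only purely numeric dotted components are compared.
    nums = tuple(int(p) for p in upstream.split(".") if p.isdigit())
    m = re.match(r"\d+", release)
    return nums, int(m.group()) if m else 0

def parse_lineup(text):
    """Parse 'name -> version' lines as printed in the release notes."""
    pairs = (line.split("->") for line in text.splitlines() if "->" in line)
    return {name.strip(): ver.strip() for name, ver in pairs}

def parse_installed(text):
    """Parse 'name version' lines from the package manager."""
    rows = (line.split() for line in text.splitlines())
    return {r[0]: r[1] for r in rows if len(r) == 2}

def audit(lineup_text, installed_text):
    """Return {package: 'ok' | 'outdated' | 'missing'} for the lineup."""
    required, installed = parse_lineup(lineup_text), parse_installed(installed_text)
    report = {}
    for name, want in required.items():
        have = installed.get(name)
        if have is None:
            report[name] = "missing"
        elif version_key(have) < version_key(want):
            report[name] = "outdated"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for name, status in audit(LINEUP, SAMPLE_INSTALLED).items():
        print(f"{status:9} {name}")
```

A "missing" result is expected on nodes that do not run the corresponding role; "outdated" is the status to act on.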

Patch Installation

Please refer to the link below to install 10.1.0:

Patch Installation

Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build
