Zimbra Releases/8.8.15/P25

Revision as of 06:12, 3 September 2021 by Dawood Shaikh (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Zimbra Collaboration Joule 8.8.15 Patch 25 GA Release

Check out the What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation section for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

NOTE: If you are upgrading or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read Things to Know Before Upgrading and First Steps with the Zimbra NG Modules for critical information before you upgrade.

Hotfix Alert


A fix was delivered in this patch to update the store with the new trusted certificate authorities. It replaced the open JDK ca store at /opt/zimbra/common/etc/java/cacerts after taking the backup of existing certificates in the directory. The backed up certificates were not added again and this resulted in a loss of all custom imported certificates and authorities. The issue has been fixed with the updated packages. Please re-apply the patch to fix the issue.


Security Recommendation

Zimbra would strongly recommend the customer to review whether the Proxy Servlet is configured to allow a particular host (via zimbraProxyAllowedDomains configuration setting on each class of services), please make sure each entry in zimbraProxyAllowedDomains should be a safe and trusted host, there should NOT be any wild card entries like *.webex.com instead use specific host example.webex.com.

Any entry in zimbraProxyAllowedDomains resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly. So we urge our customers to review this configuration setting to ensure that there are no vulnerabilities are introduced.


What's New

Package Upgrades


  • Nginx has been upgraded from 1.19.0 to 1.20.0.
  • Openldap has been upgraded from 2.4.49 to 2.4.59
  • Postfix has been upgraded from 3.5.6 to 3.6.1


Supported Operating Systems

Since Ubuntu 14.04, Oracle Linux 6 and CentOS/RHEL 6 Operating Systems are deprecated, please refer to https://www.zimbra.com/downloads/zimbra-collaboration/ for the list of supported Operating Systems.

For questions or guidance with upgrading your operating system please open a support case and our Support team is here to assist you.

Platform

  • Updated openjdk-cacerts from the latest Mozilla certdata.txt. This is needed for the mailbox service to trust more recent root CA certificates, like ISRG Root X1. Without this, the mailbox service won't be able to connect to 3rd party POP3/IMAP/DAV services using Let's Encrypt certificates anymore after September 30, when DST Root CA X3 expires, or to any other 3rd party service with a certificate issued by a recent root CA.

ZCO

  • Users now have an option to switch between the Zimbra Free Busy and Internet-Free Busy Provider. The option can be accessed at Zimbra -> Advanced Settings -> Free-Busy Provider. Please note that Outlook has to be run as an Administrator to view this option. Please refer to Userguide for more details.


Fixed Issues

Platform

  • Apart from zimbra-patch package, amavisd.conf.in config file has also been included in zimbra-mta-patch package.
  • New local config wsdl_use_public_service_hostname has been introduced to decide if the WSDL should use server's default hostname or public service host name set in zimbraPublicServiceHostname attribute. Default value of wsdl_use_public_service_hostname is set to true to use public service host name.
  • Fixed issue wherein Content-Transfer-Encoding 8bit caused corruption of S/MIME signature.
  • If the cos id set for a domain and not for its users, then the cos id was not getting displayed for the user when executing GetAccountRequest. The issue has been fixed. In this case, the domain's cos id will be referred and displayed.
  • OpenLDAP has been upgraded from version 2.4.49 to 2.4.59.
  • Some skin deployments in Classic Web App were failing due to misconfiguration. This is now fixed.

Zimbra Connect

  • "MuteForAll" button has been limited only to moderators. Now only room moderators can mute other people in a group, space, or channel meeting. Please note that Zimbra Connect Video Server is required to use this functionality.
  • With API version 14, the "add member" functionality is limited to groups and restricted only to moderators.
  • Added Snackbar that informs the user that has been muted. Please note that Zimbra Connect Video Server is required to use this functionality.
  • Fixed a bug that prevented the conversations to scroll on receiving new messages while "is writing" bubble is present.
  • Removed margin at the bottom of a connect conversation.
  • When the video server command is executed without any parameters, a list of options with descriptions will be shown as help output.

NG Backup

  • Improved the external restore and the fixShares operations so they can restore shared contacts in groups too.
  • The default value of the skip_domain_provisioning attribute has been set to false. So when restoring an account, all the attributes of that domain will get re-written by default.
  • Now the account restoration logs showing in phases and completion logs at the end.
  • Earlier, while performing an external restore without initializing the backup on the destination server, an error was encountered related to its backup location. The issue has been fixed and no errors are seen when doing an external restore.

NG Mobile

  • Users can now decide which folder to be excluded from syncing to Mobile through Active Sync. In the right-click context menu of the folder, click on *Folder Sync Settings* and uncheck Enable synchronization for this folder option to exclude the folder from syncing. Please note that System Folders cannot be excluded from the sync.

NG General

  • New config commands get,, set and unset has been added which can be used with zxsuite config command for account, cos, domain, server, and global levels. For e.g. zxsuite config get domain command will get all the configuration details for the domain, zxsuite config set cos command can be used to set a config parameter for a cos. zxsuite config unset account command can be used to remove the value of a config parameter for an account.


Known Issues

  • None


Patch Installation

Please refer to the steps below to install 8.8.15 Patch 25 on Redhat and Ubuntu platforms:

Before Installing the Patch, consider the following:

  • Patches are cumulative.
  • A full backup should be performed before any patch is applied. There is no automated roll-back.
  • Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.
  • Only files or Zimlets associated with installed packages will be installed from the patch.
  • Switch to zimbra user before using ZCS CLI commands.
  • Important! You cannot revert to the previous ZCS release after you upgrade to the patch.

8.8.15 Patch 25 Packages

The package lineup for this release is:

FOSS:

PackageName                     Version                            
zimbra-patch                  ->      8.8.15.1630590486.p25-2
zimbra-mta-patch              ->      8.8.15.1630590486.p25-1
zimbra-mta-components         ->      1.0.14-1zimbra8.8b1
zimbra-proxy-patch            ->      8.8.15.1630590486.p25-1
zimbra-proxy-components       ->      1.0.9-1zimbra8.8b1
zimbra-nginx                  ->      1.20.0-1zimbra8.8b2
zimbra-common-core-jar        ->      8.8.15.1629467494-1
zimbra-common-core-libs       ->      8.8.15.1623913824-1
zimbra-mbox-conf              ->      8.8.15.1568012813-1
zimbra-mbox-service           ->      8.8.15.1568694943-1
zimbra-mbox-store-libs        ->      8.8.15.1626439528-1
zimbra-mbox-war               ->      8.8.15.1618222785-1
zimbra-mbox-admin-console-war ->      8.8.15.1624007059-1
zimbra-mbox-webclient-war     ->      8.8.15.1623920145-1
zimbra-drive                  ->      1.0.13.1576152256-1
zimbra-core-components 	      ->      2.0.12-1zimbra8.8b1
zimbra-openjdk                ->      13.0.1-1zimbra8.8b1
zimbra-openjdk-cacerts        ->      1.0.7-1zimbra8.7b1
zimbra-openssl                ->      1.1.1k-1zimbra8.7b4
zimbra-ldap-components        ->      1.0.12-1zimbra8.8b1
zimbra-postfix                ->      3.6.1-1zimbra8.7b3
zimbra-postfix-logwatch       ->      1.40.03-1zimbra8.7b1
zimbra-clamav                 ->      0.103.2-1zimbra8.8b3
zimbra-perl-mail-spamassassin ->      3.4.5-1zimbra8.8b3
zimbra-spamassassin-rules     ->      1.0.0-1zimbra8.8b4
zimbra-openldap-server        ->      2.4.59-1zimbra8.8b4
zimbra-chat                   ->      3.0.1.1594306000-1

NETWORK:

Package Name                    Version           
zimbra-patch                  ->      8.8.15.1629795088.p25-1
zimbra-mbox-ews-service       ->      8.8.15.1590048861-1
zimbra-drive-ng               ->      3.0.15.1616091166-1
zimbra-network-modules-ng     ->      6.0.26.1625817564-1
zimbra-docs                   ->      3.0.8.1616090809-1
zimbra-connect                ->      1.0.25.1629109359-1
zimbra-zco                    ->      8.8.15.1903.1629120640-1
zimbra-zimlet-auth            ->      1.0.2.1622463729-1

Redhat

Installing Zimbra packages with system package upgrades

  • As root, first clear the yum cache and check for updates so the server sees there is a new zimbra-patch package in the patch repository:
yum clean metadata
yum check-update
  • Then ask yum to update available packages:
yum update
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Installing Zimbra packages individually for NETWORK and FOSS

Upgrade OpenLDAP on LDAP node

  • As root, install the package:
yum install zimbra-ldap-components
  • Restart ldap as zimbra user:
su - zimbra
ldap restart

Install/Upgrade zimbra-proxy-patch on Proxy node

  • As root, install the package:
yum install zimbra-proxy-patch
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart

Install/Upgrade zimbra-proxy-components on Proxy node

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
  • Then install the package:
yum install zimbra-proxy-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart

Install/Upgrade zimbra-mta-components on MTA node

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
  • Then install the package:
yum install zimbra-mta-components
  • If dnscache is installed, upgrade the package before restarting the services:
yum install zimbra-dnscache-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-mta-patch on MTA node

  • As root, install the package:
yum install zimbra-mta-patch
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-patch on mailstore node

  • As root, install the package:
yum install zimbra-patch
  • If apache is installed, upgrade the package before restarting the services:
yum install zimbra-apache-components
  • If spell is installed, upgrade the package before restarting the services:
yum install zimbra-spell-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Installing NG packages (NETWORK Only)

Uninstall zimbra-talk on mailstore node

Starting Zimbra 8.8.15 GA, zimbra-connect replaces zimbra-talk. Hence, it is important to remove zimbra-talk before installing zimbra-connect.

  • As root, uninstall the package zimbra-talk:
yum remove zimbra-talk

Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs and zimbra-drive-ng on mailstore node

yum install zimbra-network-modules-ng
yum install zimbra-connect
yum install zimbra-zimlet-auth
yum install zimbra-docs
yum install zimbra-drive-ng
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Install/Upgrade zimbra-chat for FOSS

  • As root, install the package:
yum install zimbra-chat
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Ubuntu

Installing zimbra packages with system package upgrades

  • As root, check for updates so the server checks there is a new zimbra-patch package in the patch repository:
apt-get update
  • Then update available packages:
apt-get upgrade
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Installing zimbra packages individually for NETWORK and FOSS

Upgrade OpenLDAP on LDAP node

  • As root, install the package:
apt-get install zimbra-ldap-components
  • Restart ldap as zimbra user:
su - zimbra
ldap restart

Install/Upgrade zimbra-proxy-patch on Proxy node

  • As root, install package
apt-get install zimbra-proxy-patch
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart

Install/Upgrade zimbra-proxy-components on Proxy node

  • As root, install package
apt-get install zimbra-proxy-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart

Install/Upgrade zimbra-mta-components on MTA node

  • As root, install package
apt-get install zimbra-mta-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-mta-patch on MTA node

  • As root, install package
apt-get install zimbra-mta-patch
  • If dnscache is installed, upgrade the package before restarting the services:
apt-get install zimbra-dnscache-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-patch on mailstore node

  • As root, check for updates and install package:
apt-get update
apt-get install zimbra-patch
  • If apache is installed, upgrade the package before restarting the services:
apt-get install zimbra-apache-components
  • If spell is installed, upgrade the package before restarting the services:
apt-get install zimbra-spell-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Installing NG packages (NETWORK Only)

Uninstall zimbra-talk on mailstore node

Starting Zimbra 8.8.15 GA, zimbra-connect replaces zimbra-talk. Hence, it is important to remove zimbra-talk before installing zimbra-connect.

  • As root, uninstall the package zimbra-talk:
apt-get remove zimbra-talk

Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs, zimbra-drive-ng on mailstore node

  • As root, check for updates and install packages:
apt-get update
apt-get install zimbra-network-modules-ng
apt-get install zimbra-connect
apt-get install zimbra-zimlet-auth
apt-get install zimbra-docs
apt-get install zimbra-drive-ng
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Install/Upgrade zimbra-chat for FOSS

  • As root, install package:
apt-get install zimbra-chat
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Upgraded 3rd Party Packages

  • OpenSSL and Postfix TLS 1.3 GA Packages

The packages for RHEL7, UBUNTU14, UBUNTU18 are:

Package Name      Version
zimbra-openssl : 1.1.1k-1zimbra8.7b4
zimbra-postfix : 3.6.1-1zimbra8.7b3
zimbra-nginx : 1.20.0-1zimbra8.8b2
zimbra-mariadb : 10.1.25-1zimbra8.7b3
zimbra-heimdal : 1.5.3-1zimbra8.7b3
zimbra-curl : 7.49.1-1zimbra8.7b3
zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2
zimbra-unbound : 1.11.0-1zimbra8.7b2
zimbra-apr-util : 1.6.1-1zimbra8.7b2
zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4
zimbra-net-snmp : 5.8-1zimbra8.7b2
zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3
zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2
zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3
zimbra-openldap : 2.4.59-1zimbra8.8b4
zimbra-opendkim : 2.10.3-1zimbra8.7b5
zimbra-clamav : 0.103.2-1zimbra8.8b3
zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b2
zimbra-perl-net-http : 6.09-1zimbra8.7b3
zimbra-perl-libwww : 6.13-1zimbra8.7b3
zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b3
zimbra-perl-xml-parser : 2.44-1zimbra8.7b3
zimbra-perl-soap-lite : 1.19-1zimbra8.7b3
zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b3
zimbra-perl-xml-simple : 2.25-1zimbra8.7b2
zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3
zimbra-perl-mail-spamassassin : 3.4.5-1zimbra8.8b4
zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b5
zimbra-perl-innotop : 1.9.1-1zimbra8.7b3
zimbra-httpd : 2.4.46-1zimbra8.7b3
zimbra-php : 7.3.25-1zimbra8.7b3
zimbra-postfix-logwatch : 1.40.03-1zimbra8.7b1
zimbra-perl : 1.0.5-1zimbra8.7b1
zimbra-dnscache-components : 1.0.2-1zimbra8.7b1
zimbra-apache-components : 2.0.4-1zimbra8.8b1
zimbra-spell-components : 2.0.4-1zimbra8.8b1
zimbra-snmp-components : 1.0.3-1zimbra8.7b1
zimbra-mta-components : 1.0.14-1zimbra8.8b1
zimbra-core-components : 2.0.11-1zimbra8.8b1
zimbra-proxy-components : 1.0.9-1zimbra8.8b1
zimbra-store-components : 1.0.3-1zimbra8.7b1
zimbra-ldap-components : 1.0.11-1zimbra8.8b1
  • OpenSSL and Postfix TLS 1.3 Packages

The GA packages for RHEL8 are:

Package Name      Version
zimbra-openssl : 1.1.1k-1zimbra8.7b4
zimbra-postfix : 3.6.1-1zimbra8.7b3
zimbra-nginx : 1.20.0-1zimbra8.8b2
zimbra-mariadb : 10.1.25-1zimbra8.7b3
zimbra-heimdal : 1.5.3-1zimbra8.7b3
zimbra-curl : 7.49.1-1zimbra8.7b3
zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2
zimbra-unbound : 1.11.0-1zimbra8.7b2
zimbra-apr-util : 1.6.1-1zimbra8.7b2
zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4
zimbra-net-snmp : 5.8-1zimbra8.7b3
zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3
zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2
zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3
zimbra-openldap : 2.4.59-1zimbra8.8b4
zimbra-opendkim : 2.10.3-1zimbra8.7b5
zimbra-clamav : 0.103.2-1zimbra8.8b3
zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b3
zimbra-perl-net-http : 6.09-1zimbra8.7b4
zimbra-perl-libwww : 6.13-1zimbra8.7b4
zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b4
zimbra-perl-xml-parser : 2.44-1zimbra8.7b4
zimbra-perl-soap-lite : 1.19-1zimbra8.7b4
zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b4
zimbra-perl-xml-simple : 2.25-1zimbra8.7b3
zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3
zimbra-perl-mail-spamassassin : 3.4.5-1zimbra8.8b4
zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b5
zimbra-perl-innotop : 1.9.1-1zimbra8.7b4
zimbra-httpd : 2.4.46-1zimbra8.7b3
zimbra-php : 7.3.25-1zimbra8.7b3
zimbra-perl : 1.0.6-1zimbra8.7b1 
zimbra-dnscache-components : 1.0.2-1zimbra8.7b1
zimbra-apache-components : 2.0.4-1zimbra8.8b1
zimbra-spell-components : 2.0.4-1zimbra8.8b1
zimbra-snmp-components : 1.0.3-1zimbra8.7b1
zimbra-mta-components : 1.0.14-1zimbra8.8b1
zimbra-core-components : 2.0.11-1zimbra8.8b1
zimbra-proxy-components : 1.0.9-1zimbra8.8b1
zimbra-store-components : 1.0.3-1zimbra8.7b1
zimbra-ldap-components : 1.0.11-1zimbra8.8b1

The updated GA packages are:

Package            Old-Version    New-Version
postfix              3.5.6          3.6.1
openssl              1.1.1h         1.1.1k
openldap             2.4.49         2.4.59
nginx                1.19.0          1.20.0
postfix-logwatch     1.40.01        1.40.03
io-socket-ssl	     2.020          2.068
xml-simple           2.20           2.25
crypt-openssl-rsa    0.28           0.31
net-snmp             5.7.3          5.8
dbd-mysql            4.033          4.050
apr-util             1.5.4          1.6.1
unbound              1.5.9          1.11.0
net-ssleay           1.72           1.88
  • Nginx TLS 1.3 Packages

The GA packages for RHEL7, RHEL8, UBUNTU16, UBUNTU18 are:

PackageName                                       Version
zimbra-nginx                               ->     1.20.0-1zimbra8.8b2
zimbra-proxy-components                    ->     1.0.9-1zimbra8.8b1
zimbra-proxy-patch                         ->     8.8.15.1629795088.p25-1

Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build

Jira Summary

Jira Tickets fixed in 8.8.15 Patch 25

ZCS-10848 Update openjdk-cacerts from latest Mozilla certdata.txt
ZCS-10829 "MuteForAll" button has been limited only to moderators
ZCS-10828 Limited "add member" functionality to groups only to moderators.
ZCS-10826 Conversation scroll on new messages fixed
ZCS-10825 Margin at the bottom of a conversation removed
ZCS-10824 Video server command help output improved
ZCS-10823 User can define which folder to exclude form Active Sync
ZCS-10822 New config commands
ZCS-10821 External restore operation now restores shared contacts
ZCS-10820 Skip_domain_provisioning on doExternalRestore operation
ZCS-10819 Add an account restored Completed INFO to doExternalRestore logs
ZCS-10818 Handle not initialized backup on external restore.
ZCS-10780 Add unsubscribe system folder as default folder for mailboxes
ZCOMT-2331 Add option in advanced panel to switch between Zimbra Free Busy and Internet-Free Busy Provider
ZBUG-2400 Patch 25 breaks custom imported certs and authorities in the root ca
ZBUG-2379 Fix for ZBUG-1919 does not work in a Multi-Server setup
ZBUG-2360 Option to restore original WSDL behavior before patch 20.
ZBUG-2167 Content-Transfer-Encoding 8bit causes breakage of S/MIME signature
ZBUG-2026 zimbraCoSId not showing when it's inheriting from domain level
ZBUG-1983 Request to upgrade openldap to 2.4.59
ZBUG-1146 Missing Java Class for zmskindeploy
Jump to: navigation, search