Zimbra Releases/8.8.15/P27

Revision as of 19:42, 25 October 2021 by Dawood Shaikh (talk | contribs) (Created page with "{{WIP}} = Zimbra Collaboration Joule 8.8.15 Patch 27 GA Release = <div class="col-md-9"> Check out the '''Security Fixes''','''What's New...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


Zimbra Collaboration Joule 8.8.15 Patch 27 GA Release

Check out the Security Fixes,What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation section for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

NOTE: If you are upgrading or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read Things to Know Before Upgrading and First Steps with the Zimbra NG Modules for critical information before you upgrade.


Critical Security Fix

This patch contains a critical security fix that affects previous Zimbra 8.8.15 "Joule" patches: Patch-26, Patch-25, Patch-24, Patch-23. We strongly advise that our Partners and Customers immediately upgrade to the latest patch: Zimbra 8.8.15 Patch-27.

To keep your systems secure, Zimbra encourages our Partners and Customers to always keep current with patches. Zimbra releases patch information directly to Partners and Customers via our regular newsletters, website, blog, and social posts, in addition to this wiki.


Security Recommendation

Zimbra would strongly recommend the customer to review whether the Proxy Servlet is configured to allow a particular host (via zimbraProxyAllowedDomains configuration setting on each class of services), please make sure each entry in zimbraProxyAllowedDomains should be a safe and trusted host, there should NOT be any wild card entries like *.webex.com instead use specific host example.webex.com.

Any entry in zimbraProxyAllowedDomains resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly. So we urge our customers to review this configuration setting to ensure that there are no vulnerabilities are introduced.


Security Fixes

Summary CVE-ID CVSS Score Zimbra Rating Fix Patch Version
Upgraded OpenSSL to 1.1.1l to avoid multiple vulnerabilities. CVE-2021-3711 CVE-2021-3712 9.8 Critical 8.8.15 P27

What's New

NOTE: Beta features are not supported and should not be installed on production systems. Beta modules have been provided for evaluation in lab environments only.


Ubuntu 20 Support (Beta)

We are nearing the end of our extensive QA cycle for this major upgrade. Watch for the GA announcement in an upcoming patch release.


Package Upgrade


  • Openldap has been upgraded from 1.1.1k to 1.1.1l.


Fixed Issues

Web UX - Classic

  • In Classic Web App, when the user tries to set up a weekly recurring appointment by visiting Repeat -> Custom and selects a Day from the dropdown, then revisits the Day dropdown and change the day, then the previous selection was not removed and the checkmark from the previous selection was not removed. The issue has been fixed.
  • When creating an appointment, clicking "Show Equipment" displays the Equipment field. If the user closes the tab, opens it again and clicks on "Show Equipment", the Equipment field was not displayed. Clicking "Show Equipment" for the second time displays the Equipment field. The issue has been fixed.

ZCO

  • When *zimbraMtaMaxMessageSize* was set to zero, ZCO users were not able to send emails. The issue has been fixed.
  • When using mixed ZCO profiles (Exchange and Zimbra), sending an email with an attachment resulted in an error. The issue has been fixed.

NG General

  • *getNotification* core command now supports json output when using *--json* option in the command.
  • Fixed a couple of issues that prevented the mail items to be properly purged in case of centralized volumes and the Drive items to be always purged.

Zimbra Connect

  • Fixed an unexpected behavior that prevented the emoji panel to close when it is opened and a file is dropped in a conversation with the purpose of sending it.
  • Notifications of new meetings have been removed on participating in a meeting from an external tab.
  • Minichat configuration now differentiates the conversations to be displayed. Users can now decide whether to show mini chats or not based on the chat as the configuration differentiates between one-to-one chats, groups and spaces.
  • Fixed *UsersCleanup* command to properly remove deleted users' data from all conversations participants list.
  • Minichats no more open for system messages in conversations such as: Meeting started, Meeting ended, Someone joins the conversation, Someone lefts the conversation, Someone has changed the topic, title, avatar of conversation
  • Now "videoserver" is displayed instead of "video server" in the example of command help "zxsuite team video-server add" or "zxsuite team video-server remove".
  • Fixed the height for bubble messages during meetings in the Safari browser.
  • Fixed a bug that prevented the inserted text from showing in the one-to-one chat textbox on searching for the contact to add.


Known Issues

Platform

  • The /opt/zimbra/.saveconfig directory permissions are not updated correctly by zmfixperms command. Due to this, upgrading zimbra-openjdk-cacerts package fails.

Workaround:- Before upgrading the package, change the permissions of /opt/zimbra/.saveconfig directory manually by executing the command chown zimbra:zimbra /opt/zimbra/.saveconfig/.


Patch Installation

Please refer to the steps below to install 8.8.15 Patch 27 on Redhat and Ubuntu platforms:

Before Installing the Patch, consider the following:

  • Patches are cumulative.
  • A full backup should be performed before any patch is applied. There is no automated roll-back.
  • Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.
  • Only files or Zimlets associated with installed packages will be installed from the patch.
  • Switch to zimbra user before using ZCS CLI commands.
  • Important! You cannot revert to the previous ZCS release after you upgrade to the patch.

8.8.15 Patch 27 Packages

The package lineup for this release is:

FOSS:

PackageName                     Version
zimbra-patch                  ->      8.8.15.1634924656.p27-2
zimbra-mta-patch              ->      8.8.15.1634924656.p27-1
zimbra-mta-components         ->      1.0.14-1zimbra8.8b1
zimbra-proxy-patch            ->      8.8.15.1634196512.p27-1
zimbra-proxy-components       ->      1.0.9-1zimbra8.8b1
zimbra-nginx                  ->      1.20.0-1zimbra8.8b2
zimbra-common-core-jar        ->      8.8.15.1634917408-1
zimbra-common-core-libs       ->      8.8.15.1623913824-1
zimbra-mbox-conf              ->      8.8.15.1568012813-1
zimbra-mbox-service           ->      8.8.15.1568694943-1
zimbra-mbox-store-libs        ->      8.8.15.1626439528-1
zimbra-mbox-war               ->      8.8.15.1618222785-1
zimbra-mbox-admin-console-war ->      8.8.15.1624007059-1
zimbra-mbox-webclient-war     ->      8.8.15.1634208998-1
zimbra-drive                  ->      1.0.13.1576152256-1
zimbra-core-components        ->      2.0.14-1zimbra8.8b1
zimbra-openjdk                ->      13.0.1-1zimbra8.8b1
zimbra-openjdk-cacerts        ->      1.0.8-1zimbra8.7b1
zimbra-openssl                ->      1.1.1l-1zimbra8.7b4
zimbra-openldap-lib           ->      2.4.59-1zimbra8.8b5
zimbra-openldap-client	      ->      2.4.59-1zimbra8.8b5
zimbra-openldap-server        ->      2.4.59-1zimbra8.8b4
zimbra-ldap-components        ->      1.0.14-1zimbra8.8b1
zimbra-core-components        ->      2.0.14-1zimbra8.8b1
zimbra-postfix                ->      3.6.1-1zimbra8.7b3
zimbra-postfix-logwatch       ->      1.40.03-1zimbra8.7b1
zimbra-clamav                 ->      0.103.2-1zimbra8.8b3
zimbra-perl-mail-spamassassin ->      3.4.5-1zimbra8.8b3
zimbra-spamassassin-rules     ->      1.0.0-1zimbra8.8b4
zimbra-openldap-server        ->      2.4.59-1zimbra8.8b5
zimbra-chat                   ->      3.0.1.1594306000-1
                                                        

NETWORK:

Package Name                    Version           
zimbra-patch                  ->      8.8.15.1634924656.p27-1
zimbra-mbox-ews-service       ->      8.8.15.1590048861-1
zimbra-drive-ng               ->      3.0.15.1616091166-1
zimbra-network-modules-ng     ->      6.0.28.1630655972-1
zimbra-docs                   ->      3.0.8.1616090809-1
zimbra-connect                ->      1.0.27.1632228204-1
zimbra-zco                    ->      8.8.15.1907.1634723247-1
zimbra-zimlet-auth            ->      1.0.2.1622463729-1

Redhat

Installing Zimbra packages with system package upgrades

  • As root, first clear the yum cache and check for updates so the server sees there is a new zimbra-patch package in the patch repository:
yum clean metadata
yum check-update
  • Then ask yum to update available packages:
yum update
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Installing Zimbra packages individually for NETWORK and FOSS

Upgrade OpenLDAP on LDAP node

  • As root, install the package:
yum install zimbra-ldap-components
  • Restart ldap as zimbra user:
su - zimbra
ldap restart

Install/Upgrade zimbra-proxy-patch on Proxy node

  • As root, install the package:
yum install zimbra-proxy-patch
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart

Install/Upgrade zimbra-proxy-components on Proxy node

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
  • Then install the package:
yum install zimbra-proxy-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart

Install/Upgrade zimbra-mta-components on MTA node

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
  • Then install the package:
yum install zimbra-mta-components
  • If dnscache is installed, upgrade the package before restarting the services:
yum install zimbra-dnscache-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-mta-patch on MTA node

  • As root, install the package:
yum install zimbra-mta-patch
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-patch on mailstore node

  • As root, install the package:
yum install zimbra-patch
  • If apache is installed, upgrade the package before restarting the services:
yum install zimbra-apache-components
  • If spell is installed, upgrade the package before restarting the services:
yum install zimbra-spell-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Installing NG packages (NETWORK Only)

Uninstall zimbra-talk on mailstore node

Starting Zimbra 8.8.15 GA, zimbra-connect replaces zimbra-talk. Hence, it is important to remove zimbra-talk before installing zimbra-connect.

  • As root, uninstall the package zimbra-talk:
yum remove zimbra-talk

Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs and zimbra-drive-ng on mailstore node

yum install zimbra-network-modules-ng
yum install zimbra-connect
yum install zimbra-zimlet-auth
yum install zimbra-docs
yum install zimbra-drive-ng
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Install/Upgrade zimbra-chat for FOSS

  • As root, install the package:
yum install zimbra-chat
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Ubuntu

Installing zimbra packages with system package upgrades

  • As root, check for updates so the server checks there is a new zimbra-patch package in the patch repository:
apt-get update
  • Then update available packages:
apt-get upgrade
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Installing zimbra packages individually for NETWORK and FOSS

Upgrade OpenLDAP on LDAP node

  • As root, install the package:
apt-get install zimbra-ldap-components
  • Restart ldap as zimbra user:
su - zimbra
ldap restart

Install/Upgrade zimbra-proxy-patch on Proxy node

  • As root, install package
apt-get install zimbra-proxy-patch
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart

Install/Upgrade zimbra-proxy-components on Proxy node

  • As root, install package
apt-get install zimbra-proxy-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart

Install/Upgrade zimbra-mta-components on MTA node

  • As root, install package
apt-get install zimbra-mta-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-mta-patch on MTA node

  • As root, install package
apt-get install zimbra-mta-patch
  • If dnscache is installed, upgrade the package before restarting the services:
apt-get install zimbra-dnscache-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-patch on mailstore node

  • As root, check for updates and install package:
apt-get update
apt-get install zimbra-patch
  • If apache is installed, upgrade the package before restarting the services:
apt-get install zimbra-apache-components
  • If spell is installed, upgrade the package before restarting the services:
apt-get install zimbra-spell-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Installing NG packages (NETWORK Only)

Uninstall zimbra-talk on mailstore node

Starting Zimbra 8.8.15 GA, zimbra-connect replaces zimbra-talk. Hence, it is important to remove zimbra-talk before installing zimbra-connect.

  • As root, uninstall the package zimbra-talk:
apt-get remove zimbra-talk

Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs, zimbra-drive-ng on mailstore node

  • As root, check for updates and install packages:
apt-get update
apt-get install zimbra-network-modules-ng
apt-get install zimbra-connect
apt-get install zimbra-zimlet-auth
apt-get install zimbra-docs
apt-get install zimbra-drive-ng
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Install/Upgrade zimbra-chat for FOSS

  • As root, install package:
apt-get install zimbra-chat
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Upgraded 3rd Party Packages

  • OpenSSL and Postfix TLS 1.3 GA Packages

The packages for RHEL6, RHEL7, UBUNTU14, UBUNTU16, UBUNTU18 are:

Package Name      Version
zimbra-openssl : 1.1.1l-1zimbra8.7b4
zimbra-postfix : 3.6.1-1zimbra8.7b3
zimbra-nginx : 1.20.0-1zimbra8.8b2
zimbra-mariadb : 10.1.25-1zimbra8.7b3
zimbra-heimdal : 1.5.3-1zimbra8.7b3
zimbra-curl : 7.49.1-1zimbra8.7b3
zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2
zimbra-unbound : 1.11.0-1zimbra8.7b2
zimbra-apr-util : 1.6.1-1zimbra8.7b2
zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4
zimbra-net-snmp : 5.8-1zimbra8.7b2
zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3
zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2
zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3
zimbra-openldap : 2.4.59-1zimbra8.8b4
zimbra-opendkim : 2.10.3-1zimbra8.7b5
zimbra-clamav : 0.103.2-1zimbra8.8b3
zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b2
zimbra-perl-net-http : 6.09-1zimbra8.7b3
zimbra-perl-libwww : 6.13-1zimbra8.7b3
zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b3
zimbra-perl-xml-parser : 2.44-1zimbra8.7b3
zimbra-perl-soap-lite : 1.19-1zimbra8.7b3
zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b3
zimbra-perl-xml-simple : 2.25-1zimbra8.7b2
zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3
zimbra-perl-mail-spamassassin : 3.4.5-1zimbra8.8b4
zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b5
zimbra-perl-innotop : 1.9.1-1zimbra8.7b3
zimbra-httpd : 2.4.46-1zimbra8.7b3
zimbra-php : 7.3.25-1zimbra8.7b3
zimbra-postfix-logwatch : 1.40.03-1zimbra8.7b1
zimbra-perl : 1.0.5-1zimbra8.7b1
zimbra-dnscache-components : 1.0.2-1zimbra8.7b1
zimbra-apache-components : 2.0.4-1zimbra8.8b1
zimbra-spell-components : 2.0.4-1zimbra8.8b1
zimbra-snmp-components : 1.0.3-1zimbra8.7b1
zimbra-mta-components : 1.0.14-1zimbra8.8b1
zimbra-core-components : 2.0.14-1zimbra8.8b1
zimbra-proxy-components : 1.0.9-1zimbra8.8b1
zimbra-store-components : 1.0.3-1zimbra8.7b1
zimbra-ldap-components : 1.0.14-1zimbra8.8b1
  • OpenSSL and Postfix TLS 1.3 Packages

The GA packages for RHEL8 are:

Package Name      Version
zimbra-openssl : 1.1.1l-1zimbra8.7b4
zimbra-postfix : 3.6.1-1zimbra8.7b3
zimbra-nginx : 1.20.0-1zimbra8.8b2
zimbra-mariadb : 10.1.25-1zimbra8.7b3
zimbra-heimdal : 1.5.3-1zimbra8.7b3
zimbra-curl : 7.49.1-1zimbra8.7b3
zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2
zimbra-unbound : 1.11.0-1zimbra8.7b2
zimbra-apr-util : 1.6.1-1zimbra8.7b2
zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4
zimbra-net-snmp : 5.8-1zimbra8.7b3
zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3
zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2
zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3
zimbra-openldap : 2.4.59-1zimbra8.8b4
zimbra-opendkim : 2.10.3-1zimbra8.7b5
zimbra-clamav : 0.103.2-1zimbra8.8b3
zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b3
zimbra-perl-net-http : 6.09-1zimbra8.7b4
zimbra-perl-libwww : 6.13-1zimbra8.7b4
zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b4
zimbra-perl-xml-parser : 2.44-1zimbra8.7b4
zimbra-perl-soap-lite : 1.19-1zimbra8.7b4
zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b4
zimbra-perl-xml-simple : 2.25-1zimbra8.7b3
zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3
zimbra-perl-mail-spamassassin : 3.4.5-1zimbra8.8b4
zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b5
zimbra-perl-innotop : 1.9.1-1zimbra8.7b4
zimbra-httpd : 2.4.46-1zimbra8.7b3
zimbra-php : 7.3.25-1zimbra8.7b3
zimbra-perl : 1.0.6-1zimbra8.7b1 
zimbra-dnscache-components : 1.0.2-1zimbra8.7b1
zimbra-apache-components : 2.0.4-1zimbra8.8b1
zimbra-spell-components : 2.0.4-1zimbra8.8b1
zimbra-snmp-components : 1.0.3-1zimbra8.7b1
zimbra-mta-components : 1.0.14-1zimbra8.8b1
zimbra-core-components : 2.0.14-1zimbra8.8b1
zimbra-proxy-components : 1.0.9-1zimbra8.8b1
zimbra-store-components : 1.0.3-1zimbra8.7b1
zimbra-ldap-components : 1.0.14-1zimbra8.8b1

The updated GA packages are:

Package            Old-Version    New-Version
postfix              3.5.6          3.6.1
openssl              1.1.1k         1.1.1l
openldap             2.4.49         2.4.59
nginx                1.19.0          1.20.0
postfix-logwatch     1.40.01        1.40.03
io-socket-ssl	     2.020          2.068
xml-simple           2.20           2.25
crypt-openssl-rsa    0.28           0.31
net-snmp             5.7.3          5.8
dbd-mysql            4.033          4.050
apr-util             1.5.4          1.6.1
unbound              1.5.9          1.11.0
net-ssleay           1.72           1.88
  • Nginx TLS 1.3 Packages

The GA packages for RHEL6, RHEL7, RHEL8, UBUNTU14, UBUNTU16, UBUNTU18 are:

PackageName                                       Version
zimbra-nginx                               ->     1.20.0-1zimbra8.8b2
zimbra-proxy-patch                         ->     8.8.15.1634196512.p27-1
zimbra-proxy-components                    ->     1.0.9-1zimbra8.8b1

Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build

Jira Summary

Jira Tickets fixed in 8.8.15 Patch 27

ZCS-10992 Hide Emoji panel on dropping file
ZCS-10991 Remove new meeting notification on meeting external tab
ZCS-10990 Minichat configuration now differentiates the conversations to show
ZCS-10987 Fixed UsersCleanup command to correctly remove deleted users' data from participants listof all conversations
ZCS-10984 Avoid opening the minichat when a system message arrives
ZCS-10983 Fixed video-server string on command help
ZCS-10982 Fix bubble messages on meeting conversation for Safari
ZCS-10980 Input textbox on creating one to one chats fixed
ZCS-10978 getNotification core command doesn’t support --json output
ZCS-10974 Store purge operation bugs fixed
ZCS-10917 Checkmark in custom weekly repeat does not work on Classic UI
ZCS-10909 Show Equipment does not work sometimes
ZBUG-2434 If the zimbraMtaMaxMessageSize is set 0 and it is Stop sending email after upgrade ZCO 9.0.0.1903
ZBUG-2389 OpenSSL 1.1.1k is vulnerable and needs to be upgraded to 1.1.1l version
ZBUG-2357 [ZCO]+Exchange profile: Error when send attacments.
Jump to: navigation, search