Difference between revisions of "Zimbra Releases/8.8.15/P32"

Line 8: Line 8:
  
 
<br/>
 
<br/>
<div style="padding:1%; color:#ff0000;font-size:19px;" >
+
<div style="padding:1%; color:#008000;font-size:19px;" >
'''NOTICE: Please hold off upgrading at this time'''
+
'''NOTICE: Clear to proceed with patch upgrade'''
  
We have identified issues with this patch under certain conditions. We recommend that customers hold off updating to this patch release at this time. We will update the information here as soon as there is more information available or our recommendation changes. Thank you.
+
As of this time, we have addressed the previously identified issues with the patch release, and recommend customers proceed with this upgrade. As always, we recommend following best practices during patch upgrades (including taking backups of key data and config). We apologize for this unfortunate event.
 
</div>
 
</div>
 
<br/>
 
<br/>
 +
== Zimbra Suite Plus not working for FOSS ==
 +
<div style="padding:1%; color:#f68b1f;font-size:18px;" >
 +
We have identified an issue where upgrading to this patch on FOSS build breaks Zimbra Suite Plus (ZSP). For customers using ZSP, it is recommended not to upgrade to this patch till the issue is fixed.
 +
</div>
 +
 +
</div>
  
 
== Change in upgrade process for  8.8.15 Patch 32==  
 
== Change in upgrade process for  8.8.15 Patch 32==  
 
<div style="padding:1%; color:#f68b1f;font-size:18px;" >
 
<div style="padding:1%; color:#f68b1f;font-size:18px;" >
Please note that the install process has changed. Additional steps to install '''zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs''' packages have been included for this patch release. Please refer to the '''[[#Patch Installation|Patch Installation]]''' section to install the packages in its order.  
+
Please note that the install process has changed. Additional steps to install '''zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs''' packages have been included for this patch release.  
 +
 
 +
We have also introduced a new package '''zimbra-ldap-patch''' to be installed only on the LDAP node.
 +
 
 +
Please refer to the '''[[#Patch Installation|Patch Installation]]''' section to install the packages in its order.  
 
</div>
 
</div>
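Review bot: The green "Clear to proceed with patch upgrade" banner and the added "Zimbra Suite Plus not working for FOSS" section give opposite advice to FOSS customers running ZSP; qualify the banner (for example "clear to proceed, except FOSS deployments using ZSP, see below") so readers who stop at the first notice are not misled. The added block also contributes two closing `</div>` tags for one added opening `<div style=...>`, so the second has no matching opener in the visible lines and should be dropped.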
  
Line 182: Line 192:
 
FOSS:
 
FOSS:
 
  '''PackageName'''                          '''Version'''         
 
  '''PackageName'''                          '''Version'''         
  zimbra-patch                  ->      8.8.15.1655187016.p32-2
+
  zimbra-patch                  ->      8.8.15.1655471268.p32-2
  zimbra-mta-patch              ->      8.8.15.1655303181.p32-1
+
  zimbra-mta-patch              ->      8.8.15.1655471268.p32-1
 
  zimbra-mta-components        ->      1.0.15-1zimbra8.8b1
 
  zimbra-mta-components        ->      1.0.15-1zimbra8.8b1
  zimbra-proxy-patch            ->      8.8.15.1655305713.p32-1
+
  zimbra-proxy-patch            ->      8.8.15.1655471268.p32-1
 
  zimbra-proxy-components      ->      1.0.10-1zimbra8.8b1
 
  zimbra-proxy-components      ->      1.0.10-1zimbra8.8b1
 
  zimbra-php                    ->      7.4.27-1zimbra8.7b3
 
  zimbra-php                    ->      7.4.27-1zimbra8.7b3
Line 192: Line 202:
 
  zimbra-spell-components      ->      2.0.8-1zimbra8.8b1
 
  zimbra-spell-components      ->      2.0.8-1zimbra8.8b1
 
  zimbra-nginx                  ->      1.20.0-1zimbra8.8b3
 
  zimbra-nginx                  ->      1.20.0-1zimbra8.8b3
  zimbra-common-core-jar        ->      8.8.15.1654861618-1
+
zimbra-ldap-patch            ->      8.8.15.1655471268.p32-1
 +
  zimbra-common-core-jar        ->      8.8.15.1655458176-1
 
  zimbra-common-core-libs      ->      8.8.15.1654854265-1
 
  zimbra-common-core-libs      ->      8.8.15.1654854265-1
 
  zimbra-mbox-conf              ->      8.8.15.1568012813-1
 
  zimbra-mbox-conf              ->      8.8.15.1568012813-1
 
  zimbra-mbox-service          ->      8.8.15.1568694943-1
 
  zimbra-mbox-service          ->      8.8.15.1568694943-1
 
  zimbra-mbox-store-libs        ->      8.8.15.1654854265-1
 
  zimbra-mbox-store-libs        ->      8.8.15.1654854265-1
  zimbra-mbox-war              ->      8.8.15.1653048361-1
+
  zimbra-mbox-war              ->      8.8.15.1655458176-1
 
  zimbra-mbox-admin-console-war ->      8.8.15.1653031987-1
 
  zimbra-mbox-admin-console-war ->      8.8.15.1653031987-1
 
  zimbra-mbox-webclient-war    ->      8.8.15.1654769776-1
 
  zimbra-mbox-webclient-war    ->      8.8.15.1654769776-1
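Review bot: The added zimbra-ldap-patch row is shown without the leading indentation that every neighbouring row in this listing carries; if the wikitext really lacks it, the row drops out of the preformatted block and the version column no longer lines up, so indent it like the zimbra-common-core-jar row that follows.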
Line 221: Line 232:
 
NETWORK:                                                       
 
NETWORK:                                                       
 
  '''Package Name'''                    '''Version'''           
 
  '''Package Name'''                    '''Version'''           
  zimbra-patch                  ->      8.8.15.1655023762.p32-1
+
  zimbra-patch                  ->      8.8.15.1655471268.p32-2
 
  zimbra-mbox-ews-service      ->      8.8.15.1654977069-1
 
  zimbra-mbox-ews-service      ->      8.8.15.1654977069-1
 
  zimbra-drive-ng              ->      3.0.16.1637855904-1
 
  zimbra-drive-ng              ->      3.0.16.1637855904-1
Line 348: Line 359:
 
  '''PackageName'''                                      '''Version'''
 
  '''PackageName'''                                      '''Version'''
 
  zimbra-nginx                              ->    1.20.0-1zimbra8.8b2
 
  zimbra-nginx                              ->    1.20.0-1zimbra8.8b2
  zimbra-proxy-patch                        ->    8.8.15.1655305713.p32-1
+
  zimbra-proxy-patch                        ->    8.8.15.1655471268.p32-1
 
  zimbra-proxy-components                    ->    1.0.10-1zimbra8.8b1
 
  zimbra-proxy-components                    ->    1.0.10-1zimbra8.8b1
  
Line 499: Line 510:
 
|style="border: solid #ffffff;vertical-align:middle;"|ZBUG-1335
 
|style="border: solid #ffffff;vertical-align:middle;"|ZBUG-1335
 
|style="border: solid #ffffff;vertical-align:middle;"|log4j-1.2.16.jar is vulnerable reported in CVE-2019-17571
 
|style="border: solid #ffffff;vertical-align:middle;"|log4j-1.2.16.jar is vulnerable reported in CVE-2019-17571
 +
|-
 +
|style="border: solid #ffffff;vertical-align:middle;"|ZBUG-2838
 +
|style="border: solid #ffffff;vertical-align:middle;"|Log4j packages are not being updated to V2 for ldap servers in some instances
 +
|-
 +
|style="border: solid #ffffff;vertical-align:middle;"|ZBUG-2837
 +
|style="border: solid #ffffff;vertical-align:middle;"|zmconfigd failing on ldap node after updating to the latest patch
 +
|-
 +
|style="border: solid #ffffff;vertical-align:middle;"|ZBUG-2835
 +
|style="border: solid #ffffff;vertical-align:middle;"|/var/log/syslog filling after applying the patch 8.8.15 patch 32
 +
|-
 +
|style="border: solid #ffffff;vertical-align:middle;"|ZBUG-2834
 +
|style="border: solid #ffffff;vertical-align:middle;"|No INFO logs while redeploying the Zimlets after updated the ZCS v9.0.0 P25.
 +
|-
 +
|style="border: solid #ffffff;vertical-align:middle;"|ZBUG-2831
 +
|style="border: solid #ffffff;vertical-align:middle;"|SMTP authentication failure with 2FA application passcode
 
|-
 
|-
 
|}
 
|}
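Review bot: The added ZBUG-2834 row describes redeploying Zimlets "after updated the ZCS v9.0.0 P25", which names a different release line from this 8.8.15 Patch 32 page; confirm the entry belongs here and reword it for 8.8.15 P32 ("after updated" should also read "after updating"). The ZBUG-2835 row's "applying the patch 8.8.15 patch 32" repeats a word and can be shortened to "applying 8.8.15 Patch 32".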

Revision as of 19:25, 17 June 2022

Zimbra Collaboration Joule 8.8.15 Patch 32 GA Release

Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation section for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

NOTE: If you are upgrading or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read Things to Know Before Upgrading and First Steps with the Zimbra NG Modules for critical information before you upgrade.


NOTICE: Clear to proceed with patch upgrade

As of this time, we have addressed the previously identified issues with the patch release, and recommend customers proceed with this upgrade. As always, we recommend following best practices during patch upgrades (including taking backups of key data and config). We apologize for this unfortunate event.


Zimbra Suite Plus not working for FOSS

We have identified an issue where upgrading to this patch on FOSS build breaks Zimbra Suite Plus (ZSP). For customers using ZSP, it is recommended not to upgrade to this patch till the issue is fixed.

Change in upgrade process for 8.8.15 Patch 32

Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release.

We have also introduced a new package zimbra-ldap-patch to be installed only on the LDAP node.

Please refer to the Patch Installation section to install the packages in the listed order.


Changes required for SSO setup before patch upgrade

Before upgrade, we need to set the zimbraVirtualHostName parameter for the domains that are using SAML and SSO based login. Please follow the instructions:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname

Security Fixes

| Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Patch Version |
|---|---|---|---|---|
| Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability. | CVE-2022-0778 | 7.5 | Low | 8.8.15 P32 |
| Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage. | CVE-2021-28165 | 7.5 | Low | 8.8.15 P32 |
| Upgraded mina-core to version 2.1.6 | CVE-2019-0231 | 7.5 | Low | 8.8.15 P32 |
| Fixed an issue with Zimbra Classic WebApp where input sanitization was required in displaying attachment data. | TBD | TBD | Medium | 8.8.15 P32 |
  • A vulnerability in RARLAB UnRAR before 6.12 has been identified as CVE-2022-30333, with a score of 7.5 (HIGH). Zimbra has made configuration changes to use the 7zip package instead of unrar. Customers are requested to remove the unrar package (if installed) and use 7zip instead.

What's New

NOTE: Beta features are not supported and should not be installed on production systems. Beta modules have been provided for evaluation in lab environments only.

Rocky Linux 8 Support (Beta)

We are nearing the end of our extensive QA cycle for this major upgrade. Watch for the GA announcement in an upcoming patch release.

Package Upgrade

  • Log4j package has been upgraded to version 2.17.1, which includes fixes for CVE-2021-44228, CVE-2021-45105 and CVE-2019-17571. As communicated in earlier patch releases, Zimbra was not impacted by any of these security issues since Zimbra was using an older version of Log4j. Please refer to the wiki for changes in the logging options.
  • OpenJDK package has been upgraded to version 17.0.2
  • SpamAssassin package has been upgraded to version 3.4.6.
  • ClamAV package has been upgraded to version 0.103.3.
  • OpenSSL has been upgraded to version 1.1.1n.
  • Jetty has been upgraded to version 9.4.46.
  • Mina-core has been upgraded to version 2.1.6

Platform

  • A new attribute zimbra_gal_fallback_ldap_search_enabled has been introduced to control the AutoComplete request being sent to LDAP server. The default value of the attribute is TRUE. If we have a galsync account, the autocomplete request would be served from the galsync account. In case galsync account is not present, the autocomplete requests will be then served from the LDAP server.
  • Support to add a warning for messages arriving from the external domain is now available. Introduced two new localconfig attributes:
    • zimbra_external_email_warning_enabled - Attribute to enable/disable the feature. Default is disabled.
    • zimbra_external_email_warning_message - Attribute holding the message to be displayed for external emails.
  • To promote better password security, a new feature has been introduced to restrict users from using their names in the password when changing or resetting it. The feature is controlled by a local config attribute allow_username_within_password. The default value is true. When set to false, users won't be allowed to specify their username in the password when changing or resetting it.

Fixed Issues

Platform

  • In the previous patch, SameSite cookie support was added to enhance security and protect against increasingly commonplace Cross Site Request Forgery ("CSRF") attacks. The default value of the local config variable zimbra_same_site_cookie was set to Strict. For a few of our customers, under certain conditions, it caused pre-auth and webmail login failures. From this patch onwards, the default value of the local config variable zimbra_same_site_cookie has been set to None.
    • For customers who want to use the SameSite cookie, the following is the guidance:
      • If using Pre-auth for logins or Zimbra proxy in http, https or both modes, and the zimbraPublicServiceHostname attribute is not set, please set it by following the instructions:
        • Check the Zimbra Proxy mode. As a zimbra user, execute these commands:
          • For cos - zmprov gc cos_name zimbraReverseProxyMailMode
          • For server - zmprov gs server_name zimbraReverseProxyMailMode
        • Check if the Public Service hostname is set on global and domain levels:
          • zmprov gcf zimbraPublicServiceHostname
          • zmprov gd domain_name zimbraPublicServiceHostname
        • Set Public Service hostname. Zimbra recommends setting it on the global level:
          • zmprov mcf zimbraPublicServiceHostname webmail_login_domain_name
      • After making the above changes, the local config variable zimbra_same_site_cookie may be reset first to Lax (for testing) and then to Strict to obtain the highest level of protection available. As a zimbra user, you can run the following commands:
        • To set it to Lax:
          • zmlocalconfig -e zimbra_same_site_cookie=Lax
        • To set it to Strict:
          • zmlocalconfig -e zimbra_same_site_cookie=Strict
        • Restart services:
          • zmcontrol restart
  • Zimbra's DNS cache service now supports DNSSEC validation.
  • When generating CSR, the preview appeared blank. The issue has been fixed.
  • When the user shares the root level folder with another user and sets zimbraPrefSharedAddrBookAutoCompleteEnabled to TRUE, autocomplete request failed for sharee. The issue has been fixed.
  • Changes made to the zimbraAmavisOutboundDisclaimersOnly attribute did not take effect after restarting the MTA service. The issue has been fixed.
  • When the user enabled 2FA for his account, it was still possible to bypass it and list the Briefcase contents. The issue has been fixed.
  • If the user has added an external IMAP account and creates or edits a Draft, it was not getting synced to the external account. The issue has been fixed.
  • In a multi-node environment, when a user with "sendAs" delegation rights for a user situated on another node tried to send an XML file as an attachment, the file got corrupted. The issue has been fixed.
  • When using EWS, if the user had a Common Name (CN) and Display Name (DN) set, the CN was always used when sending a meeting request. The issue has been fixed. If DN and CN are set, then DN will be used as the Organizer name. If DN is not set and CN is set, then CN will be used as the Organizer's name.
  • If an account has multiple aliases, they were not getting displayed in autocomplete when composing a message. The issue has been fixed.
  • Corrected the description of zimbraFeatureMailForwardingInFiltersEnabled attribute from enable end-user mail forwarding to enable end-user mail redirecting.
  • The JDK version 13 contains a bug wherein under certain random conditions (depending on load/memory), the JVM may crash. The issue has been fixed by upgrading the JDK to version 17.

Web UX - Classic

  • Fixed a regression bug that prevented SAML SP initiated log out from working correctly.
  • In the previous patch, the default search folder was set to the shared contact folder instead of the Inbox. The issue has been fixed.
  • In the Tasks tab, if the user set *Subject* as the default sort, it was not maintained after visiting other tabs or reloading the UI. The issue has been fixed.
  • Corrected date format for the Portuguese language.

HSM

  • Now the doMailboxMove operation skips non-local accounts to avoid issues caused by running the command on the wrong server.
  • To make the new volume creation experience simpler for the admins, bucket creation has been split from the volume creation commands. Admins can now create a new bucket and then pass its UUID to the volume creation command.

NG Auth

  • Fixed a bug that made the mobile apps able to bypass the Zimbra Network 2FA.

NG Backup

  • To make the external restore operation more reliable and avoid errors, now the mailboxes quota is removed during the restore operation. The quota is set back once the operation completes successfully.
  • Fixed a bug that prevented the doItemSearch command from working properly. Now the command returns the results according to the given filters.

NG Mobile

  • ABQ API has been reworked to fix a bug that prevented the set command from working with devices not already present in the list.
  • A new abq_enabled_at_startup attribute has been added to the configuration so that, to save the server's resources, the ABQ feature is not loaded at server startup when it is not used.

NG Modules

  • Firebase-token-renewer-service has been completely removed.
  • Fixed a bug that prevented the right-click from working properly on contacts and calendars folders using Internet Explorer 11 when com_zextras_client zimlet is enabled.

Zimbra Connect

  • Fixed a bug that caused a room to disappear when moved between the servers.
  • Now using internal mode, the resources are kept after the user closes the call. The result is that the red dot stays on the browser's tab.
  • Fixed an issue where the minichat worked when the user opened it manually, but did not open automatically when the setting to open the minichat for each message was enabled.


Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation section to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With OpenJDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if these encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow the instructions below:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart


Patch Installation

Please refer to the steps below to install 8.8.15 Patch 32 on Redhat and Ubuntu platforms:

Before Installing the Patch, consider the following:

  • Patches are cumulative.
  • A full backup should be performed before any patch is applied. There is no automated roll-back.
  • Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.
  • Only files or Zimlets associated with installed packages will be installed from the patch.
  • Switch to zimbra user before using ZCS CLI commands.
  • Important! You cannot revert to the previous ZCS release after you upgrade to the patch.
  • Important! Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release. Please follow the steps in this section to install the packages in the listed order.

8.8.15 Patch 32 Packages

The package lineup for this release is:

FOSS:

PackageName                          Version         
zimbra-patch                  ->      8.8.15.1655471268.p32-2
zimbra-mta-patch              ->      8.8.15.1655471268.p32-1
zimbra-mta-components         ->      1.0.15-1zimbra8.8b1
zimbra-proxy-patch            ->      8.8.15.1655471268.p32-1
zimbra-proxy-components       ->      1.0.10-1zimbra8.8b1
zimbra-php                    ->      7.4.27-1zimbra8.7b3
zimbra-httpd                  ->      2.4.53-1zimbra8.7b3
zimbra-apache-components      ->      2.0.7-1zimbra8.8b1
zimbra-spell-components       ->      2.0.8-1zimbra8.8b1
zimbra-nginx                  ->      1.20.0-1zimbra8.8b3
zimbra-ldap-patch             ->      8.8.15.1655471268.p32-1
zimbra-common-core-jar        ->      8.8.15.1655458176-1
zimbra-common-core-libs       ->      8.8.15.1654854265-1
zimbra-mbox-conf              ->      8.8.15.1568012813-1
zimbra-mbox-service           ->      8.8.15.1568694943-1
zimbra-mbox-store-libs        ->      8.8.15.1654854265-1
zimbra-mbox-war               ->      8.8.15.1655458176-1
zimbra-mbox-admin-console-war ->      8.8.15.1653031987-1
zimbra-mbox-webclient-war     ->      8.8.15.1654769776-1
zimbra-drive                  ->      1.0.13.1576152256-1
zimbra-timezone-data          ->      2.0.1.1646993388-1
zimbra-openjdk                ->      17.0.2-1zimbra8.8b1
zimbra-openjdk-cacerts        ->      1.0.8-1zimbra8.7b1
zimbra-openssl                ->      1.1.1n-1zimbra8.7b4
zimbra-openldap-lib           ->      2.4.59-1zimbra8.8b5
zimbra-openldap-client        ->      2.4.59-1zimbra8.8b5
zimbra-openldap-server        ->      2.4.59-1zimbra8.8b5
zimbra-ldap-components        ->      1.0.16-1zimbra8.8b1
zimbra-core-components        ->      2.0.16-1zimbra8.8b1
zimbra-postfix                ->      3.6.1-1zimbra8.7b3
zimbra-postfix-logwatch       ->      1.40.03-1zimbra8.7b1
zimbra-clamav                 ->      0.103.3-1zimbra8.8b3
zimbra-perl-mail-spamassassin ->      3.4.6-1zimbra8.8b3
zimbra-spamassassin-rules     ->      1.0.0-1zimbra8.8b5
zimbra-openldap-server        ->      2.4.59-1zimbra8.8b5
zimbra-chat                   ->      3.0.2.1655178187-1
                                                        

NETWORK:

Package Name                    Version           
zimbra-patch                  ->      8.8.15.1655471268.p32-2
zimbra-mbox-ews-service       ->      8.8.15.1654977069-1
zimbra-drive-ng               ->      3.0.16.1637855904-1
zimbra-network-modules-ng     ->      6.0.34.1652960218-1
zimbra-docs                   ->      3.0.8.1616090809-1
zimbra-connect                ->      1.0.29.1635424238-1
zimbra-zco                    ->      8.8.15.1919.1647367453-1
zimbra-zimlet-auth            ->      1.0.4.1652971904-1
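
A post-patch check for the lineup above, as an added example that is not part of Zimbra's release notes or tooling: it compares installed package builds against a subset of the P32 versions listed on this page, so a node still carrying the earlier 8.8.15.1655187016 build of zimbra-patch is flagged even though its version also ends in p32-2. The function names, the sample input and the distro-suffix handling are assumptions.

```shell
#!/bin/sh
# Added example: verify installed Zimbra package builds against the
# 8.8.15 P32 lineup. Function names and sample data are hypothetical.

# Expected builds, copied from the FOSS lineup on this page (subset).
expected_p32() {
    cat <<'EOF'
zimbra-patch 8.8.15.1655471268.p32-2
zimbra-mta-patch 8.8.15.1655471268.p32-1
zimbra-proxy-patch 8.8.15.1655471268.p32-1
zimbra-ldap-patch 8.8.15.1655471268.p32-1
zimbra-common-core-jar 8.8.15.1655458176-1
zimbra-common-core-libs 8.8.15.1654854265-1
zimbra-mbox-store-libs 8.8.15.1654854265-1
zimbra-openssl 1.1.1n-1zimbra8.7b4
zimbra-openjdk 17.0.2-1zimbra8.8b1
EOF
}

# Reads "name version" lines on stdin. On a real node, collect them with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'zimbra-*'    (Redhat)
#   dpkg-query -W -f '${Package} ${Version}\n' 'zimbra-*'        (Ubuntu)
# Assumption: the installed string may carry a distro suffix after the
# listed build (such as ".r7"), so "<expected>." as a prefix is a match.
check_lineup() {
    {
        expected_p32 | sed 's/^/want /'
        sed 's/^/have /'                  # installed list from stdin
    } | awk '
        $1 == "want" { want[$2] = $3; next }
        $1 == "have" && ($2 in want) { have[$2] = $3 }
        END {
            for (p in want) {
                if (!(p in have)) {
                    s = "ABSENT"; v = "-"  # package for a role not on this node
                } else {
                    v = have[p]
                    ok = (v == want[p] || index(v, want[p] ".") == 1)
                    s = ok ? "OK" : "MISMATCH"
                }
                printf "%-24s %-8s installed=%s expected=%s\n", p, s, v, want[p]
            }
        }' | sort
}

# Counts packages with status $1 (OK, ABSENT or MISMATCH); stdin as above.
count_status() {
    check_lineup | awk -v s="$1" '$2 == s { n++ } END { print n + 0 }'
}

# Constructed sample: a mailstore node that still has the first P32 build
# of zimbra-patch (1655187016) and no MTA, proxy or LDAP role.
SAMPLE_INSTALLED='zimbra-patch 8.8.15.1655187016.p32-2.r7
zimbra-common-core-jar 8.8.15.1655458176-1.r7
zimbra-common-core-libs 8.8.15.1654854265-1.r7
zimbra-mbox-store-libs 8.8.15.1654854265-1.r7
zimbra-openssl 1.1.1n-1zimbra8.7b4.el7
zimbra-openjdk 17.0.2-1zimbra8.8b1.el7'

printf '%s\n' "$SAMPLE_INSTALLED" | check_lineup
```

ABSENT is expected for packages whose role is not installed on the node being checked; only MISMATCH rows need follow-up.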

Redhat

Installing Zimbra packages with system package upgrades

  • As root, first clear the yum cache and check for updates so the server sees there is a new zimbra-patch package in the patch repository:
yum clean metadata
yum check-update
  • On mailstore node, install the following packages:
yum install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
  • Then ask yum to update available packages:
yum update
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Installing Zimbra packages individually for NETWORK and FOSS

Upgrade OpenLDAP on LDAP node

  • As root, install the package:
yum install zimbra-ldap-patch
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Install/Upgrade zimbra-proxy-patch on Proxy node

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
yum install zimbra-proxy-patch
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart

Install/Upgrade snmp if it is installed on Proxy node

yum install zimbra-snmp-components
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart

Install/Upgrade zimbra-mta-components on MTA node

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
  • Then install the package:
yum install zimbra-mta-components
  • If dnscache is installed, upgrade the package before restarting the services:
yum install zimbra-dnscache-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-mta-patch on MTA node

  • As root, install the package:
yum install zimbra-mta-patch
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-patch on mailstore node

  • As root, install the package:
yum install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
yum install zimbra-patch
  • If apache is installed, upgrade the package before restarting the services:
yum install zimbra-apache-components
  • If spell is installed, upgrade the package before restarting the services:
yum install zimbra-spell-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Installing NG packages (NETWORK Only)

Uninstall zimbra-talk on mailstore node

Starting with Zimbra 8.8.15 GA, zimbra-connect replaces zimbra-talk. Hence, it is important to remove zimbra-talk before installing zimbra-connect.

  • As root, uninstall the package zimbra-talk:
yum remove zimbra-talk

Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs and zimbra-drive-ng on mailstore node

yum install zimbra-network-modules-ng
yum install zimbra-connect
yum install zimbra-zimlet-auth
yum install zimbra-docs
yum install zimbra-drive-ng
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Install/Upgrade zimbra-chat for FOSS

  • As root, install the package:
yum install zimbra-chat
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Ubuntu

Installing zimbra packages with system package upgrades

  • As root, check for updates so the server sees there is a new zimbra-patch package in the patch repository:
apt-get update
  • On mailstore node, install the following packages:
apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
  • Then update available packages:
apt-get upgrade
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Installing zimbra packages individually for NETWORK and FOSS

Upgrade OpenLDAP on LDAP node

  • As root, install the package:
apt-get install zimbra-ldap-patch
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Install/Upgrade zimbra-proxy-patch on Proxy node

  • As root, install the package:
apt-get install zimbra-proxy-patch
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart

Install/Upgrade snmp if it is installed on Proxy node

apt-get install zimbra-snmp-components
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart

Install/Upgrade zimbra-mta-components on MTA node

  • As root, install the package:
apt-get install zimbra-mta-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-mta-patch on MTA node

  • As root, install the package:
apt-get install zimbra-mta-patch
  • If dnscache is installed, upgrade the package before restarting the services:
apt-get install zimbra-dnscache-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-patch on mailstore node

  • As root, check for updates and install package:
apt-get update
apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
apt-get install zimbra-patch
  • If apache is installed, upgrade the package before restarting the services:
apt-get install zimbra-apache-components
  • If spell is installed, upgrade the package before restarting the services:
apt-get install zimbra-spell-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Installing NG packages (NETWORK Only)

Uninstall zimbra-talk on mailstore node

Starting with Zimbra 8.8.15 GA, zimbra-connect replaces zimbra-talk. Hence, it is important to remove zimbra-talk before installing zimbra-connect.

  • As root, uninstall the package zimbra-talk:
apt-get remove zimbra-talk

Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs, zimbra-drive-ng on mailstore node

  • As root, check for updates and install packages:
apt-get update
apt-get install zimbra-network-modules-ng
apt-get install zimbra-connect
apt-get install zimbra-zimlet-auth
apt-get install zimbra-docs
apt-get install zimbra-drive-ng
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Install/Upgrade zimbra-chat for FOSS

  • As root, install package:
apt-get install zimbra-chat
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Upgraded 3rd Party Packages

  • OpenSSL and Postfix TLS 1.3 GA Packages

The packages for RHEL7, UBUNTU16, UBUNTU18 are:

Package Name      Version
zimbra-openssl : 1.1.1n-1zimbra8.7b4
zimbra-postfix : 3.6.1-1zimbra8.7b3
zimbra-nginx : 1.20.0-1zimbra8.8b2
zimbra-mariadb : 10.1.25-1zimbra8.7b3
zimbra-heimdal : 1.5.3-1zimbra8.7b3
zimbra-curl : 7.49.1-1zimbra8.7b3
zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2
zimbra-unbound : 1.11.0-1zimbra8.7b2
zimbra-apr-util : 1.6.1-1zimbra8.7b2
zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4
zimbra-net-snmp : 5.8-1zimbra8.7b2
zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3
zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2
zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3
zimbra-openldap : 2.4.59-1zimbra8.8b4
zimbra-opendkim : 2.10.3-1zimbra8.7b5
zimbra-clamav : 0.103.2-1zimbra8.8b3
zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b2
zimbra-perl-net-http : 6.09-1zimbra8.7b3
zimbra-perl-libwww : 6.13-1zimbra8.7b3
zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b3
zimbra-perl-xml-parser : 2.44-1zimbra8.7b3
zimbra-perl-soap-lite : 1.19-1zimbra8.7b3
zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b3
zimbra-perl-xml-simple : 2.25-1zimbra8.7b2
zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3
zimbra-perl-mail-spamassassin : 3.4.5-1zimbra8.8b4
zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b5
zimbra-perl-innotop : 1.9.1-1zimbra8.7b3
zimbra-httpd : 2.4.53-1zimbra8.7b3
zimbra-php : 7.4.27-1zimbra8.7b3
zimbra-postfix-logwatch : 1.40.03-1zimbra8.7b1
zimbra-perl : 1.0.5-1zimbra8.7b1
zimbra-dnscache-components : 1.0.2-1zimbra8.7b1
zimbra-apache-components : 2.0.7-1zimbra8.8b1
zimbra-spell-components : 2.0.8-1zimbra8.8b1
zimbra-snmp-components : 1.0.3-1zimbra8.7b1
zimbra-mta-components : 1.0.14-1zimbra8.8b1
zimbra-core-components : 2.0.14-1zimbra8.8b1
zimbra-proxy-components : 1.0.9-1zimbra8.8b1
zimbra-store-components : 1.0.3-1zimbra8.7b1
zimbra-ldap-components : 1.0.14-1zimbra8.8b1

  • OpenSSL and Postfix TLS 1.3 Packages

The GA packages for RHEL8, UBUNTU20 are:

Package Name      Version
zimbra-openssl : 1.1.1n-1zimbra8.7b4
zimbra-postfix : 3.6.1-1zimbra8.7b3
zimbra-nginx : 1.20.0-1zimbra8.8b2
zimbra-mariadb : 10.1.25-1zimbra8.7b3
zimbra-heimdal : 1.5.3-1zimbra8.7b3
zimbra-curl : 7.49.1-1zimbra8.7b3
zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2
zimbra-unbound : 1.11.0-1zimbra8.7b2
zimbra-apr-util : 1.6.1-1zimbra8.7b2
zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4
zimbra-net-snmp : 5.8-1zimbra8.7b3
zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3
zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2
zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3
zimbra-openldap : 2.4.59-1zimbra8.8b4
zimbra-opendkim : 2.10.3-1zimbra8.7b5
zimbra-clamav : 0.103.2-1zimbra8.8b3
zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b3
zimbra-perl-net-http : 6.09-1zimbra8.7b4
zimbra-perl-libwww : 6.13-1zimbra8.7b4
zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b4
zimbra-perl-xml-parser : 2.44-1zimbra8.7b4
zimbra-perl-soap-lite : 1.19-1zimbra8.7b4
zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b4
zimbra-perl-xml-simple : 2.25-1zimbra8.7b3
zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3
zimbra-perl-mail-spamassassin : 3.4.5-1zimbra8.8b4
zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b5
zimbra-perl-innotop : 1.9.1-1zimbra8.7b4
zimbra-httpd : 2.4.53-1zimbra8.7b3
zimbra-php : 7.4.27-1zimbra8.7b3
zimbra-perl : 1.0.6-1zimbra8.7b1 
zimbra-dnscache-components : 1.0.2-1zimbra8.7b1
zimbra-apache-components : 2.0.7-1zimbra8.8b1
zimbra-spell-components : 2.0.9-1zimbra8.8b1
zimbra-snmp-components : 1.0.3-1zimbra8.7b1
zimbra-mta-components : 1.0.14-1zimbra8.8b1
zimbra-core-components : 2.0.14-1zimbra8.8b1
zimbra-proxy-components : 1.0.9-1zimbra8.8b1
zimbra-store-components : 1.0.3-1zimbra8.7b1
zimbra-ldap-components : 1.0.14-1zimbra8.8b1

The updated GA packages are:

Package              Old-Version    New-Version
postfix              3.5.6          3.6.1
openssl              1.1.1l         1.1.1n
openldap             2.4.49         2.4.59
nginx                1.19.0         1.20.0
postfix-logwatch     1.40.01        1.40.03
io-socket-ssl        2.020          2.068
xml-simple           2.20           2.25
crypt-openssl-rsa    0.28           0.31
net-snmp             5.7.3          5.8
dbd-mysql            4.033          4.050
apr-util             1.5.4          1.6.1
unbound              1.5.9          1.11.0
net-ssleay           1.72           1.88
PHP                  7.3.25         7.4.27
httpd                2.4.51         2.4.53

  • Nginx TLS 1.3 Packages

The GA packages for RHEL7, RHEL8, UBUNTU16, UBUNTU18, UBUNTU20 are:

PackageName                                       Version
zimbra-nginx                               ->     1.20.0-1zimbra8.8b2
zimbra-proxy-patch                         ->     8.8.15.1655471268.p32-1
zimbra-proxy-components                    ->     1.0.10-1zimbra8.8b1
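
To confirm that a host actually received the upgraded third-party packages (for example zimbra-openssl 1.1.1n, which ZBUG-2713 ties to CVE-2022-0778), the following added example, which is not part of the Zimbra release notes, compares installed versions against a subset of the RHEL7/UBUNTU16/UBUNTU18 table. The function name, the sample input and the handling of a distribution suffix on installed version strings are assumptions.

```shell
#!/bin/sh
# Expected versions: a subset copied from the RHEL7/UBUNTU16/UBUNTU18 table.
EXPECTED='zimbra-openssl 1.1.1n-1zimbra8.7b4
zimbra-postfix 3.6.1-1zimbra8.7b3
zimbra-nginx 1.20.0-1zimbra8.8b2
zimbra-openldap 2.4.59-1zimbra8.8b4
zimbra-httpd 2.4.53-1zimbra8.7b3
zimbra-php 7.4.27-1zimbra8.7b3'

# check_versions INSTALLED
# INSTALLED holds "package version" lines, for example from
#   dpkg-query -W -f='${Package} ${Version}\n' 'zimbra-*'
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'zimbra-*'
# Prints OK / MISMATCH / MISSING per expected package; returns 0 only if all OK.
check_versions() {
    installed=$1
    rc=0
    while read -r pkg want; do
        [ -n "$pkg" ] || continue
        have=$(printf '%s\n' "$installed" |
               awk -v p="$pkg" '$1 == p { print $2; exit }')
        if [ -z "$have" ]; then
            echo "MISSING  $pkg expected=$want"
            rc=1
            continue
        fi
        # Assumption: the installed string may carry a distro suffix such as
        # ".16.04" or ".el7" after the version listed in the table.
        case $have in
            "$want" | "$want".*) echo "OK       $pkg $have" ;;
            *) echo "MISMATCH $pkg installed=$have expected=$want"; rc=1 ;;
        esac
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample (not real host output): php is still at a pre-patch
# version and zimbra-httpd is not installed.
SAMPLE='zimbra-openssl 1.1.1n-1zimbra8.7b4.16.04
zimbra-postfix 3.6.1-1zimbra8.7b3.16.04
zimbra-nginx 1.20.0-1zimbra8.8b2.16.04
zimbra-openldap 2.4.59-1zimbra8.8b4.16.04
zimbra-php 7.3.25-1zimbra8.7b3.16.04'

check_versions "$SAMPLE" || echo "Host is not at the Patch 32 package levels"
```

On a real host, pass the package manager's output instead of the sample, and extend `EXPECTED` with the remaining rows of the table that matches the platform.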

Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build

Jira Summary

Jira Tickets fixed in 8.8.15 Patch 32

ZCS-11416 Move room fixed
ZCS-11415 Red dot of camera is kept after meetings on internal mode
ZCS-11414 Minichat are not opening on Suite
ZCS-11412 Firebase-token-renewer-service has been completely removed
ZCS-11411 Mailbox move skips non-local accounts
ZCS-11410 Splitted volumes and buckets creation
ZCS-11409 ABQ set commands fixed
ZCS-11408 ABQ disabled at startup
ZCS-11407 Right-click on contact and calendar folders fixed for IE11
ZCS-11405 External restore operation quota override
ZCS-11404 doItemSearch command fixed
ZCS-11403 Zimbra Network 2FA honoured by mobile apps
ZCS-11349 Toggle off direct searches for autocomplete and galsync against Zimbra LDAP
ZCS-11344 Set the default value zimbra_same_site_cookie to Empty
ZCS-11116 Update Java JRE Version
ZCS-11096 Implementation - milter to add a warning message when an email came from outside our organisation
ZCS-10678 Server Side work to Force users not to use username in the password
ZBUG-2807 Attacker got access to user's email.
ZBUG-2781 SAML SP-initiated logout does not work - zimbraWebClientLogoutURL (8.8.15)
ZBUG-2772 [Security] Vulnerability in Unrar leading to Pre-Auth RCE in Zimbra
ZBUG-2762 In Webclient the search bar is set to search in a shared contact folder instead of an inbox folder
ZBUG-2738 Create a hash of the key in Nginx instead of raw value
ZBUG-2734 webmail login not work when proxy set to accept both http and https request.
ZBUG-2732 View mail admin feature no longer working in latest patch ZCS 9 P24
ZBUG-2723 dnscache service does not support DNSSEC validation
ZBUG-2713 Zimbra OpenSSL needs to update to 1.1.1n for CVE-2022-0778
ZBUG-2666 No information for CSR review operation from ZimbraWebAdmin
ZBUG-2633 DoS Zimbra is vulnerable to CVE-2021-28165- Jetty pins when large TLS packet is sent
ZBUG-2627 (JDK-8228811) JVM/mailboxd can crash endlessly with JDK 13.0.1
ZBUG-2588 Autocomplete bug with "/" shares
ZBUG-2583 mina-core-2.0.4.jar is vulnerable; CVE-2019-0231, CVE-2019-0231
ZBUG-2578 CVE-2021-45105
ZBUG-2571 "RCE 0-day exploit vulnerability found in log4j"
ZBUG-2569 Attribute zimbraAmavisOutboundDisclaimersOnly does not work after restarting MTA service
ZBUG-2477 Upgrade ClamAV to latest version 0.103.3
ZBUG-2426 SAML SP-initiated logout does not work - zimbraWebClientLogoutURL
ZBUG-2390 Briefcase content accessible without 2FA
ZBUG-2361 Modified Draft not synced to external imap account
ZBUG-2322 Task not getting sorted
ZBUG-2233 SA Version 3.4.5 issues
ZBUG-2207 Update Java JRE Version
ZBUG-2119 Xml attachment truncated if sent from account with "sendAs" delegation
ZBUG-1975 Portuguese, Date format showing wrong
ZBUG-1860 Wrong encoding of organizer with ios mail client
ZBUG-1838 Auto complete displaying single email address from matching account
ZBUG-1455 zimbraFeatureMailForwardingInFiltersEnabled, Attribute functionality is wrong
ZBUG-1335 log4j-1.2.16.jar is vulnerable reported in CVE-2019-17571
ZBUG-2838 Log4j packages are not being updated to V2 for ldap servers in some instances
ZBUG-2837 zmconfigd failing on ldap node after updating to the latest patch
ZBUG-2835 /var/log/syslog filling after applying the patch 8.8.15 patch 32
ZBUG-2834 No INFO logs while redeploying the Zimlets after updated the ZCS v9.0.0 P25.
ZBUG-2831 SMTP authentication failure with 2FA application passcode