Difference between revisions of "Zimbra Releases/8.8.15/P33"


Revision as of 18:25, 28 July 2022

Zimbra Collaboration Joule 8.8.15 Patch 33 GA Release

Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation section for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

NOTE: If you are upgrading or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read Things to Know Before Upgrading and First Steps with the Zimbra NG Modules for critical information before you upgrade.

Change in upgrade process for 8.8.15 Patch 33

Please note that the install process has changed. Additional steps to install the zimbra-common-core-jar, zimbra-common-core-libs, and zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation section to install the packages in the correct order.

Changes required for SSO setup before patch upgrade

Before upgrading, set the zimbraVirtualHostName parameter for the domains that use SAML- and SSO-based login. Please follow these instructions:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname

Security Fixes

Summary | CVE-ID | CVSS Score | Zimbra Rating
Upgraded OpenSSL to 1.1.1q to avoid multiple vulnerabilities | CVE-2022-2068 | 9.8 | Low
RXSS on '/h/search' via title parameter | TBD | TBD | Low
RXSS on '/h/search' via onload parameter | TBD | TBD | Medium
RXSS on '/h/search' via extra parameter | TBD | TBD | Medium
Authentication Bypass in MailboxImportServlet | TBD | TBD | Medium
Proxy Servlet SSRF Vulnerability | TBD | TBD | Low
Cyrus SASL package has been upgraded to version 2.1.28 | CVE-2022-24407 | 8.8 | Low
When using preauth, CSRF tokens are not checked on some post endpoints | TBD | TBD | Medium


What's New


Zimbra 8.8.15 is now fully supported on Rocky Linux 8 (GA)

Download the latest Rocky Linux 8 binaries from https://www.zimbra.com/downloads


Package Upgrade

  • OpenSSL has been upgraded to version 1.1.1q
  • Cyrus SASL package has been upgraded to version 2.1.28

Zimbra Web Client (ZWC)

  • In the previous patch release, a local config attribute allow_username_within_password was introduced to restrict users from using their username in the password in Modern Web App. With this patch release, the feature is available for Classic Web App. It restricts users from using their names when resetting or changing the password.


Zimbra Connector for Outlook

  • ZCO is now supported on the Windows 11 platform.
  • Stale auto-complete cache is now automatically detected when sync occurs, and the user is now prompted with a Yes/No dialog to automatically clear the stale cache when YES is chosen.
  • Users could not schedule a meeting through MS Teams when clicking the "New Teams Meeting" option. The issue has been fixed.


Fixed Issues

Zimbra Collaboration

  • Updated XML declaration to EWS response for clients to consume.
  • Spamassassin's zmsaupdate script has been updated to remove the --allowplugins option.
  • In the previous patch, a feature was introduced to add an external message warning banner when receiving emails from external domains. In certain scenarios, it caused high CPU usage. The issue has been fixed.
  • On Ubuntu 20 OS, restarting the zmmailboxdctl service printed a harmless error on the console. The issue has been fixed.
  • Due to log4j changes in the previous patch, on a Multi-node environment, the /var/log/messages file was continuously getting updated with INFO logs. The issue has been fixed and the default log level is set to ERROR now.
  • Due to log4j changes in the previous patch, the Syslog submission was enabled by default which was updating the /var/log/syslog file continuously. The issue has been fixed and Syslog submission has been disabled.
  • In a multi-node environment, if the user has 2FA enabled and set up and selects "Trust this computer" on the login screen, the setting did not persist and the user was asked to enter the OTP. The issue has been fixed.


Zimbra Web Client (ZWC)

  • Intermittently, the root folder was getting shared when the user shared a particular folder from Classic Web App. The issue has been fixed.
  • If the user has multiple calendars and when viewing the Calendar tab in the day view, double-clicking on the non-default calendar to create an event selects the default calendar. The issue has been fixed.


Zimbra Connector for Outlook

  • When the user tries to send an email through a shared email folder having SendAs right, an error was encountered. The issue has been fixed.


NG Auth

  • Password change will no longer be considered when using application credentials or QR code-based authentication for the apps.


NG Backup

  • Fixed a bug that prevented the S3 backup volume from being updated.
  • Improved the error handling when running a purge and the ZxBackup_DataRetentionDays attribute has an invalid value.
  • A new attribute backupSkipDLAndDynamicGroups has been added so it is now possible to skip the backup for distribution lists and dynamic groups in order to improve backup time.
  • Fixed a bug that caused the metadata of the accounts to be wrongly uploaded to the bucket’s root folder. Now the metadata files are properly uploaded to the accounts folder.


NG HSM

  • Fixed a bug that prevented the S3 backup volume from being updated.
  • Fixed a bug that prevented blobs from being purged from a centralized volume when moving a mailbox from a server with that centralized volume configured to another server that doesn't have it.


Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation section to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Joule-Patch-32 onwards, customers using SSO will need to update the zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if these encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow the instructions below:

1. In the [libdefaults] section of /opt/zimbra/jetty_base/etc/krb5.ini.in, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart
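
Because the workaround above re-enables 3DES and RC4, it is worth auditing afterwards which nodes still carry it. The following is an added example, not Zimbra's own tooling: audit_krb5 and write_sample_krb5 are hypothetical names, the *_enctypes keys are standard krb5.conf settings that this page does not mention, and the list of accepted "true" spellings is an assumption.

```shell
#!/bin/sh
# Report weak Kerberos settings in the [libdefaults] section of a krb5 file.
# Prints one line per finding; returns 1 if anything weak is found, else 0.
audit_krb5() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # section header, e.g. [libdefaults]
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*/, "", section)
            next
        }
        section != "libdefaults" || index($0, "=") == 0 { next }
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = tolower(substr($0, eq + 1))
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Assumption: these spellings are all treated as "enabled".
            if (key == "allow_weak_crypto" && val ~ /^(true|yes|y|t|1|on)$/) {
                print "WEAK allow_weak_crypto = " val; found = 1
            }
            if (key ~ /^(default_tkt|default_tgs|permitted)_enctypes$/) {
                n = split(val, tok, /[ \t,]+/)
                for (i = 1; i <= n; i++)
                    if (tok[i] ~ /^(rc4|arcfour|des3)/) {
                        print "WEAK " key " includes " tok[i]; found = 1
                    }
            }
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed sample (not taken from a real server): the workaround is on in
# [libdefaults]; the setting under [realms] must be ignored by the audit.
write_sample_krb5() {
cat > "$1" <<'EOF'
# constructed sample configuration
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
    allow_weak_crypto = false
EOF
}

sample=$(mktemp)
write_sample_krb5 "$sample"
audit_krb5 "$sample" || echo "weak Kerberos crypto is enabled in the sample"
rm -f "$sample"
# On a mailstore: audit_krb5 /opt/zimbra/jetty_base/etc/krb5.ini.in
```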


Patch Installation

Please refer to the steps below to install 8.8.15 Patch 33 on Redhat and Ubuntu platforms:

Before Installing the Patch, consider the following:

  • Patches are cumulative.
  • A full backup should be performed before any patch is applied. There is no automated roll-back.
  • Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.
  • Only files or Zimlets associated with installed packages will be installed from the patch.
  • Switch to zimbra user before using ZCS CLI commands.
  • Important! You cannot revert to the previous ZCS release after you upgrade to the patch.
  • Important! Please note that the install process has changed. Additional steps to install the zimbra-common-core-jar, zimbra-common-core-libs, and zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation section to install the packages in the correct order.

8.8.15 Patch 33 Packages

The package lineup for this release is:

FOSS:

Package Name			           	Version
zimbra-patch				->	8.8.15.1658841204.p33-2
zimbra-mta-patch			->	8.8.15.1658841204.p33-1
zimbra-mta-components			->	1.0.15-1zimbra8.8b1
zimbra-proxy-patch			-> 	8.8.15.1658841204.p33-1
zimbra-proxy-components			->	1.0.10-1zimbra8.8b1
zimbra-php				->	7.4.27-1zimbra8.7b3
zimbra-httpd				->	2.4.53-1zimbra8.7b3
zimbra-apache-components		->	2.0.7-1zimbra8.8b1
zimbra-spell-components			->	2.0.8-1zimbra8.8b1
zimbra-nginx				->	1.20.0-1zimbra8.8b3
zimbra-common-core-jar			->	8.8.15.1658837424-1
zimbra-common-core-libs			->	8.8.15.1654854265-1
zimbra-mbox-conf			->	8.8.15.1568012813-1
zimbra-mbox-service			->	8.8.15.1568694943-1
zimbra-mbox-store-libs			->	8.8.15.1654854265-1
zimbra-mbox-war				->	8.8.15.1655458176-1
zimbra-mbox-admin-console-war	        ->	8.8.15.1653031987-1
zimbra-mbox-webclient-war		->	8.8.15.1658466576-1
zimbra-drive				->	1.0.13.1576152256-1
zimbra-timezone-data			->	2.0.1.1646993388-1
zimbra-openjdk				->	17.0.2-1zimbra8.8b1
zimbra-openjdk-cacerts			->	1.0.8-1zimbra8.7b1
zimbra-openssl				->	1.1.1q-1zimbra8.7b4
zimbra-cyrus-sasl			->	2.1.28-1zimbra8.7b3
zimbra-openldap-lib			->	2.4.59-1zimbra8.8b5
zimbra-openldap-client			->	2.4.59-1zimbra8.8b5
zimbra-openldap-server			->	2.4.59-1zimbra8.8b5
zimbra-ldap-components			->	1.0.18-1zimbra8.8b1
zimbra-core-components			->	2.0.18-1zimbra8.8b1
zimbra-postfix				->	3.6.1-1zimbra8.7b3
zimbra-postfix-logwatch			->	1.40.03-1zimbra8.7b1
zimbra-clamav				->	0.103.3-1zimbra8.8b3
zimbra-perl-mail-spamassassin	        ->	3.4.6-1zimbra8.8b3
zimbra-spamassassin-rules		->	1.0.0-1zimbra8.8b5
zimbra-openldap-server			->	2.4.59-1zimbra8.8b5
zimbra-chat				->	3.0.2.1655178187-1

NETWORK:

Package Name			           	Version
zimbra-patch				->	8.8.15.1658841204.p33-1
zimbra-mbox-ews-service			->	8.8.15.1657194582-1
zimbra-drive-ng				->	3.0.16.1637855904-1
zimbra-network-modules-ng		->	6.0.35.1657211057-1
zimbra-docs				->	3.0.8.1616090809-1
zimbra-connect				->	1.0.29.1635424238-1
zimbra-zco				->	8.8.15.1922.1658473938-1
zimbra-zimlet-auth			->	1.0.4.1652971904-1
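
To confirm after patching that a node really carries the security-relevant versions from the lineup above, the installed packages can be compared against it. This is an added example, not part of the Zimbra release notes: the function names are hypothetical, the expected versions are copied from the FOSS list on this page, and accepting a dot-separated platform suffix after the listed version is an assumption about how builds are tagged.

```shell
#!/bin/sh
# Expected versions, copied from the FOSS package list on this page.
expected_versions() {
cat <<'EOF'
zimbra-openssl 1.1.1q-1zimbra8.7b4
zimbra-cyrus-sasl 2.1.28-1zimbra8.7b3
zimbra-common-core-jar 8.8.15.1658837424-1
zimbra-common-core-libs 8.8.15.1654854265-1
zimbra-mbox-store-libs 8.8.15.1654854265-1
EOF
}

# Print "name version" for each installed zimbra-* package (dpkg or RPM host).
installed_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' 'zimbra-*'
    else
        rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'zimbra-*'
    fi
}

# Read an inventory ("name version" per line) on stdin, print one status line
# per expected package, and return the number of missing or mismatched ones.
# Assumption: a build may append ".<platform tag>" to the listed version.
check_versions() {
    inventory=$(cat)
    problems=0
    while read -r name want; do
        have=$(printf '%s\n' "$inventory" |
               awk -v n="$name" '$1 == n { print $2; exit }')
        case "$have" in
            "")                echo "MISSING  $name (want $want)"
                               problems=$((problems + 1)) ;;
            "$want"|"$want".*) echo "OK       $name $have" ;;
            *)                 echo "MISMATCH $name have $have, want $want"
                               problems=$((problems + 1)) ;;
        esac
    done <<EOF
$(expected_versions)
EOF
    return "$problems"
}

# Constructed sample inventory (not real output): an older OpenSSL build is
# still installed and zimbra-mbox-store-libs is absent.
sample_inventory() {
cat <<'EOF'
zimbra-openssl 1.1.1n-1zimbra8.7b4.r8
zimbra-cyrus-sasl 2.1.28-1zimbra8.7b3.r8
zimbra-common-core-jar 8.8.15.1658837424-1.r8
zimbra-common-core-libs 8.8.15.1654854265-1.r8
EOF
}

sample_inventory | check_versions || echo "sample: $? package(s) need attention"
# On a patched node: installed_versions | check_versions
```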

Redhat

Installing Zimbra packages with system package upgrades

  • As root, first clear the yum cache and check for updates so the server sees there is a new zimbra-patch package in the patch repository:
yum clean metadata
yum check-update
  • On mailstore node, install the following packages:
yum install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
  • Then ask yum to update available packages:
yum update
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Installing Zimbra packages individually for NETWORK and FOSS

Upgrade OpenLDAP on LDAP node

  • As root, install the package:
yum install zimbra-ldap-patch
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Install/Upgrade zimbra-proxy-patch on Proxy node

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
yum install zimbra-proxy-patch
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart

Install/Upgrade snmp if it is installed on Proxy node

yum install zimbra-snmp-components
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart

Install/Upgrade zimbra-mta-components on MTA node

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
  • Then install the package:
yum install zimbra-mta-components
  • If dnscache is installed, upgrade the package before restarting the services:
yum install zimbra-dnscache-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-mta-patch on MTA node

  • As root, install the package:
yum install zimbra-mta-patch
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-patch on mailstore node

  • As root, install the package:
yum install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
yum install zimbra-patch
  • If apache is installed, upgrade the package before restarting the services:
yum install zimbra-apache-components
  • If spell is installed, upgrade the package before restarting the services:
yum install zimbra-spell-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Installing NG packages (NETWORK Only)

Uninstall zimbra-talk on mailstore node

Starting with Zimbra 8.8.15 GA, zimbra-connect replaces zimbra-talk. Hence, it is important to remove zimbra-talk before installing zimbra-connect.

  • As root, uninstall the package zimbra-talk:
yum remove zimbra-talk

Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs and zimbra-drive-ng on mailstore node

yum install zimbra-network-modules-ng
yum install zimbra-connect
yum install zimbra-zimlet-auth
yum install zimbra-docs
yum install zimbra-drive-ng
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Install/Upgrade zimbra-chat for FOSS

  • As root, install the package:
yum install zimbra-chat
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Ubuntu

Installing zimbra packages with system package upgrades

  • As root, check for updates so the server sees there is a new zimbra-patch package in the patch repository:
apt-get update
  • On mailstore node, install the following packages:
apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
  • Then update available packages:
apt-get upgrade
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Installing zimbra packages individually for NETWORK and FOSS

Upgrade OpenLDAP on LDAP node

  • As root, install the package:
apt-get install zimbra-ldap-patch
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Install/Upgrade zimbra-proxy-patch on Proxy node

  • As root, install the package:
apt-get install zimbra-proxy-patch
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart

Install/Upgrade snmp if it is installed on Proxy node

apt-get install zimbra-snmp-components
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart

Install/Upgrade zimbra-mta-components on MTA node

  • As root, install the package:
apt-get install zimbra-mta-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-mta-patch on MTA node

  • As root, install the package:
apt-get install zimbra-mta-patch
  • If dnscache is installed, upgrade the package before restarting the services:
apt-get install zimbra-dnscache-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-patch on mailstore node

  • As root, check for updates and install the packages:
apt-get update
apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
apt-get install zimbra-patch
  • If apache is installed, upgrade the package before restarting the services:
apt-get install zimbra-apache-components
  • If spell is installed, upgrade the package before restarting the services:
apt-get install zimbra-spell-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Installing NG packages (NETWORK Only)

Uninstall zimbra-talk on mailstore node

Starting with Zimbra 8.8.15 GA, zimbra-connect replaces zimbra-talk. Hence, it is important to remove zimbra-talk before installing zimbra-connect.

  • As root, uninstall the package zimbra-talk:
apt-get remove zimbra-talk

Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs, zimbra-drive-ng on mailstore node

  • As root, check for updates and install packages:
apt-get update
apt-get install zimbra-network-modules-ng
apt-get install zimbra-connect
apt-get install zimbra-zimlet-auth
apt-get install zimbra-docs
apt-get install zimbra-drive-ng
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Install/Upgrade zimbra-chat for FOSS

  • As root, install the package:
apt-get install zimbra-chat
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Jira Summary

Jira Tickets fixed in Joule 8.8.15 Patch 33

ZCS-11689 Upgrade Zimbra OpenSSL to 1.1.1q
ZCS-11686 Purge of centralized volumes blobs fixed
ZCS-11682 Backup volume handler fixed
ZCS-11681 Improved error handling for the purge operation
ZCS-11680 Skip backup of distribution lists and dynamic groups
ZCS-11679 MustChangePassword not evaluated for the application credentials
ZCS-11569 Fix XML missing declaration for EWS
ZCS-11567 Remove allowplugins option from zmsaupdate script of Spamassassin. (Ubuntu 16)
ZCS-11406 Accounts folder on migrating to external backup fixed
ZCS-11302 Classic UI - Users should not be allowed to use username in the password
ZCS-11202 RXSS on '/h/search' via 'title' (8.8.15.p30)
ZCS-11200 RXSS on '/h/search' via 'onload' (8.8.15.p30)
ZCS-11199 RXSS on '/h/search' via 'extra' (8.8.15.p30)
ZCOMT-2485 ZCO sanity testing on Win 11 platforms
ZCOMT-2479 Detect stale auto-complete cache during Sync (with Interval) and prompt the user with a Yes/No message to clear the stale cache entries automatically.
ZCOMT-2475 Investigate the problem with scheduling meeting with MS Teams through ZCO.
ZBUG-2901 denial of service (high CPU usage) caused by regex even with zimbra_external_email_warning_enabled=false
ZBUG-2898 Ubuntu 20, sed expression error
ZBUG-2865 Authentication Bypass in MailboxImportServlet
ZBUG-2849 /var/log/messages filling after applying the Zimbra 9 P25 (2nd release)
ZBUG-2841 Disable Syslog log submission by default in log4j V2.
ZBUG-2821 Disable unintended root sharing
ZBUG-2800 Proxy Servlet SSRF Vulnerability
ZBUG-2676 Upgrade Cyrus SASL to 2.1.28
ZBUG-2662 When using preauth, CSRF tokens are not checked on some post endpoints
ZBUG-2611 Wrong default calendar when creating appointment via double click.
ZBUG-2546 SendAs not getting honoured in ZCO
ZBUG-2373 2FA - Device not detected as Trusted in ZCS multiserver Environment

Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build
