Zimbra Releases/8.8.15/P33
Zimbra Collaboration Joule 8.8.15 Patch 33 GA Release
Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation section for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.
NOTE: If you are upgrading or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read Things to Know Before Upgrading and First Steps with the Zimbra NG Modules for critical information before you upgrade.
Change in upgrade process for 8.8.15 Patch 33
Please note that the install process has changed. Additional steps to install the zimbra-common-core-jar, zimbra-common-core-libs, and zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation section to install the packages in the specified order.
Changes required for SSO setup before patch upgrade
Before upgrading, set the zimbraVirtualHostName parameter for the domains that use SAML and SSO based login. Please follow the instructions:
su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname
Security Fixes
Summary | CVE-ID | CVSS Score | Zimbra Rating |
---|---|---|---|
Upgraded OpenSSL to 1.1.1q to avoid multiple vulnerabilities | CVE-2022-2068 | 9.8 | Low |
RXSS on '/h/search' via title parameter | CVE-2022-37044 | TBD | Low |
RXSS on '/h/search' via onload parameter | CVE-2022-37044 | TBD | Medium |
RXSS on '/h/search' via extra parameter | CVE-2022-37044 | TBD | Medium |
Authentication Bypass in MailboxImportServlet | CVE-2022-37042 | TBD | High |
Proxy Servlet SSRF Vulnerability | CVE-2022-37041 | TBD | Low |
Cyrus SASL package has been upgraded to version 2.1.28 | CVE-2022-24407 | 8.8 | Low |
When using preauth, CSRF tokens are not checked on some post endpoints | CVE-2022-37043 | TBD | Medium |
What's New
Zimbra 8.8.15 is now fully supported on Rocky Linux 8 (GA)
Download the latest Rocky Linux 8 binaries from https://www.zimbra.com/downloads
Package Upgrade
- OpenSSL has been upgraded to version 1.1.1q
- Cyrus SASL package has been upgraded to version 2.1.28
Zimbra Web Client (ZWC)
- In the previous patch release, a local config attribute allow_username_within_password was introduced to restrict users from using their username in the password in Modern Web App. With this patch release, the feature is available for Classic Web App. It restricts users from using their names when resetting or changing the password.
Zimbra Connector for Outlook
- ZCO is now supported on the Windows 11 platform.
- Stale auto-complete cache is now automatically detected when sync occurs, and the user is now prompted with a Yes/No dialog to automatically clear the stale cache when YES is chosen.
- Users could not schedule a meeting through MS Teams when clicking the "New Teams Meeting" option. The issue has been fixed.
Fixed Issues
Zimbra Collaboration
- Updated XML declaration to EWS response for clients to consume.
- Spamassassin's zmsaupdate script has been updated to remove the --allowplugins option.
- In the previous patch, a feature was introduced to add an external message warning banner when receiving emails from external domains. In certain scenarios, it caused high CPU usage. The issue has been fixed.
- On Ubuntu 20 OS, restarting the zmmailboxdctl service printed a harmless error on the console. The issue has been fixed.
- Due to log4j changes in the previous patch, on a Multi-node environment, the /var/log/messages file was continuously getting updated with INFO logs. The issue has been fixed and the default log level is set to ERROR now.
- Due to log4j changes in the previous patch, the Syslog submission was enabled by default which was updating the /var/log/syslog file continuously. The issue has been fixed and Syslog submission has been disabled.
- In a multi-node environment, if the user has 2FA enabled and set up and selects "Trust this computer" on the login screen, the setting did not persist and the user was asked to enter the OTP. The issue has been fixed.
Zimbra Web Client (ZWC)
- Intermittently, the root folder was getting shared when the user shared a particular folder from Classic Web App. The issue has been fixed.
- If the user has multiple calendars and when viewing the Calendar tab in the day view, double-clicking on the non-default calendar to create an event selects the default calendar. The issue has been fixed.
Zimbra Connector for Outlook
- When the user tries to send an email through a shared email folder having SendAs right, an error was encountered. The issue has been fixed.
NG Auth
- A password change will no longer be considered when using application credentials or QR code-based authentication for the apps.
NG Backup
- Fixed a bug that prevented updating the S3 backup volume.
- Improved the error handling when running a purge and the ZxBackup_DataRetentionDays attribute has an invalid value.
- A new attribute backupSkipDLAndDynamicGroups has been added so it is now possible to skip the backup for distribution lists and dynamic groups in order to improve backup time.
- Fixed a bug that caused the metadata of the accounts to be wrongly uploaded to the bucket’s root folder. Now the metadata files are properly uploaded to the accounts folder.
NG HSM
- Fixed a bug that prevented updating the S3 backup volume.
- Fixed a bug that prevented blobs from being purged from a centralized volume when moving a mailbox from a server with that centralized volume configured to another server that doesn’t have it.
Known Issues
- While deploying zimlets, if the following error is encountered, please refer to the Patch Installation section to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
    at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
    ... 1 more
- From Joule-Patch-32 onwards, customers using SSO will need to update the zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
- With JDK 17, weaker Kerberos encryption types like 3DES and RC4 are now disabled by default. This can cause SPNEGO auth to fail if these encryption types are being used. We recommend using stronger encryption types like AES256.
To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow the instructions below:
1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true
2. Restart mailboxd service:
su - zimbra
zmmailboxdctl restart
Patch Installation
Please refer to the steps below to install 8.8.15 Patch 33 on Redhat and Ubuntu platforms:
Before Installing the Patch, consider the following:
- Patches are cumulative.
- A full backup should be performed before any patch is applied. There is no automated roll-back.
- Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.
- Only files or Zimlets associated with installed packages will be installed from the patch.
- Switch to zimbra user before using ZCS CLI commands.
- Important! You cannot revert to the previous ZCS release after you upgrade to the patch.
- Important! Please note that the install process has changed. Additional steps to install the zimbra-common-core-jar, zimbra-common-core-libs, and zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation section to install the packages in the specified order.
8.8.15 Patch 33 Packages
The package lineup for this release is:
FOSS:
Package Name -> Version
zimbra-patch -> 8.8.15.1658841204.p33-2
zimbra-mta-patch -> 8.8.15.1658841204.p33-1
zimbra-mta-components -> 1.0.15-1zimbra8.8b1
zimbra-proxy-patch -> 8.8.15.1658841204.p33-1
zimbra-proxy-components -> 1.0.10-1zimbra8.8b1
zimbra-php -> 7.4.27-1zimbra8.7b3
zimbra-httpd -> 2.4.53-1zimbra8.7b3
zimbra-apache-components -> 2.0.7-1zimbra8.8b1
zimbra-spell-components -> 2.0.8-1zimbra8.8b1
zimbra-nginx -> 1.20.0-1zimbra8.8b3
zimbra-common-core-jar -> 8.8.15.1658837424-1
zimbra-common-core-libs -> 8.8.15.1654854265-1
zimbra-mbox-conf -> 8.8.15.1568012813-1
zimbra-mbox-service -> 8.8.15.1568694943-1
zimbra-mbox-store-libs -> 8.8.15.1654854265-1
zimbra-mbox-war -> 8.8.15.1655458176-1
zimbra-mbox-admin-console-war -> 8.8.15.1653031987-1
zimbra-mbox-webclient-war -> 8.8.15.1658466576-1
zimbra-drive -> 1.0.13.1576152256-1
zimbra-timezone-data -> 2.0.1.1646993388-1
zimbra-openjdk -> 17.0.2-1zimbra8.8b1
zimbra-openjdk-cacerts -> 1.0.8-1zimbra8.7b1
zimbra-openssl -> 1.1.1q-1zimbra8.7b4
zimbra-cyrus-sasl -> 2.1.28-1zimbra8.7b3
zimbra-openldap-lib -> 2.4.59-1zimbra8.8b5
zimbra-openldap-client -> 2.4.59-1zimbra8.8b5
zimbra-openldap-server -> 2.4.59-1zimbra8.8b5
zimbra-ldap-components -> 1.0.18-1zimbra8.8b1
zimbra-core-components -> 2.0.18-1zimbra8.8b1
zimbra-postfix -> 3.6.1-1zimbra8.7b3
zimbra-postfix-logwatch -> 1.40.03-1zimbra8.7b1
zimbra-clamav -> 0.103.3-1zimbra8.8b3
zimbra-perl-mail-spamassassin -> 3.4.6-1zimbra8.8b3
zimbra-spamassassin-rules -> 1.0.0-1zimbra8.8b5
zimbra-openldap-server -> 2.4.59-1zimbra8.8b5
zimbra-chat -> 3.0.2.1655178187-1
NETWORK:
Package Name -> Version
zimbra-patch -> 8.8.15.1658841204.p33-1
zimbra-mbox-ews-service -> 8.8.15.1657194582-1
zimbra-drive-ng -> 3.0.16.1637855904-1
zimbra-network-modules-ng -> 6.0.35.1657211057-1
zimbra-docs -> 3.0.8.1616090809-1
zimbra-connect -> 1.0.29.1635424238-1
zimbra-zco -> 8.8.15.1922.1658473938-1
zimbra-zimlet-auth -> 1.0.4.1652971904-1
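After patching, the installed versions can be compared against the lineup above to confirm that the security-relevant packages were actually upgraded. The script below is an added example, not part of Zimbra's release notes or tooling; the function names check_p33_versions and sample_inventory, the chosen subset of packages, and the platform suffixes in the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Zimbra release notes): check installed package
# versions against a subset of the Patch 33 lineup listed on this page.
# Feed it "name version" lines, e.g. from
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'zimbra-*'
#   dpkg-query -W -f='${Package} ${Version}\n' 'zimbra-*'

# Versions copied from the lineup above. zimbra-patch is matched without its
# release suffix because FOSS ships p33-2 and NETWORK ships p33-1.
EXPECTED='zimbra-patch 8.8.15.1658841204.p33
zimbra-openssl 1.1.1q-1zimbra8.7b4
zimbra-cyrus-sasl 2.1.28-1zimbra8.7b3
zimbra-common-core-jar 8.8.15.1658837424-1
zimbra-mbox-war 8.8.15.1655458176-1'

# Reads the inventory on stdin, prints one verdict per expected package and
# returns non-zero if any is missing or differs. Prefix match, on the
# assumption that distribution builds append a platform suffix.
check_p33_versions() {
    installed=$(cat)
    rc=0
    while read -r name want; do
        have=$(printf '%s\n' "$installed" |
            awk -v n="$name" '$1 == n { print $2; exit }')
        case "$have" in
            "")       echo "MISSING  $name expected=$want"; rc=1 ;;
            "$want"*) echo "OK       $name $have" ;;
            *)        echo "MISMATCH $name have=$have expected=$want"; rc=1 ;;
        esac
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample inventory (platform suffixes are made up): OpenSSL was
# not upgraded and zimbra-mbox-war is absent.
sample_inventory() {
    cat <<'EOF'
zimbra-patch 8.8.15.1658841204.p33-2.r7
zimbra-openssl 1.1.1n-1zimbra8.7b4.r7
zimbra-cyrus-sasl 2.1.28-1zimbra8.7b3.r7
zimbra-common-core-jar 8.8.15.1658837424-1.r7
zimbra-nginx 1.20.0-1zimbra8.8b3.r7
EOF
}

sample_inventory | check_p33_versions || echo "patch level incomplete"
```

Because patches are cumulative, a host already on a later patch reports MISMATCH with newer versions, which is expected.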
Redhat
Installing Zimbra packages with system package upgrades
- As root, first clear the yum cache and check for updates so the server sees there is a new zimbra-patch package in the patch repository:
yum clean metadata
yum check-update
- On mailstore node, install the following packages:
yum install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
- Then ask yum to update available packages:
yum update
- Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart
Installing Zimbra packages individually for NETWORK and FOSS
Upgrade OpenLDAP on LDAP node
- As root, install the package:
yum install zimbra-ldap-patch
- Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart
Install/Upgrade zimbra-proxy-patch on Proxy node
- As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
yum install zimbra-proxy-patch
- Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart
Install/Upgrade snmp if it is installed on Proxy node
yum install zimbra-snmp-components
- Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
Install/Upgrade zimbra-mta-components on MTA node
- As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
- Then install the package:
yum install zimbra-mta-components
- If dnscache is installed, upgrade the package before restarting the services:
yum install zimbra-dnscache-components
- If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
- Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart
Install/Upgrade zimbra-mta-patch on MTA node
- As root, install the package:
yum install zimbra-mta-patch
- Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart
Install/Upgrade zimbra-patch on mailstore node
- As root, install the package:
yum install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
yum install zimbra-patch
- If apache is installed, upgrade the package before restarting the services:
yum install zimbra-apache-components
- If spell is installed, upgrade the package before restarting the services:
yum install zimbra-spell-components
- If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
- Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart
Installing NG packages (NETWORK Only)
Uninstall zimbra-talk on mailstore node
Starting with Zimbra 8.8.15 GA, zimbra-connect replaces zimbra-talk. Hence, it is important to remove zimbra-talk before installing zimbra-connect.
- As root, uninstall the package zimbra-talk:
yum remove zimbra-talk
Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs and zimbra-drive-ng on mailstore node
yum install zimbra-network-modules-ng
yum install zimbra-connect
yum install zimbra-zimlet-auth
yum install zimbra-docs
yum install zimbra-drive-ng
- Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart
Install/Upgrade zimbra-chat for FOSS
- As root, install the package:
yum install zimbra-chat
- Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart
Ubuntu
Installing zimbra packages with system package upgrades
- As root, check for updates so the server sees there is a new zimbra-patch package in the patch repository:
apt-get update
- On mailstore node, install the following packages:
apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
- Then update available packages:
apt-get upgrade
- Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart
Installing zimbra packages individually for NETWORK and FOSS
Upgrade OpenLDAP on LDAP node
- As root, install the package:
apt-get install zimbra-ldap-patch
- Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart
Install/Upgrade zimbra-proxy-patch on Proxy node
- As root, install the package:
apt-get install zimbra-proxy-patch
- Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart
Install/Upgrade snmp if it is installed on Proxy node
apt-get install zimbra-snmp-components
- Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
Install/Upgrade zimbra-mta-components on MTA node
- As root, install the package:
apt-get install zimbra-mta-components
- If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
- Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart
Install/Upgrade zimbra-mta-patch on MTA node
- As root, install the package:
apt-get install zimbra-mta-patch
- If dnscache is installed, upgrade the package before restarting the services:
apt-get install zimbra-dnscache-components
- Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart
Install/Upgrade zimbra-patch on mailstore node
- As root, check for updates and install the package:
apt-get update
apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
apt-get install zimbra-patch
- If apache is installed, upgrade the package before restarting the services:
apt-get install zimbra-apache-components
- If spell is installed, upgrade the package before restarting the services:
apt-get install zimbra-spell-components
- If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
- Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart
Installing NG packages (NETWORK Only)
Uninstall zimbra-talk on mailstore node
Starting with Zimbra 8.8.15 GA, zimbra-connect replaces zimbra-talk. Hence, it is important to remove zimbra-talk before installing zimbra-connect.
- As root, uninstall the package zimbra-talk:
apt-get remove zimbra-talk
Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs, zimbra-drive-ng on mailstore node
- As root, check for updates and install packages:
apt-get update
apt-get install zimbra-network-modules-ng
apt-get install zimbra-connect
apt-get install zimbra-zimlet-auth
apt-get install zimbra-docs
apt-get install zimbra-drive-ng
- Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart
Install/Upgrade zimbra-chat for FOSS
- As root, install the package:
apt-get install zimbra-chat
- Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart
Jira Summary
Jira Tickets fixed in Joule 8.8.15 Patch 33
ZCS-11689 | Upgrade Zimbra OpenSSL to 1.1.1q |
ZCS-11686 | Purge of centralized volumes blobs fixed |
ZCS-11682 | Backup volume handler fixed |
ZCS-11681 | Improved error handling for the purge operation |
ZCS-11680 | Skip backup of distribution lists and dynamic groups |
ZCS-11679 | MustChangePassword not evaluated for the application credentials |
ZCS-11569 | Fix XML missing declaration for EWS |
ZCS-11567 | Remove allowplugins option from zmsaupdate script of Spamassassin. (Ubuntu 16) |
ZCS-11406 | Accounts folder on migrating to external backup fixed |
ZCS-11302 | Classic UI - Users should not be allowed to use username in the password |
ZCS-11202 | RXSS on '/h/search' via 'title' (8.8.15.p30) |
ZCS-11200 | RXSS on '/h/search' via 'onload' (8.8.15.p30) |
ZCS-11199 | RXSS on '/h/search' via 'extra' (8.8.15.p30) |
ZCOMT-2485 | ZCO sanity testing on Win 11 platforms |
ZCOMT-2479 | Detect stale auto-complete cache during Sync (with Interval) and prompt the user with a Yes/No message to clear the stale cache entries automatically. |
ZCOMT-2475 | Investigate the problem with scheduling meeting with MS Teams through ZCO. |
ZBUG-2901 | denial of service (high CPU usage) caused by regex even with zimbra_external_email_warning_enabled=false |
ZBUG-2898 | Ubuntu 20, sed expression error |
ZBUG-2865 | Authentication Bypass in MailboxImportServlet |
ZBUG-2849 | /var/log/messages filling after applying the Zimbra 9 P25 (2nd release) |
ZBUG-2841 | Disable Syslog log submission by default in log4j V2. |
ZBUG-2821 | Disable unintended root sharing |
ZBUG-2800 | Proxy Servlet SSRF Vulnerability |
ZBUG-2676 | Upgrade Cyrus SASL to 2.1.28 |
ZBUG-2662 | When using preauth, CSRF tokens are not checked on some post endpoints |
ZBUG-2611 | Wrong default calendar when creating appointment via double click. |
ZBUG-2546 | SendAs not getting honoured in ZCO |
ZBUG-2373 | 2FA - Device not detected as Trusted in ZCS multiserver Environment |
Quick note: Open Source repo
The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build