Zimbra Collaboration Joule 8.8.15 Patch 35 GA Release
Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation section for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.
NOTE: If you are upgrading or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read Things to Know Before Upgrading and First Steps with the Zimbra NG Modules for critical information before you upgrade.
Pre-requisite identified for manual installation of pcre2 package
pcre2 package was identified as a dependent package for apache, spell and converted components. We recommend installing the pcre2 package manually before upgrading to this patch. Following are the instructions:
For Ubuntu, execute the command as a
apt-get install libpcre2-8-0
For RHEL/CentOS, execute the command as a
yum install pcre2
Change in upgrade process for 8.8.15 Patch 35
Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation section to install the packages in its order.
Changes required for SSO setup before patch upgrade
Before upgrade, we need to set the zimbraVirtualHostName parameter for the domains that are using SAML and SSO based login. Please follow the instructions:
su - zimbra zmprov md domain_name zimbraVirtualHostName virtual_hostname
|Summary||CVE-ID||CVSS Score||Zimbra Rating|
|RCE through ClientUploader from authenticated admin user.||TBD||TBD||Medium|
|XSS can occur via one of attribute in webmail urls, leading to information disclosure||TBD||TBD||Medium|
|The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerbilities.||CVE-2022-26377||7.5||Medium|
|The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities.||CVE-2022-20770||TBD||Low|
Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps.
- The date header has been added to the mail notification emails.
- Timezone data has been updated with the latest changes of tzdata2022c
- ZCO is now supported on Microsoft Outlook 2021.
- NG Tab was not visible in Admin Console on a setup where Zimbra is not installed in the default location. The issue has been fixed - ZBUG-2991.
- The doMoveBlobs operation now ignores accounts deleted after the operation starts.
- Software now throws an exception if a remote root path is to be appended to the bulk deletion files of a remote volume, and skips the append to avoid unwanted loss of data.
- Fixed a bug that caused a single instance of an appointment to be moved to the original time in the organizer’s calendar when the attendee accepts the invitation.
- Fixed a bug that caused the Outlook app synchronization to start looping when using the remote search.
- Fixed a bug that prevented the attendees to receive an update when removing them from an appointment so the appointment was still shown in their calendar.
- Fixed a bug that made the exceptions to recurring events not being synchronized - ZBUG-3011.
- JSESSIONID is now marked with HttpOnly and secure flags as true - ZBUG-2341.
- Mails having unclosed comment tags were not displayed when OWASP sanitization was enabled. In the previous patch, a local config
zimbra_strict_unclosed_comment_tagwas introduced which fixed the issue. The default value is true which will not display emails having an unclosed comment tag. The emails with unclosed comment tags will be displayed if set to false - ZBUG-2639, ZBUG-2878.
Web UX - Classic
- Assigning to newly created tag to a selection of files in Briefcase, would result in clearing out the selection. With these release this selection stays even after assigning a newly created tag.
- Tasks section did not work after installing 8.8.15 Joule-Patch-33. This issue has been fixed - ZBUG-2958.
- When configuring ZCO through the Zimbra profile, the From Address was displayed as "Zimbra Collaboration Server" instead of the configured account name. The issue has been fixed.
- Intermittently, Outlook would not sync emails with large metadata. The issue has been fixed - ZBUG-2984.
- While deploying zimlets, if the following error is encountered, please refer to the Patch Installation section to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353) Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602) at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178) at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521) ... 1 more
- From Joule-Patch-32 onwards, customers using SSO will need to update
zimbraVirtualHostNameattribute for the domains. Please refer to the instructions to update the attribute.
- With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.
To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:
1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true
2. Restart mailboxd service:
su - zimbra zmmailboxdctl restart
- Changes are not synced to Android devices if attendees of an instance in a recurring appointment are modified. - ZBUG-3133.
The package lineup for this release is:
PackageName -> Version zimbra-patch -> 220.127.116.118607279.p35-1 zimbra-mta-patch -> 18.104.22.1687900843.p35-1 zimbra-proxy-patch -> 22.214.171.1247900843.p35-1 zimbra-ldap-patch -> 126.96.36.1997900843.p35-1 zimbra-timezone-data -> 188.8.131.527816429-1 zimbra-mbox-webclient-war -> 184.108.40.2068517206-1 zimbra-common-core-jar -> 220.127.116.117823299-1 zimbra-unbound -> 1.11.0-1zimbra8.7b4 zimbra-dnscache-components -> 1.0.4-1zimbra8.7b1 zimbra-httpd -> 2.4.54-1zimbra8.7b3 zimbra-apache-components -> 2.0.8-1zimbra8.8b1 zimbra-spell-components -> 2.0.9-1zimbra8.8b1 zimbra-clamav -> 0.105.1.2-1zimbra8.8b3 zimbra-mta-components -> 1.0.18-1zimbra8.8b1
PackageName -> Version zimbra-patch -> 18.104.22.1688607279.p35-2 zimbra-zco -> 22.214.171.1244.1667892795-1 zimbra-network-modules-ng -> 126.96.36.1997816723-1
Please refer to below link to install Joule 8.8.15 Patch 35: