Zimbra Releases/8.8.15/P37

Revision as of 14:32, 16 March 2023 by Deepak.gautam (Update for PreAuth Note)

Zimbra Collaboration Joule 8.8.15 Patch 37 GA Release

Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation section for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

NOTE: If you are upgrading or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read Things to Know Before Upgrading and First Steps with the Zimbra NG Modules for critical information before you upgrade.


NOTICE: For PreAuth

A new LC attribute, zimbra_allowed_redirect_url, has been introduced to control the PreAuth RedirectURL. By default, the value of this attribute is blank, which means the preauth redirect URL allows only a single URL, the one set in the zimbraPublicServiceHostname LDAP attribute. If the preauth redirect URL is different from the URL in the zimbraPublicServiceHostname attribute, then the URL in zimbra_allowed_redirect_url is allowed. Some more details on the LC attribute zimbra_allowed_redirect_url:

1. It accepts a single URL at a time.

2. It allows redirects to other links under the domain as long as they start with the domain set in the zimbra_allowed_redirect_url attribute. For example, if zimbra_allowed_redirect_url is set to https://wiki.zimbra.com, then the PreAuth RedirectURL also allows access to https://wiki.zimbra.com/wiki/Zimbra_Releases.
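
The rule described above, modelled as an added example for checking candidate redirect URLs against a planned configuration. This is not Zimbra's code: the function names are hypothetical, mail.example.com is a constructed hostname, and the example compares the parsed scheme, host and port plus a path-segment prefix rather than a raw string prefix, which is an assumption of this sketch.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # malformed port or bracketed host
        return None


def under(base_url, candidate):
    """True if candidate shares base_url's origin and sits at or below its path."""
    base = origin(base_url)
    if base is None or base != origin(candidate):
        return False
    base_path = urlsplit(base_url).path.rstrip("/")
    path = urlsplit(candidate).path
    return path == base_path or path.startswith(base_path + "/")


def redirect_allowed(redirect_url, public_service_hostname, allowed_redirect_url=""):
    """Model of the documented rule; allowed_redirect_url="" is the default."""
    target = origin(redirect_url)
    if target is None:
        return False  # relative, scheme-less or non-http(s) targets are refused
    if target[1] == public_service_hostname.lower():
        return True  # the host set in zimbraPublicServiceHostname
    # Otherwise only URLs under the single configured URL are accepted.
    return bool(allowed_redirect_url) and under(allowed_redirect_url, redirect_url)
```
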

Change in upgrade process for 8.8.15 Patch 37

Please note that the install process has changed. Additional steps to install the zimbra-common-core-jar, zimbra-common-core-libs, and zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation section to install the packages in order.

Changes required for SSO setup before patch upgrade

Before upgrade, we need to set the zimbraVirtualHostName parameter for the domains that are using SAML and SSO based login. Please follow the instructions:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname

Security Fixes

Summary | CVE-ID | CVSS Score | Zimbra Rating
The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities. | CVE-2023-0286 | TBD | Low
Strengthened PreAuth servlet to only redirect to admin configured url, which will prevent security issues related to open redirection vulnerabilities. | CVE-2023-24030 | TBD | Low
Previously, the account status was not validated when sending emails using 2FA. Added additional validations for user accounts to check the account status and allow email operations. | CVE-2023-26562 | TBD | Medium
Strengthened security of Zimbra product by disallowing usage of some JVM arguments in mailbox manager. | CVE-2023-24032 | TBD | Low
The Perl compress zlib package has been upgraded to version 2.103-1 to fix out-of-bounds access vulnerability | CVE-2018-25032 | 7.5 | Low

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.

What's New

Package Upgrade


  • Perl compress zlib package has been upgraded from 2.069 to version 2.103-1


ZCO

  • ZCO now supports the use of a partial sync feature during initial and delta/regular sync for Shared Mailbox. An option -smd <value greater than zero> can be used with the ZmCustomizeMsi.js script. SharedFolderMailCutoffDays <value greater than zero> attribute is also required to be set in the registry.

Fixed Issues

Platform

  • When the timezone is set to Asia/Yangon, the zmswatch and zmlogswatchctl services failed to start. The issue has been fixed. ZBUG-3261
  • When creating an appointment without a body and sending it to the EWS user, NPE errors were seen and the appointment was not visible to the recipient. The issue has been fixed. ZBUG-3124
  • Corrected hardcoded syslog configuration to system defined configuration. ZBUG-3053
  • When installing the zimbra-patch package, it redeployed all standard zimlets and overwrote the previously deployed zimlet configurations. The issue has been fixed and the zimlets are no longer re-deployed. ZBUG-2722

Web UX - Classic

  • Fixed the issue in Classic UI where out of office date was changed when selecting any date in month of February. ZBUG-3252
  • Fixed the issue where sometimes appointment dates displayed backwards when calendar appointment is re-opened. ZBUG-2311

Admin Web Console

  • User can now add notes on multiple lines in the Admin UI at the path Home > Manage > Accounts > user@domain.com > General Information > Notes. ZBUG-3027

ZCO

  • Corrected French translation on Room Finder UI. ZBUG-3002

Zimbra Drive

  • The preview is no longer offered for documents larger than 10 Mb and images larger than 20 Mb, to avoid server resource consumption and possible crashes.

NG Backup

  • Now the external restore operation supports the accounts UUID for both the accounts parameter and in an input file.
  • The getAvailableAccount command now provides a parameter to generate a file and to choose the headers.
  • ExternalRestore follows the order of the accounts provided in the accounts or input_file parameter.

NG HSM

  • Underscores have been removed from object storage types such as CustomS3 and ScalityS3.

NG Mobile

  • Fixed a bug that caused iOS mobile devices to synchronize replies to calendar appointments multiple times.
  • Fixed a bug that caused the exceptions in recurring calendars not to be synchronized properly via EAS.
  • When using NG Mobile, the calendar events were not fully synced to the phone in certain scenarios. The issue has been fixed. ZBUG-3001


Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation section to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Joule-Patch-32 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow the instructions below:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart
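
An audit check for the workaround above, added here as an example and not part of the Zimbra release notes: it reads the text of a krb5 configuration file and reports where [libdefaults] enables allow_weak_crypto or lists 3DES/RC4 encryption types. The function name, the sample configuration and the EXAMPLE.COM realm are constructed for illustration.

```python
import re

# Spellings commonly accepted as "true" for krb5 boolean settings.
TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}
# Settings in [libdefaults] that list encryption types.
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}
# 3DES and RC4 encryption type names and family aliases.
WEAK_ENCTYPES = {"des3", "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
                 "rc4", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  allow_weak_crypto = true
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
  EXAMPLE.COM = { kdc = kdc.example.com }
"""


def audit_krb5(text):
    """Return (line number, setting, offending value) tuples from [libdefaults]."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((lineno, key, value))
        elif key in ENCTYPE_KEYS:
            weak = [e for e in re.split(r"[,\s]+", value.lower()) if e in WEAK_ENCTYPES]
            if weak:
                findings.append((lineno, key, " ".join(weak)))
    return findings


if __name__ == "__main__":
    for finding in audit_krb5(SAMPLE):
        print(finding)
```

Running it against the contents of /opt/zimbra/jetty_base/etc/krb5.ini.in after a migration to AES256 shows whether the workaround is still in place.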


Packages

The package lineup for this release is:

FOSS:

PackageName                                       -> Version
zimbra-patch                                      ->  8.8.15.1676037803.p37-1
zimbra-mta-patch                                  ->  8.8.15.1676037803.p37-1
zimbra-proxy-patch                                ->  8.8.15.1676037803.p37-1
zimbra-ldap-patch                                 ->  8.8.15.1676037803.p37-1
zimbra-mbox-webclient-war                         ->  8.8.15.1676019993-1
zimbra-common-core-jar                            ->  8.8.15.1676020603-1
zimbra-mbox-admin-console-war                     ->  8.8.15.1676019834-1
zimbra-chat                                       ->  4.0.3.1654677981-1
zimbra-drive                                      ->  1.0.14.1588924560-1
zimbra-perl-compress-raw-zlib                     ->  2.103-1zimbra8.7b1
zimbra-perl-date-manip                            ->  6.90-1zimbra8.7b1
zimbra-perl                                       ->  1.0.7-1zimbra8.7b1 (For RHEL8, UBUNTU20 : 1.0.8-1zimbra8.7b1 )
zimbra-openssl                                    ->  1.1.1t-1zimbra8.7b4
zimbra-core-components                            ->  2.0.22-1zimbra8.8b1
zimbra-ldap-components                            ->  1.0.22-1zimbra8.8b1

NETWORK:

PackageName                                       -> Version
zimbra-patch                                      ->  8.8.15.1676464123.p37-2
zimbra-mbox-ews-service                           ->  8.8.15.1676296302-1
zimbra-zco                                        ->  8.8.15.1927.1676464022-1
zimbra-talk                                       ->  4.0.3.1673533079-1
zimbra-connect                                    ->  1.0.30.1635424238-1
zimbra-docs                                       ->  3.0.10.1663658159-1
zimbra-drive-ng                                   ->  3.0.17.1637855904-1
zimbra-zimlet-auth                                ->  1.0.5.1652971904-1
zimbra-network-modules-ng                         ->  6.0.38.1672292497-1


Patch Installation

Please refer to the link below to install Joule 8.8.15 Patch 37:

Patch Installation


Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build
