Zimbra Releases/8.8.15/P40
Zimbra Collaboration Joule 8.8.15 Patch 40 GA Release
Release Date: May 30, 2023
Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation steps for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.
NOTE: If you are upgrading or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read Things to Know Before Upgrading and First Steps with the Zimbra NG Modules for critical information before you upgrade.
IMPORTANT: Remove Client Uploader
A majority of customers now use other options to distribute packages to the end users. If you want to continue to use ClientUploader, follow these manual steps for installation.
Redhat
- As root, install the package:
  yum install zimbra-extension-clientuploader
  yum install zimbra-zimlet-admin-clientuploader
- Restart ZCS as the zimbra user:
  su - zimbra
  zmcontrol restart
Ubuntu
- As root, install the package:
  apt-get install zimbra-extension-clientuploader
  apt-get install zimbra-zimlet-admin-clientuploader
- Restart ZCS as the zimbra user:
  su - zimbra
  zmcontrol restart
Change in upgrade process for 8.8.15 Patch 40
Please note that the install process has changed. Additional steps to install the zimbra-common-core-jar, zimbra-common-core-libs and zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation steps to install the packages in the required order.
Changes required for SSO setup before patch upgrade
Before upgrading, set the zimbraVirtualHostName parameter for the domains that use SAML and SSO based login. Please follow the instructions:
su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname
Security Fixes
Summary | CVE-ID | CVSS Score | Zimbra Rating |
---|---|---|---|
As part of continuous improvement, the ClientUploader packages have been removed from the core product and moved to an optional package | CVE-2023-34193 | TBD | Medium |
Added additional validations for 2FA login | CVE-2023-29381 | TBD | Medium |
A possible Cross-site Scripting (XSS) security vulnerability has been fixed | CVE-2023-34192 | TBD | High |
The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities | CVE-2023-25690 | 9.8 | Low |
Removed an unused JSP file which may bypass the Preauth verification | CVE-2023-29382 | TBD | Low |
The Apache CXF package has been upgraded to version 3.5.5 to fix an SSRF vulnerability | CVE-2022-46364 | 9.8 | Low |
The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities | CVE-2022-22970 | 5.3 | Low |
Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps.
What's New
Package Upgrade
- The Apache package has been upgraded from 2.4.54 to 2.4.57
- The Apache CXF package has been upgraded from 3.5.1 to 3.5.5
- The Spring Core package has been upgraded from 5.3.18 to 6.0.8
Zimbra Connector for Outlook
- To better manage storage on Outlook, the Auto Archive feature is now available for users. The settings can be accessed at File -> Options -> Advanced -> AutoArchive. By default the feature is disabled. This feature does not support auto archiving Calendar and Shared Inbox folders, but we continue to support them through the Manual Archive feature.
Fixed Issues
Zimbra Collaboration
- Users can now add their Google calendar as an External calendar. ZBUG-2802
- When a Load Balancer is used with a Zimbra Proxy server and multiple IP addresses are received in the X-Forwarded-For header, they were treated as one single IP for the Whitelist check, which resulted in suspending it. The issue has been fixed and the whitelist check is now done on a single IP address even if multiple IP addresses are received. ZBUG-2250
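An added example (not Zimbra's code) of the failure mode described in ZBUG-2250: a whitelist lookup on the raw X-Forwarded-For value next to one that first reduces the header to a single address. The networks are constructed samples, and picking the right-most hop that was not added by a trusted proxy is an assumption; the page does not say which address Zimbra selects.

```python
import ipaddress

# Constructed sample networks (assumptions for illustration only).
WHITELIST = [ipaddress.ip_network("10.0.0.0/24")]         # exempt from suspension
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]  # load balancers that append to XFF


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def whitelisted_whole_header(xff):
    """Behaviour described as the bug: the whole header is treated as one IP."""
    try:
        return _in_any(ipaddress.ip_address(xff.strip()), WHITELIST)
    except ValueError:
        return False  # "a, b" is not an address, so the whitelist never matches


def client_ip(xff):
    """Reduce the header to one address, or None if any entry is malformed."""
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",") if h.strip()]
    except ValueError:
        return None
    # Walk right to left: anything left of the first untrusted hop was
    # supplied by that hop and can be forged.
    for addr in reversed(hops):
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return hops[0] if hops else None


def whitelisted(xff):
    """Whitelist check on the single address selected by client_ip()."""
    addr = client_ip(xff)
    return addr is not None and _in_any(addr, WHITELIST)
```

With the sample networks, `"10.0.0.7, 192.0.2.10"` fails the whole-header check but passes once the header is split, while a whitelisted address placed in front of an untrusted hop is not honoured.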
Zimbra Web Client (ZWC)
- Translations have been updated for Arabic, Deutsch (German), French Canadian, Danish, Hindi, Japanese and Español (Spanish).
Zimbra Connector for Outlook
- Changes done to the tags are now updated correctly in the Web App. ZBUG-2067
- The external and public sharing attributes were not honored in ZCO. The issue has been fixed. ZBUG-1380
NG HSM
- To improve the testS3Connection command, a file is now uploaded to the bucket, read and finally deleted to confirm that the bucket is working properly.
NG Mobile
- Fixed a bug that caused attachment names with non-ASCII characters to be wrongly encoded when synchronizing via EAS.
- Fixed a bug that caused iOS mobile devices to synchronize replies to calendar appointments multiple times.
Known Issues
- While deploying zimlets, if the following error is encountered, please refer to the [Installation] page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
    at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
    ... 1 more
- From Kepler-Patch-25 onwards, customers using SSO will need to update the zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
- With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if these encryption types are being used. We recommend using stronger encryption types like AES256.
To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow the instructions below:
1. In the [libdefaults] section of /opt/zimbra/jetty_base/etc/krb5.ini.in, set allow_weak_crypto = true
2. Restart the mailboxd service:
su - zimbra
zmmailboxdctl restart
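An added example (not part of the Zimbra tooling) for hosts where the workaround above was applied: a small audit of the [libdefaults] section that reports allow_weak_crypto and any 3DES or RC4 enctypes still listed. The sample configurations are constructed, and the three *_enctypes keys are standard krb5.conf settings that the page itself does not mention.

```python
import re

WEAK_MARKERS = ("des3", "rc4", "arcfour")  # 3DES and RC4 families
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed samples: the workaround from the note above, and an AES-only file.
WORKAROUND = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des3-cbc-sha1
[domain_realm]
    .example.com = EXAMPLE.COM
"""
HARDENED = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96
"""


def libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """List the weak-crypto settings present in a krb5 configuration."""
    conf, findings = libdefaults(text), []
    if conf.get("allow_weak_crypto", "").lower() == "true":
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        for enctype in re.split(r"[\s,]+", conf.get(key, "")):
            if any(marker in enctype.lower() for marker in WEAK_MARKERS):
                findings.append(f"{key} lists weak enctype {enctype}")
    return findings
```

An empty result from `audit()` on the deployed file means the workaround is no longer in place and only the stronger types remain configured.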
Packages
The package lineup for this release is:
FOSS:
PackageName -> Version
zimbra-patch -> 8.8.15.1684334300.p40-1
zimbra-mta-patch -> 8.8.15.1684436516.p40-1
zimbra-proxy-patch -> 8.8.15.1684222968.p40-1
zimbra-ldap-patch -> 8.8.15.1684222968.p40-1
zimbra-common-core-jar -> 8.8.15.1684213151-1
zimbra-mbox-war -> 8.8.15.1684213151-1
zimbra-common-core-libs -> 8.8.15.1684166581-1
zimbra-mbox-webclient-war -> 8.8.15.1684144101-1
zimbra-httpd -> 2.4.57-1zimbra8.7b4
zimbra-spell-components -> 2.0.11-1zimbra8.8b1 ( RHEL8, UBUNTU20: 2.0.12-1zimbra8.8b1 )
zimbra-apache-components -> 2.0.10-1zimbra8.8b1
zimbra-extension-clientuploader -> 1.0.0.1683611258-1
zimbra-zimlet-admin-clientuploader -> 8.0.0
NETWORK:
PackageName -> Version
zimbra-patch -> 8.8.15.1684436516.p40-2
zimbra-mbox-ews-service -> 8.8.15.1684129925-1
zimbra-zco -> 8.8.15.1930.1684419492-1
zimbra-network-modules-ng -> 6.0.40.1684335053-1
Patch Installation
Please refer to the link below to install Joule 8.8.15 Patch 40:
Quick note: Open Source repo
The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build