Zimbra Releases/8.8.15/P46

Revision as of 15:08, 13 September 2024 by Klug

Zimbra Collaboration Joule 8.8.15 Patch 46 GA Release

Release Date: September 04, 2024

Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation section for installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

NOTE: If you are upgrading or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read Things to Know Before Upgrading and First Steps with the Zimbra NG Modules for critical information before you upgrade.

Security Fixes

| Summary | CVE-ID | CVSS Score |
| --- | --- | --- |
| Fixed a security vulnerability in the postjournal service which may allow unauthenticated users to execute commands. | CVE-2024-45519 | TBD |
| A Server-Side Request Forgery (SSRF) vulnerability that allowed unauthorized access to internal services has been addressed. | CVE-2024-45518 | TBD |
| A Cross-Site Scripting (XSS) vulnerability in the `/h/rest` endpoint has been fixed. | CVE-2024-45517 | TBD |
| A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. | CVE-2024-45516 | TBD |
| A Cross-Site Scripting (XSS) vulnerability caused by a non-sanitized `packages` parameter has been resolved. | CVE-2024-45514 | TBD |
| A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. | TBD | TBD |
| A reflected XSS vulnerability in the calendar endpoint has been addressed. | TBD | TBD |
| Unauthenticated Local File Inclusion in the zimbraAdmin interface via the "packages" parameter. | CVE-2024-33535 | TBD |
| An XSS vulnerability was observed due to the execution of malicious JavaScript code from an externally shared file via a non-sanitized parameter. | CVE-2024-33536 | TBD |
| An XSS vulnerability in a Calendar invite has been resolved. | CVE-2024-27443 | TBD |

Known Issues

This patch breaks the touch client on Network Edition; see this thread: https://forums.zimbra.org/viewtopic.php?t=72960

Packages

Jira ticket:

The package lineup for this release is:

FOSS:

PackageName                                       -> Version
zimbra-patch                                      ->  8.8.15.1723777774.p46-1
zimbra-mta-patch                                  ->  8.8.15.1723777774.p46-1
zimbra-common-core-jar                            ->  8.8.15.1723726984-1
zimbra-mbox-webclient-war                         ->  8.8.15.1723641096-1
zimbra-mbox-admin-console-war                     ->  8.8.15.1723635850-1

NETWORK:

PackageName                                       -> Version
zimbra-patch                                      ->  8.8.15.1723777774.p46-2

Patch Installation

Please refer to the link below to install Joule 8.8.15 Patch 46:

Patch Installation


Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build
