Zimbra Collaboration Kepler 9.0.0 Patch 28 GA Release
Check out the Security Fixes, What's New. Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues
Pre-requisite identified for manual installation of pcre2 package
pcre2 package was identified as a dependent package for apache, spell and converted components. We recommend installing the pcre2 package manually before upgrading to this patch. Following are the instructions:
For Ubuntu, execute the command as a
apt-get install libpcre2-8-0
For RHEL/CentOS, execute the command as a
yum install pcre2
Change in upgrade process for 9.0.0 Patch 28
Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release.
We have also introduced a new package zimbra-ldap-patch to be installed only on the LDAP node.
Please refer to the Patch Installation steps to install the packages in its order.
Changes required for SSO setup before patch upgrade
Before upgrade, if the zimbraVirtualHostName parameter is not set for the domains that are using SAML and SSO based login, please set by following the instructions:
su - zimbra zmprov md domain_name zimbraVirtualHostName virtual_hostname
|Summary||CVE-ID||CVSS Score||Zimbra Rating|
|RCE through ClientUploader from authenticated admin user.||CVE-2022-45912||TBD||Medium|
|XSS can occur via one of attribute in webmail urls, leading to information disclosure.||CVE-2022-45913||TBD||Medium|
|The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerabilities.||CVE-2022-26377||7.5||Medium|
|The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities.||CVE-2022-20770||TBD||Low|
|YUI dependency is removed from WebClient and Admin Console.||TBD||TBD||Medium|
Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.
- The date header has been added to the mail notification emails.
- Timezone data has been updated with the latest changes of tzdata2022c.
- ZCO is now supported on Microsoft Outlook 2021.
- NG Tab was not visible in Admin Console on a setup where Zimbra is not installed in the default location. The issue has been fixed - ZBUG-2991.
- The doMoveBlobs operation now ignores accounts deleted after the operation starts.
- Software now throws an exception if a remote root path is to be appended to the bulk deletion files of a remote volume, and skips the append to avoid unwanted loss of data.
- Fixed a bug that caused a single instance of an appointment to be moved to the original time in the organizer’s calendar when the attendee accepts the invitation.
- Fixed a bug that caused the Outlook app synchronization to start looping when using the remote search.
- Fixed a bug that prevented the attendees to receive an update when removing them from an appointment so the appointment was still shown in their calendar.
- Fixed a bug that made the exceptions to recurring events not being synchronized - ZBUG-3011, ZBUG-3016.
- JSESSIONID is now marked with HttpOnly and secure flags as true - ZBUG-2341.
- Mails having unclosed comment tags were not displayed when OWASP sanitization was enabled. In the previous patch, a local config
zimbra_strict_unclosed_comment_tagwas introduced which fixed the issue. The default value is true which will not display emails having an unclosed comment tag. The emails with unclosed comment tags will be displayed if set to false - ZBUG-2639, ZBUG-2878.
Web UX - Classic
- Assigning to newly created tag to a selection of files in Briefcase, would result in clearing out the selection. With these release this selection stays even after assigning a newly created tag.
- Tasks section did not work after installing 9.0.0 Kepler-Patch-26. This issue has been fixed - ZBUG-2958.
Web UX - Modern
- When using Zimbra Docs, the documents were not getting previewed. The issue has been fixed - ZBUG-2909.
- When configuring ZCO through the Zimbra profile, the From Address was displayed as "Zimbra Collaboration Server" instead of the configured account name. The issue has been fixed.
- Intermittently, Outlook would not sync emails with large metadata. The issue has been fixed - ZBUG-2984.
- While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353) Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602) at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178) at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521) ... 1 more
- From Kepler-Patch-25 onwards, customers using SSO will need to update
zimbraVirtualHostNameattribute for the domains. Please refer to the instructions to update the attribute.
- With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.
To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:
1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true
2. Restart mailboxd service:
su - zimbra zmmailboxdctl restart
- Changes are not synced to Android devices if attendees of an instance in a recurring appointment are modified. - ZBUG-3133.
The package lineup for this release is:
zimbra-patch -> 184.108.40.2067906330.p28-2 zimbra-mta-patch -> 220.127.116.117906330.p28-1 zimbra-proxy-patch -> 18.104.22.1687906330.p28-1 zimbra-ldap-patch -> 22.214.171.1247906330.p28-1 zimbra-timezone-data -> 126.96.36.1997816334-1 zimbra-mbox-admin-console-war -> 188.8.131.527819958-1 zimbra-mbox-webclient-war -> 184.108.40.2067822297-1 zimbra-common-core-jar -> 220.127.116.117823294-1 zimbra-zco -> 18.104.22.1684.1667892683-1 zimbra-unbound -> 1.11.0-1zimbra8.7b4 zimbra-dnscache-components -> 1.0.4-1zimbra8.7b1 zimbra-httpd -> 2.4.54-1zimbra8.7b3 zimbra-apache-components -> 2.0.8-1zimbra8.8b1 zimbra-spell-components -> 2.0.9-1zimbra8.8b1 zimbra-clamav -> 0.105.1.2-1zimbra8.8b3 zimbra-mta-components -> 1.0.18-1zimbra8.8b1 zimbra-modern-ui -> 22.214.171.1246092865-1 zimbra-modern-zimlets -> 126.96.36.1996092865-1 zimbra-zimlet-ads -> 188.8.131.527807582-1 zimbra-zimlet-date -> 184.108.40.2067807582-1 zimbra-zimlet-secure-mail -> 220.127.116.117807582-1 zimbra-zimlet-briefcase-edit-lool -> 18.104.22.1687807582-1 zimbra-network-modules-ng -> 22.214.171.1247816892-1
Please refer to below link to install Kepler 9.0.0 Patch 28: