Zimbra Releases/9.0.0/P28

Zimbra Collaboration Kepler 9.0.0 Patch 28 GA Release

Check out the Security Fixes, What's New. Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues

Pre-requisite identified for manual installation of pcre2 package

pcre2 package was identified as a dependent package for apache, spell and converted components. We recommend installing the pcre2 package manually before upgrading to this patch. Following are the instructions:

For Ubuntu, execute the command as a root user:

apt-get install libpcre2-8-0

For RHEL/CentOS, execute the command as a root user:

yum install pcre2

Change in upgrade process for 9.0.0 Patch 28

Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release.

We have also introduced a new package zimbra-ldap-patch to be installed only on the LDAP node.

Please refer to the Patch Installation steps to install the packages in its order.

Changes required for SSO setup before patch upgrade

Before upgrade, if the zimbraVirtualHostName parameter is not set for the domains that are using SAML and SSO based login, please set by following the instructions:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname

Security Fixes

Summary CVE-ID CVSS Score Zimbra Rating
XSS can occur in Classic UI login page by injecting arbitrary javascript code CVE-2022-45911 TBD Low
RCE through ClientUploader from authenticated admin user. CVE-2022-45912 TBD Medium
XSS can occur via one of attribute in webmail urls, leading to information disclosure. CVE-2022-45913 TBD Medium
The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerabilities. CVE-2022-26377 7.5 Medium
The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities. CVE-2022-20770


YUI dependency is removed from WebClient and Admin Console. TBD TBD Medium

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.

What's New


  • The date header has been added to the mail notification emails.
  • Timezone data has been updated with the latest changes of tzdata2022c.


  • ZCO is now supported on Microsoft Outlook 2021.

Fixed Issues

NG Admin

  • NG Tab was not visible in Admin Console on a setup where Zimbra is not installed in the default location. The issue has been fixed - ZBUG-2991.


  • The doMoveBlobs operation now ignores accounts deleted after the operation starts.
  • Software now throws an exception if a remote root path is to be appended to the bulk deletion files of a remote volume, and skips the append to avoid unwanted loss of data.

NG Mobile

  • Fixed a bug that caused a single instance of an appointment to be moved to the original time in the organizer’s calendar when the attendee accepts the invitation.
  • Fixed a bug that caused the Outlook app synchronization to start looping when using the remote search.
  • Fixed a bug that prevented the attendees to receive an update when removing them from an appointment so the appointment was still shown in their calendar.
  • Fixed a bug that made the exceptions to recurring events not being synchronized - ZBUG-3011, ZBUG-3016.


  • JSESSIONID is now marked with HttpOnly and secure flags as true - ZBUG-2341.
  • Mails having unclosed comment tags were not displayed when OWASP sanitization was enabled. In the previous patch, a local config zimbra_strict_unclosed_comment_tag was introduced which fixed the issue. The default value is true which will not display emails having an unclosed comment tag. The emails with unclosed comment tags will be displayed if set to false - ZBUG-2639, ZBUG-2878.

Web UX - Classic

  • Assigning to newly created tag to a selection of files in Briefcase, would result in clearing out the selection. With these release this selection stays even after assigning a newly created tag.
  • Tasks section did not work after installing 9.0.0 Kepler-Patch-26. This issue has been fixed - ZBUG-2958.

Web UX - Modern

  • When using Zimbra Docs, the documents were not getting previewed. The issue has been fixed - ZBUG-2909.


  • When configuring ZCO through the Zimbra profile, the From Address was displayed as "Zimbra Collaboration Server" instead of the configured account name. The issue has been fixed.
  • Intermittently, Outlook would not sync emails with large metadata. The issue has been fixed - ZBUG-2984.

Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart

NG Mobile

  • Changes are not synced to Android devices if attendees of an instance in a recurring appointment are modified. - ZBUG-3133.


The package lineup for this release is:

zimbra-patch                                      ->
zimbra-mta-patch                                  ->
zimbra-proxy-patch                                ->
zimbra-ldap-patch                                 ->
zimbra-timezone-data                              ->
zimbra-mbox-admin-console-war                     ->
zimbra-mbox-webclient-war                         ->
zimbra-common-core-jar                            ->
zimbra-zco                                        ->
zimbra-unbound                                    -> 1.11.0-1zimbra8.7b4
zimbra-dnscache-components                        -> 1.0.4-1zimbra8.7b1
zimbra-httpd                                      -> 2.4.54-1zimbra8.7b3
zimbra-apache-components                          -> 2.0.8-1zimbra8.8b1
zimbra-spell-components                           -> 2.0.9-1zimbra8.8b1
zimbra-clamav                                     ->
zimbra-mta-components                             -> 1.0.18-1zimbra8.8b1
zimbra-modern-ui                                  ->
zimbra-modern-zimlets                             ->
zimbra-zimlet-ads                                 ->
zimbra-zimlet-date                                ->
zimbra-zimlet-secure-mail                         ->
zimbra-zimlet-briefcase-edit-lool                 ->
zimbra-network-modules-ng                         ->



Patch Installation

Please refer to below link to install Kepler 9.0.0 Patch 28:

Patch Installation

Jump to: navigation, search