Zimbra Collaboration Kepler 9.0.0 Patch 30 GA Release
Check out the Security Fixes, What's New. Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues
NOTICE: For PreAuth
A new LC attribute
zimbra_allowed_redirect_url has been introduced to control the PreAuth RedirectURL. By default, the value of the this attribute is blank which means the preauth redirect URL would allow a single URL only from the URL set in
zimbraPublicServiceHostname LDAP attribute. If the preauth redirect URL is different from the URL in
zimbraPublicServiceHostname attribute, then it will allow the URL in
zimbra_allowed_redirect_url. Following are some more details on the LC attribute zimbra_allowed_redirect_url:
1. It accepts a single URL at a time.
2. It allows to redirect the other links under the domain as long as it starts with the domain set in zimbra_allowed_redirect_url attribute. For example, if zimbra_allowed_redirect_url is set to https://wiki.zimbra.com , then PreAuth RedirectURL also allows access to https://wiki.zimbra.com/wiki/Zimbra_Releases.
Change in upgrade process for 9.0.0 Patch 30
Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release.
We have also introduced a new package zimbra-ldap-patch to be installed only on the LDAP node.
Please refer to the Patch Installation steps to install the packages in its order.
Changes required for SSO setup before patch upgrade
Before upgrade, if the zimbraVirtualHostName parameter is not set for the domains that are using SAML and SSO based login, please set by following the instructions:
su - zimbra zmprov md domain_name zimbraVirtualHostName virtual_hostname
|Summary||CVE-ID||CVSS Score||Zimbra Rating|
|Multiple security issues related possibility of RXSS attack related to printing messages and appointments have been fixed.||CVE-2023-24031||TBD||Low|
|The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities||CVE-2023-0286||TBD||Low|
|Strengthened PreAuth servlet to only redirect to admin configured url, which will prevent security issues related to open redirection vulnerabilities.||CVE-2023-24030||TBD||Low|
|Previously, the account status was not validated when sending emails using 2FA. Added additional validations for user accounts to check the account status and allow email operations.||CVE-2023-26562||TBD||Medium|
|Strengthened security of Zimbra product by disallowing usage of some JVM arguments in mailbox manager.||CVE-2023-24032||TBD||Low|
|The Perl compress zlib package has been upgraded to version 2.103-1 to fix out-of-bounds access vulnerability||CVE-2018-25032||7.5||Low|
Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.
- Perl compress zlib package has been upgraded from 2.069 to version 2.103-1
Modern Web App
- Users can now use tag colours for appointments.
- Users can now select year for the Birthday and Anniversary fields in contacts.
- ZCO now supports the use of a partial sync feature during initial and delta/regular sync for Shared Mailbox. An option
-smd <value greater than zero>can be used with the ZmCustomizeMsi.js script. SharedFolderMailCutoffDays
<value greater than zero>attribute is also required to be set in the registry.
- When the timezone is set to ```Asia/Yangon```, the
zmlogswatchctlservices failed to start. The issue has been fixed. ZBUG-3261
- When creating an appointment without a body and sending it to the EWS user, NPE errors were seen and the appointment was not visible to the recipient. The issue has been fixed. ZBUG-3124
- Corrected hardcoded syslog configuration to system defined configuration. ZBUG-3053
- When installing zimbra-patch package, it was redeploying all standard zimlets and overwrote the previously deployed zimlet configurations. The issue has been fixed and the zimlet's are not re-deployed now. ZBUG-2722
Web UX - Classic
- Fixed the issue where external users were not able to login to Classic UI to view shared content.
- Fixed the issue in Classic UI where out of office date was changed when selecting any date in month of February. ZBUG-3252
- Fixed the issue where sometimes appointment dates displayed backwards when calendar appointment is re-opened. ZBUG-2311
Admin Web Console
- User can now add notes on multiple lines in the Admin UI at the path Home > Manage > Accounts > firstname.lastname@example.org > General Information > Notes. ZBUG-3027
- Corrected French translation on Room Finder UI. ZBUG-3002
- The preview is no more offered for documents larger than 10 Mb and images larger than 20 Mb to avoid server resources consumption and possible crashes.
- Now the external restore operation supports the accounts UUID for both the accounts parameter and in an input file.
- The getAvailableAccount command now provides a parameter to generate a file and to choose the headers.
- ExternalRestore follows the order of the accounts provided in the accounts or input_file parameter.
- Underscores have been removed from object storage types such as CustomS3 and ScalityS3. ZCS-12728
- Fixed a bug that caused iOS mobile devices to synchronize replies to calendar appointments multiple times.
- Fixed a bug that caused the exceptions in recurring calendars to be not synchronized properly via EAS.
- When using NG Mobile, the calendar events were not fully synced to the phone in certain scenarios. The issue has been fixed. ZBUG-3001
- While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353) Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602) at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178) at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521) ... 1 more
- From Kepler-Patch-25 onwards, customers using SSO will need to update
zimbraVirtualHostNameattribute for the domains. Please refer to the instructions to update the attribute.
- With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.
To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:
1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true
2. Restart mailboxd service:
su - zimbra zmmailboxdctl restart
- Changes are not synced to Android devices if attendees of an instance in a recurring appointment are modified. - ZBUG-3133.
The package lineup for this release is:
zimbra-patch -> 18.104.22.1686464095.p30-2 zimbra-mta-patch -> 22.214.171.1246044118.p30-1 zimbra-proxy-patch -> 126.96.36.1996044118.p30-1 zimbra-ldap-patch -> 188.8.131.526044118.p30-1 zimbra-mbox-webclient-war -> 184.108.40.2066019954-1 zimbra-common-core-jar -> 220.127.116.116020564-1 zimbra-mbox-admin-console-war -> 18.104.22.1686019859-1 zimbra-mbox-ews-service -> 22.214.171.1246296399-1 zimbra-modern-ui -> 126.96.36.1996380551-1 zimbra-modern-zimlets -> 188.8.131.526380551-1 zimbra-zco -> 184.108.40.2067.1676463975-1 zimbra-network-modules-ng -> 220.127.116.112292651-1 zimbra-zimlet-nextcloud -> 18.104.22.1686031012-1 zimbra-chat -> 22.214.171.1244677981-1 zimbra-drive -> 126.96.36.1998924560-1 zimbra-talk -> 188.8.131.523533079-1 zimbra-connect -> 184.108.40.2065424388-1 zimbra-connect-modern -> 220.127.116.115424388-1 zimbra-docs -> 18.104.22.1683658601-1 zimbra-docs-modern -> 22.214.171.1242998065-1 zimbra-drive-ng -> 126.96.36.1997855796-1 zimbra-drive-modern -> 188.8.131.527855796-1 zimbra-zimlet-auth -> 184.108.40.2062971904-1 zimbra-zimlet-email-templates -> 220.127.116.114020393-1 zimbra-zimlet-signature-template -> 18.104.22.1684021232-1 zimbra-zimlet-voice-message -> 22.214.171.1244021803-1 zimbra-zimlet-webex -> 126.96.36.1994022197-1 zimbra-zimlet-rocketchat -> 188.8.131.524022495-1 zimbra-zimlet-ads -> 184.108.40.2066372360-1 zimbra-zimlet-user-sessions-management -> 220.127.116.116372360-1 zimbra-zimlet-org-chart -> 18.104.22.1686372360-1 zimbra-zimlet-additional-signature-setting -> 22.214.171.1246372360-1 zimbra-zimlet-restore-contacts -> 126.96.36.1996372360-1 zimbra-zimlet-sideloader -> 188.8.131.526372360-1 zimbra-zimlet-set-default-client -> 184.108.40.2066372360-1 zimbra-zimlet-date -> 220.127.116.116372360-1 zimbra-zimlet-privacy-protector -> 18.104.22.1686372360-1 zimbra-zimlet-classic-unsupportedbrowser -> 22.214.171.1246372360-1 zimbra-zimlet-install-pwa -> 126.96.36.1996372360-1 zimbra-zimlet-emptysubject -> 188.8.131.526372360-1 zimbra-zimlet-duplicate-contacts -> 184.108.40.2066372360-1 zimbra-zimlet-secure-mail -> 220.127.116.116372360-1 zimbra-zimlet-web-search -> 18.104.22.1686372360-1 zimbra-zimlet-user-feedback -> 22.214.171.1246372360-1 zimbra-zimlet-calendar-subscription -> 126.96.36.1996372360-1 zimbra-zimlet-briefcase-edit-lool -> 188.8.131.526372360-1 zimbra-zimlet-jitsi -> 184.108.40.2064201804-1 zimbra-zimlet-google-drive -> 220.127.116.114201804-1 zimbra-zimlet-onedrive -> 18.104.22.1684201804-1 zimbra-zimlet-slack -> 22.214.171.1244201804-1 zimbra-zimlet-collaboration-list -> 126.96.36.1994201804-1 zimbra-zimlet-video-call-preferences -> 188.8.131.524201804-1 zimbra-zimlet-zoom -> 184.108.40.2064201804-1 zimbra-zimlet-migration -> 220.127.116.114201804-1 zimbra-zimlet-dropbox -> 18.104.22.1684201804-1 zimbra-perl-compress-raw-zlib -> 2.103-1zimbra8.7b1 zimbra-perl-date-manip -> 6.90-1zimbra8.7b1 zimbra-perl -> 1.0.7-1zimbra8.7b1 (For RHEL8, UBUNTU20 : 1.0.8-1zimbra8.7b1 ) zimbra-openssl -> 1.1.1t-1zimbra8.7b4 zimbra-core-components -> 3.0.18-1zimbra8.8b1 zimbra-ldap-components -> 2.0.12-1zimbra8.8b1
Please refer to below link to install Kepler 9.0.0 Patch 30: