Zimbra Releases/9.0.0/P30

Revision as of 14:28, 16 March 2023 by Deepak.gautam (talk | contribs) (Update PreAuth Notes)

Zimbra Collaboration Kepler 9.0.0 Patch 30 GA Release

Check out the Security Fixes, What's New. Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues

NOTICE: For PreAuth

A new LC attribute zimbra_allowed_redirect_url has been introduced to control the PreAuth RedirectURL. By default, the value of the this attribute is blank which means the preauth redirect URL would allow a single URL only from the URL set in zimbraPublicServiceHostname LDAP attribute. If the preauth redirect URL is different from the URL in zimbraPublicServiceHostname attribute, then it will allow the URL in zimbra_allowed_redirect_url. Following are some more details on the LC attribute zimbra_allowed_redirect_url:

1. It accepts a single URL at a time.

2. It allows to redirect the other links under the domain as long as it starts with the domain set in zimbra_allowed_redirect_url attribute. For example, if zimbra_allowed_redirect_url is set to https://wiki.zimbra.com , then PreAuth RedirectURL also allows access to https://wiki.zimbra.com/wiki/Zimbra_Releases.

Change in upgrade process for 9.0.0 Patch 30

Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release.

We have also introduced a new package zimbra-ldap-patch to be installed only on the LDAP node.

Please refer to the Patch Installation steps to install the packages in its order.

Changes required for SSO setup before patch upgrade

Before upgrade, if the zimbraVirtualHostName parameter is not set for the domains that are using SAML and SSO based login, please set by following the instructions:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname

Security Fixes

Summary CVE-ID CVSS Score Zimbra Rating
Multiple security issues related possibility of RXSS attack related to printing messages and appointments have been fixed. CVE-2023-24031 TBD Low
The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities CVE-2023-0286 TBD Low
Strengthened PreAuth servlet to only redirect to admin configured url, which will prevent security issues related to open redirection vulnerabilities. CVE-2023-24030 TBD Low
Previously, the account status was not validated when sending emails using 2FA. Added additional validations for user accounts to check the account status and allow email operations. CVE-2023-26562 TBD Medium
Strengthened security of Zimbra product by disallowing usage of some JVM arguments in mailbox manager. CVE-2023-24032 TBD Low
The Perl compress zlib package has been upgraded to version 2.103-1 to fix out-of-bounds access vulnerability CVE-2018-25032 7.5 Low

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.

What's New

Package Upgrade

  • Perl compress zlib package has been upgraded from 2.069 to version 2.103-1

Modern Web App


  • Users can now use tag colours for appointments.


  • Users can now select year for the Birthday and Anniversary fields in contacts.


  • ZCO now supports the use of a partial sync feature during initial and delta/regular sync for Shared Mailbox. An option -smd <value greater than zero> can be used with the ZmCustomizeMsi.js script. SharedFolderMailCutoffDays <value greater than zero> attribute is also required to be set in the registry.

Fixed Issues


  • When the timezone is set to ```Asia/Yangon```, the zmswatch and zmlogswatchctl services failed to start. The issue has been fixed. ZBUG-3261
  • When creating an appointment without a body and sending it to the EWS user, NPE errors were seen and the appointment was not visible to the recipient. The issue has been fixed. ZBUG-3124
  • Corrected hardcoded syslog configuration to system defined configuration. ZBUG-3053
  • When installing zimbra-patch package, it was redeploying all standard zimlets and overwrote the previously deployed zimlet configurations. The issue has been fixed and the zimlet's are not re-deployed now. ZBUG-2722

Web UX - Classic

  • Fixed the issue where external users were not able to login to Classic UI to view shared content.
  • Fixed the issue in Classic UI where out of office date was changed when selecting any date in month of February. ZBUG-3252
  • Fixed the issue where sometimes appointment dates displayed backwards when calendar appointment is re-opened. ZBUG-2311

Admin Web Console

  • User can now add notes on multiple lines in the Admin UI at the path Home > Manage > Accounts > user@domain.com > General Information > Notes. ZBUG-3027


  • Corrected French translation on Room Finder UI. ZBUG-3002

Zimbra Drive

  • The preview is no more offered for documents larger than 10 Mb and images larger than 20 Mb to avoid server resources consumption and possible crashes.

NG Backup

  • Now the external restore operation supports the accounts UUID for both the accounts parameter and in an input file.
  • The getAvailableAccount command now provides a parameter to generate a file and to choose the headers.
  • ExternalRestore follows the order of the accounts provided in the accounts or input_file parameter.


  • Underscores have been removed from object storage types such as CustomS3 and ScalityS3. ZCS-12728

NG Mobile

  • Fixed a bug that caused iOS mobile devices to synchronize replies to calendar appointments multiple times.
  • Fixed a bug that caused the exceptions in recurring calendars to be not synchronized properly via EAS.
  • When using NG Mobile, the calendar events were not fully synced to the phone in certain scenarios. The issue has been fixed. ZBUG-3001

Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart

NG Mobile

  • Changes are not synced to Android devices if attendees of an instance in a recurring appointment are modified. - ZBUG-3133.


The package lineup for this release is:

zimbra-patch                                      ->
zimbra-mta-patch                                  ->
zimbra-proxy-patch                                ->
zimbra-ldap-patch                                 ->
zimbra-mbox-webclient-war                         ->
zimbra-common-core-jar                            ->
zimbra-mbox-admin-console-war                     ->
zimbra-mbox-ews-service                           ->
zimbra-modern-ui                                  ->
zimbra-modern-zimlets                             ->
zimbra-zco                                        ->
zimbra-network-modules-ng                         ->
zimbra-zimlet-nextcloud                           ->
zimbra-chat                                       ->
zimbra-drive                                      ->
zimbra-talk                                       ->
zimbra-connect                                    ->
zimbra-connect-modern                             ->
zimbra-docs                                       ->
zimbra-docs-modern                                ->
zimbra-drive-ng                                   ->
zimbra-drive-modern                               ->
zimbra-zimlet-auth                                ->
zimbra-zimlet-email-templates                     ->
zimbra-zimlet-signature-template                  ->
zimbra-zimlet-voice-message                       ->
zimbra-zimlet-webex                               ->
zimbra-zimlet-rocketchat                          ->
zimbra-zimlet-ads                                 ->
zimbra-zimlet-user-sessions-management            ->
zimbra-zimlet-org-chart                           ->
zimbra-zimlet-additional-signature-setting        ->
zimbra-zimlet-restore-contacts                    ->
zimbra-zimlet-sideloader                          ->
zimbra-zimlet-set-default-client                  ->
zimbra-zimlet-date                                ->
zimbra-zimlet-privacy-protector                   ->
zimbra-zimlet-classic-unsupportedbrowser          ->
zimbra-zimlet-install-pwa                         ->
zimbra-zimlet-emptysubject                        ->
zimbra-zimlet-duplicate-contacts                  ->
zimbra-zimlet-secure-mail                         ->
zimbra-zimlet-web-search                          ->
zimbra-zimlet-user-feedback                       ->
zimbra-zimlet-calendar-subscription               ->
zimbra-zimlet-briefcase-edit-lool                 ->
zimbra-zimlet-jitsi                               ->
zimbra-zimlet-google-drive                        ->
zimbra-zimlet-onedrive                            ->
zimbra-zimlet-slack                               ->
zimbra-zimlet-collaboration-list                  ->
zimbra-zimlet-video-call-preferences              ->
zimbra-zimlet-zoom                                ->
zimbra-zimlet-migration                           ->
zimbra-zimlet-dropbox                             ->
zimbra-perl-compress-raw-zlib                     ->  2.103-1zimbra8.7b1
zimbra-perl-date-manip                            ->  6.90-1zimbra8.7b1
zimbra-perl                                       ->  1.0.7-1zimbra8.7b1 (For RHEL8, UBUNTU20 : 1.0.8-1zimbra8.7b1 )
zimbra-openssl                                    ->  1.1.1t-1zimbra8.7b4
zimbra-core-components                            ->  3.0.18-1zimbra8.8b1
zimbra-ldap-components                            ->  2.0.12-1zimbra8.8b1

Patch Installation

Please refer to below link to install Kepler 9.0.0 Patch 30:

Patch Installation

Jump to: navigation, search