Zimbra Releases/10.0.11

Zimbra Collaboration Daffodil 10.0.11 Patch Release

Release Date: November 12, 2024


IMPORTANT: Admin Account authentication now honors zimbraAuthFallbackToLocal when using external/custom authentication. See: https://blog.zimbra.com/2024/04/admin-account-authentication-now-honors-zimbraauthfallbacktolocal/

Check out the Security Fixes section for this version of Zimbra Collaboration. Please refer to the Patch Installation steps for patch installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.


IMPORTANT: Instructions to add Zimbra's onlyoffice repository so that the zimbra-onlyoffice package can be installed.

Please note that there is no change in the onlyoffice package itself. Add Zimbra's onlyoffice repository to the server before the Zimbra Daffodil v10 installation/upgrade. These repositories will be included by default in an upcoming Zimbra Daffodil version.

https://repo.zimbra.com/apt/onlyoffice
https://repo.zimbra.com/rpm/onlyoffice

Add the repository to the package manager configuration for your distribution, then import Zimbra's package-signing key so that the packages can be verified:

Redhat

RHEL7

$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel7
gpgcheck=1
enabled=1
EOF

RHEL8

$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel8
gpgcheck=1
enabled=1
EOF
Then, for RHEL7 as well as RHEL8 (gpgcheck=1 requires the key), import Zimbra's package-signing key and refresh the repository metadata:

rpm --import https://files.zimbra.com/downloads/security/public.key
yum --disablerepo=* --enablerepo=zimbra-onlyoffice clean metadata
yum check-update --disablerepo=* --enablerepo=zimbra-onlyoffice --noplugins


Ubuntu

UBUNTU18

$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
EOF

UBUNTU20

$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
EOF
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 9BE6ED79
apt-get update

Note that 9BE6ED79 is a short (32-bit) key ID, which is not collision resistant: anyone can generate a key with the same short ID and upload it to a keyserver. After the import, check the full fingerprint (apt-key adv --fingerprint 9BE6ED79) against Zimbra's published packaging key, the one the RHEL steps fetch from https://files.zimbra.com/downloads/security/public.key, before relying on it. apt-key is deprecated on newer Ubuntu releases but still works on 18.04 and 20.04.

IMPORTANT: If the steps above were missed, OnlyOffice can be installed manually as follows.

  • As the root user, run the commands below (this assumes Zimbra is already installed; the script is fetched over HTTPS from the pinned 10.0.9 tag and then executed as root, so do not substitute an unpinned URL):
$ wget -O /opt/zimbra/bin/zmonlyofficeinstall https://raw.githubusercontent.com/Zimbra/zm-core-utils/10.0.9/src/bin/zmonlyofficeinstall
$ chmod 755 /opt/zimbra/bin/zmonlyofficeinstall
$ /opt/zimbra/bin/zmonlyofficeinstall

IMPORTANT: Zimbra OpenSSL with default FIPS Configuration

  • Please be advised that TLS 1.2 is the minimum supported version when FIPS is used with OpenSSL 3.0. We recommend running Zimbra with a strong TLS configuration; follow the instructions in Cipher-suites-wiki to set ciphers appropriate to the current versions of openssl, nginx and postfix.
  • From this patch onward, Zimbra's OpenSSL is configured with FIPS compliance enabled by default. No action is required unless you run into issues, in which case you can switch to the non-FIPS provider as described below.
  • Run the commands below to enable or disable the FIPS provider. The change must be made on all servers, and it only takes effect after the services are restarted, because each process reads openssl.cnf when it starts.

Disable FIPS provider:

As the root user, take a backup of openssl.cnf and then install the non-FIPS configuration:

cd /opt/zimbra/common/etc/ssl
cp openssl.cnf <backup-path>/openssl.cnf
cp openssl-source.cnf openssl.cnf

Verify that the FIPS provider is disabled (the fips provider must not appear in the output):

/opt/zimbra/common/bin/openssl list --providers

As the zimbra user, restart the services:

su - zimbra
zmcontrol restart

Enable FIPS provider:

As the root user, take a backup of openssl.cnf and then install the FIPS configuration:

cd /opt/zimbra/common/etc/ssl
cp openssl.cnf <backup-path>/openssl.cnf
cp openssl-fips.cnf openssl.cnf

Verify that the FIPS provider is enabled (the fips provider must appear in the output):

/opt/zimbra/common/bin/openssl list --providers

As the zimbra user, restart the services:

su - zimbra
zmcontrol restart
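The two procedures above, as one script. This is an added example, not a Zimbra tool: it does what the notes describe (back up openssl.cnf, copy the chosen template over it, confirm the result with openssl list -providers, restart as the zimbra user) but it refuses to restart and restores the backup when the provider list does not match the requested state, so a bad copy never reaches a running service. The paths are the ones the notes use and are assumptions; ZM_SSL_DIR and ZM_OPENSSL can be overridden to exercise the file handling on a non-Zimbra host.

```shell
#!/bin/sh
# Added example, not part of the Zimbra release notes or Zimbra's own tools.
# Toggles the OpenSSL FIPS provider as the notes describe, with a timestamped
# backup, a verification step, and a restart only if the provider list matches
# the requested state (otherwise the backup is restored and nothing restarts).
# Assumptions: the Zimbra paths below; both can be overridden for testing.

ZM_SSL_DIR="${ZM_SSL_DIR:-/opt/zimbra/common/etc/ssl}"
ZM_OPENSSL="${ZM_OPENSSL:-/opt/zimbra/common/bin/openssl}"

# fips_listed: reads `openssl list -providers` output on stdin and succeeds if
# a provider named "fips" is present. Provider names are the two-space-indented
# lines; their attributes (name:, version:, status:) are indented further.
fips_listed() {
    grep -Eq '^  fips[[:space:]]*$'
}

# select_openssl_cnf MODE DIR: back up DIR/openssl.cnf, then copy the template
# for MODE (enable -> openssl-fips.cnf, disable -> openssl-source.cnf) over it.
# Prints the backup path so the caller can roll back.
select_openssl_cnf() {
    case $1 in
        enable)  src="$2/openssl-fips.cnf" ;;
        disable) src="$2/openssl-source.cnf" ;;
        *) echo "usage: select_openssl_cnf enable|disable DIR" >&2; return 2 ;;
    esac
    if [ ! -f "$src" ]; then
        echo "missing template: $src" >&2
        return 1
    fi
    if [ ! -f "$2/openssl.cnf" ]; then
        echo "no $2/openssl.cnf to back up; refusing to continue" >&2
        return 1
    fi
    backup="$2/openssl.cnf.bak.$(date +%Y%m%d%H%M%S).$$"
    cp -p "$2/openssl.cnf" "$backup"
    cp -p "$src" "$2/openssl.cnf"
    printf '%s\n' "$backup"
}

# fips_state MODE: succeeds if the provider list reported by the Zimbra openssl
# matches MODE (fips listed for enable, absent for disable).
fips_state() {
    if "$ZM_OPENSSL" list -providers | fips_listed; then
        [ "$1" = enable ]
    else
        [ "$1" = disable ]
    fi
}

# fips_toggle enable|disable: the full procedure from the notes, run as root.
fips_toggle() {
    backup=$(select_openssl_cnf "$1" "$ZM_SSL_DIR") || return $?
    echo "openssl.cnf replaced; previous copy saved at $backup"
    if fips_state "$1"; then
        echo "verified provider list for '$1'; restarting Zimbra services"
        su - zimbra -c 'zmcontrol restart'
    else
        echo "provider list does not match '$1'; restoring backup, not restarting" >&2
        cp -p "$backup" "$ZM_SSL_DIR/openssl.cnf"
        return 1
    fi
}

# Only act when a mode is given on the command line, e.g.: sh zm_fips_toggle.sh disable
if [ $# -gt 0 ]; then
    fips_toggle "$1"
fi
```

Run it as root on every server, as the notes require. The verification runs the openssl binary with the freshly copied configuration, so it catches a missing or unreadable template before any service is restarted with it.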

NOTICE: OpenJDK cacert Package Upgrade

Please follow the instructions:

Install zimbra-core-components before the patch upgrade on the mailstore node.
apt-get install zimbra-core-components (For Ubuntu)
yum install zimbra-core-components (For RHEL/Centos/Rocky Linux)

If the following error is encountered while deploying zimlets:

Enabling Zimlet zimbra-zimlet-secure-mail
ERROR: zclient.IO_ERROR (invoke PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, server:  localhost) (cause: javax.net.ssl.SSLHandshakeException PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to  requested target)
*** zimbra-zimlet-secure-mail Installation Completed. ***
*** Restart the mailbox service as zimbra user. Run ***

then redeploy the zimlets that failed during the patch upgrade:

zmzimletctl -l deploy <zimlet.zip file name>


Security Fixes

Summary | CVE-ID | CVSS Score
A Local File Inclusion (LFI) vulnerability in the /h/rest endpoint, which allowed authenticated remote attackers holding a valid auth token to read sensitive files under the WebRoot, has been fixed to prevent unauthorized file access. | |
An XSS vulnerability in the /h/rest endpoint, exploitable by authenticated remote attackers holding a valid auth token, has been fixed to prevent arbitrary JavaScript execution. | |
The OpenJDK package has been upgraded to version 17.0.12 to fix multiple vulnerabilities | CVE-2023-22067 |
The Apache package has been upgraded to version 2.4.62 to fix multiple vulnerabilities | CVE-2023-38709 |
The ClamAV package has been upgraded to version 1.0.6 to fix multiple vulnerabilities | CVE-2024-20328 |

What's New

Package Upgrade

  • The Apache package has been upgraded from 2.4.57 to 2.4.62
  • The ClamAV package has been upgraded from 1.0.1 to 1.0.6
  • The OpenJDK package has been upgraded from 17.0.8 to 17.0.12

Fixed Issues

Zimbra Collaboration

  • When a draft created in the Web App had a subject and body containing special characters (Č, ć, ž, š, đ), was synced to Gmail (with the account configured there via ActiveSync), and was then edited in Gmail, unexpected characters (e.g., ?) appeared when it synced back to ZWC. The issue has been fixed and the characters now appear correctly.
  • Autocomplete now displays correct results when typing the initials of a user.
  • When using the external warning feature, some emails were not displayed correctly because the Content-Type header parameters were emitted in the wrong order. The issue has been fixed.
  • When using SSDB, the user's last login details are now updated correctly.
  • Due to incorrect handling of the "X-Forwarded-For" header, after repeated login failures the server suspended the wrong IP address (an entry from the header rather than the real client), which also meant an attacker could steer the lockout onto an address of their choosing. The issue has been fixed and the correct IP address is now suspended.
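The X-Forwarded-For fix above is about which address a lockout gets attributed to. As an added illustration (not Zimbra's code, and not a description of how the server implements the fix), the following POSIX shell function shows the attribution rule a proxy-fronted service should apply before counting a login failure against an address: walk the header from the right, discard hops that belong to your own proxies, and take the first untrusted hop as the client. The trusted-proxy list passed in is an assumed input standing in for the deployment's real list (Zimbra keeps its own in the zimbraMailTrustedIP attribute); the addresses used are constructed from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not Zimbra's code: the attribution rule a proxy-fronted
# service should use before it counts a login failure against an address.
#
# client_ip XFF REMOTE_ADDR TRUSTED_PROXIES
#   XFF             value of the X-Forwarded-For header ("" if absent)
#   REMOTE_ADDR     peer address of the TCP connection
#   TRUSTED_PROXIES comma-separated addresses of your own proxies (assumed input)
#
# Each proxy appends the address it saw to the header, so only the rightmost
# entries come from hosts you control; everything to the left of them is
# whatever the client chose to send. Walk from the right, skip trusted proxy
# hops, and take the first untrusted hop as the client. If REMOTE_ADDR itself
# is not a trusted proxy, the client connected directly and the whole header
# is attacker-supplied, so it is ignored and REMOTE_ADDR is the client.
client_ip() {
    awk -v xff="$1" -v remote="$2" -v trusted="$3" 'BEGIN {
        n = split(xff, hop, ",")
        hop[++n] = remote                       # the TCP peer is the last hop
        m = split(trusted, t, ",")
        for (i = 1; i <= m; i++) { gsub(/[[:space:]]/, "", t[i]); ok[t[i]] = 1 }
        for (i = n; i >= 1; i--) {
            h = hop[i]; gsub(/[[:space:]]/, "", h)
            if (h != "" && !(h in ok)) { print h; exit }
        }
        print remote                            # every hop was one of ours
    }'
}

# Worked cases (constructed addresses):
#   client_ip "203.0.113.7, 10.0.0.5" 10.0.0.5 10.0.0.5          -> 203.0.113.7
#   client_ip "198.51.100.1, 203.0.113.7" 10.0.0.5 10.0.0.5      -> 203.0.113.7  (spoofed left entry ignored)
#   client_ip "198.51.100.1" 203.0.113.7 10.0.0.5                -> 203.0.113.7  (direct connection, header ignored)
#   client_ip "" 10.0.0.5 10.0.0.5                               -> 10.0.0.5     (no header; peer is a proxy)
```

The buggy behaviour the release note describes corresponds to taking the leftmost entry (or the header as a whole) at face value: a client can then put any address it likes there and have the lockout land on it, while its own address is never suspended.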


Modern Web App

Mail

  • When viewing a message sent to a distribution list, the distribution list was displayed twice. The issue has been fixed.


Briefcase

  • A newly created sub-folder was displayed twice instead of once. The issue has been resolved.


Packages

The package lineup for this release is:

zimbra-patch                                      ->  10.0.11.1729148286-2
zimbra-mta-patch                                  ->  10.0.11.1728907197-1
zimbra-proxy-patch                                ->  10.0.11.1728907197-1
zimbra-ldap-patch                                 ->  10.0.11.1728907197-1
zimbra-onlyoffice-patch                           ->  10.0.11.1728907197-1
zimbra-mbox-webclient-war                         ->  10.0.11.1728629730-1
zimbra-common-core-jar                            ->  10.0.11.1728587363-1
zimbra-mbox-ews-service                           ->  10.0.11.1728584882-1
zimbra-httpd                                      ->  2.4.62-1zimbra8.7b5
zimbra-apache-components                          ->  2.0.13-1zimbra8.8b1
zimbra-spell-components                           ->  2.0.14-1zimbra8.8b1 ( RHEL8, UBUNTU20: 2.0.15-1zimbra8.8b1 )
zimbra-clamav                                     ->  1.0.6-1zimbra8.8b4
zimbra-mta-components                             ->  10.0.0-1zimbra8.8b1
zimbra-openjdk                                    ->  17.0.12-1zimbra8.8b1
zimbra-openjdk-cacerts                            ->  1.0.11-1zimbra8.7b1
zimbra-core-components                            ->  10.0.0-1zimbra10.0b1
zimbra-ldap-components                            ->  10.0.0-1zimbra10.0b1
zimbra-modern-ui                                  ->  4.40.1.1728630836-1
zimbra-modern-zimlets                             ->  4.40.1.1728630836-1

Patch Installation

Please refer to below link to install 10.0.11:

Patch Installation


Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build
