Zimbra Releases/10.0.14
Zimbra Collaboration Daffodil 10.0.14 Patch Release
Release Date: May 15, 2025
End of Life (EOL) Notice - ZCS 10.0
ZCS 10.0 is set to reach End of General Support on June 30, 2025. No further updates will be provided after this date. Customers using these versions are advised to plan their migration to the 10.1 version to ensure continued security updates and access to the latest features.
For assistance during this transition, our support team is available to address any inquiries.
10.1 is the active and supported version.
Things to know before you upgrade
Changes to SOAP API
The ChangePassword SOAP API has changed. Please refer to the API reference documentation. If you have a custom auth implementation that uses ChangePassword, please update it to support the new API changes.
IMPORTANT: Admin Account authentication now honors zimbraAuthFallbackToLocal when using external/custom authentication. See: https://blog.zimbra.com/2024/04/admin-account-authentication-now-honors-zimbraauthfallbacktolocal/
Check out the Security Fixes sections for this version of Zimbra Collaboration. Please refer to the Patch Installation steps for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.
IMPORTANT: Instructions to update Zimbra's onlyoffice repository for installing zimbra-onlyoffice package.
Please note that there is no change in the onlyoffice package. Add Zimbra's onlyoffice repository to the server before Zimbra Daffodil v10 installation/upgrade. These repos will be included by default in an upcoming Zimbra Daffodil version.
https://repo.zimbra.com/apt/onlyoffice
https://repo.zimbra.com/rpm/onlyoffice
You must add your local repository to your RHEL/CentOS configuration:
Redhat
RHEL7
$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel7
gpgcheck=1
enabled=1
EOF
RHEL8
$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel8
gpgcheck=1
enabled=1
EOF
rpm --import https://files.zimbra.com/downloads/security/public.key
yum --disablerepo=* --enablerepo=zimbra-onlyoffice clean metadata
yum check-update --disablerepo=* --enablerepo=zimbra-onlyoffice --noplugins
Ubuntu
UBUNTU18
$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
EOF
UBUNTU20
$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
EOF
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 9BE6ED79
apt-get update
IMPORTANT: In case the above steps were missed for the Onlyoffice installation, the manual installation steps are as follows.
- As root user, run the commands below (assuming Zimbra is already installed):
$ wget -O /opt/zimbra/bin/zmonlyofficeinstall https://raw.githubusercontent.com/Zimbra/zm-core-utils/10.0.9/src/bin/zmonlyofficeinstall
$ chmod 755 /opt/zimbra/bin/zmonlyofficeinstall
$ /opt/zimbra/bin/zmonlyofficeinstall
IMPORTANT: Zimbra OpenSSL with default FIPS Configuration
- Please be advised that TLS 1.2 is the minimum supported version if FIPS is being used with OpenSSL 3.0. We recommend using Zimbra with a strong TLS configuration for increased security. Please follow the instructions in Cipher-suites-wiki to set the correct ciphers for the current versions of openssl, nginx and postfix.
- From this patch going forward, Zimbra OpenSSL will be configured to work with FIPS compliance enabled by default. You do not need to take any action. If you run into issues, you can switch to the non-FIPS provider as follows:
- Run the commands below to enable/disable FIPS providers on all servers.
Disable FIPS provider:
As root user run below commands
Take a backup of openssl.cnf:
cd /opt/zimbra/common/etc/ssl
cp openssl.cnf <backup-path>/openssl.cnf
Copy the openssl-source.cnf file:
cd /opt/zimbra/common/etc/ssl
cp openssl-source.cnf openssl.cnf
Verify that the FIPS provider is disabled. Run the command below and verify that the fips provider is not listed:
/opt/zimbra/common/bin/openssl list --providers
As zimbra user, run the commands below:
su - zimbra
zmcontrol restart
Enable FIPS provider:
As root user run below commands
Take a backup of openssl.cnf:
cd /opt/zimbra/common/etc/ssl
cp openssl.cnf <backup-path>/openssl.cnf
Copy the openssl-fips.cnf file:
cd /opt/zimbra/common/etc/ssl
cp openssl-fips.cnf openssl.cnf
Verify that the FIPS provider is enabled. Run the command below and verify that the fips provider is listed:
/opt/zimbra/common/bin/openssl list --providers
As zimbra user, run the commands below:
su - zimbra
zmcontrol restart
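A scripted form of the verification step in the disable/enable procedures above, for confirming the result on every server after openssl.cnf is swapped. This is an added example, not part of the Zimbra release notes or tooling: the function names and the sample listings are constructed, and it assumes the usual `openssl list --providers` layout (a provider id line followed by `name:` and `status:` lines).

```bash
# Added example. The binary path is the one given in the release notes.
ZIMBRA_OPENSSL="${ZIMBRA_OPENSSL:-/opt/zimbra/common/bin/openssl}"
# Reads a provider listing on stdin; prints the fips provider state:
# "active", "inactive" (listed but not active) or "absent" (not listed).
fips_state() {
  awk '
    NF == 1 && $1 !~ /:$/ { current = $1 }   # provider id line
    current == "fips"     { seen = 1 }
    $1 == "status:" && current == "fips" { state = $2 }
    END {
      if (!seen)                  print "absent"
      else if (state == "active") print "active"
      else                        print "inactive"
    }'
}
# expect_fips <enabled|disabled>: returns 0 only when the listing on stdin
# matches the state the procedure was meant to produce.
expect_fips() {
  _got="$(fips_state)"
  case "$1:$_got" in
    enabled:active|disabled:absent) echo "OK: fips provider is $_got" ;;
    *) echo "MISMATCH: wanted $1, fips provider is $_got" >&2; return 1 ;;
  esac
}
# Constructed, abridged sample listings (not captured from a real server).
sample_fips_on() { cat <<'EOF'
Providers:
  base
    name: OpenSSL Base Provider
    status: active
  fips
    name: OpenSSL FIPS Provider
    status: active
EOF
}
sample_fips_off() { cat <<'EOF'
Providers:
  default
    name: OpenSSL Default Provider
    status: active
EOF
}
if [ -x "$ZIMBRA_OPENSSL" ]; then   # on a Zimbra server: check the live state
  "$ZIMBRA_OPENSSL" list --providers | expect_fips "${1:-enabled}"
else                                # elsewhere: run against the samples
  sample_fips_on  | expect_fips enabled
  sample_fips_off | expect_fips disabled
fi
```

On a server, pass `enabled` or `disabled` as the first argument; a non-zero exit status means the provider state does not match the procedure that was run.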
Security Fixes
Summary | CVE-ID | CVSS Score |
---|---|---|
Addressed a denial of service (DoS) vulnerability that could lead to service disruptions. A new local config attribute, ajax_uri_max_assets_requests_allowed, has been added. | | |
Fixed Issues
Zimbra Collaboration
- Fixed an issue where CardDAV contacts created/modified in the web client did not sync to the Thunderbird client.
ActiveSync
- On the iOS Calendar app, when an attendee updated their response to a meeting invite, the update notification was mistakenly sent to all attendees instead of only the organizer. The issue has been fixed and the invite updates are sent only to the intended recipient.
- On an iOS device, multiple response emails were sent to the organizer when a user deleted the meeting invite from Inbox and Trash and then tried to accept the meeting from the Calendar app. The issue has been fixed.
Backup Restore
- When restoring users whose data resided on S3 storage when it was backed up, the blobs were restored to incorrect paths and displayed "missing blobs" errors when viewing emails in Web App. The issue has been fixed and the blobs now restore to their correct locations, ensuring data integrity after a successful restore.
- Fixed an issue where zmmboxmove operations would fail when migrating mailboxes larger than 2 GB from S3-backed storage to block storage. Mailbox moves now complete successfully for all mailbox sizes across S3 or Block storage setups.
- Backup speed was slow when the user's data was on external storage. A new localconfig attribute, "backup_copy_blob_parallelism_level", has been introduced to enable parallel processing of the data. The default value is 5, but it can be increased to 15 depending on the hardware resources and available network bandwidth. Parallel processing improved backup speed by over 70% for S3.
Packages
The package lineup for this release is:
zimbra-patch -> 10.0.14.1745596452-2
zimbra-common-core-jar -> 10.0.14.1745483805-1
zimbra-mbox-webclient-war -> 10.0.14.1737655305-1
Patch Installation
Please refer to the link below to install 10.0.14 (May 15 2025):
Quick note: Open Source repo
The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build