Zimbra Releases/10.0.18

Zimbra Daffodil 10.0.18 Patch Release

Release Date: Nov 06, 2025

End of Life Notice - Zimbra 10.0

Zimbra 10.0 will reach End of Life on 31st Dec 2025. Customers using this version are advised to plan their upgrade/migration to the 10.1 version to ensure continued security updates and access to the latest features.

For assistance during this transition, our support team is available to address any inquiries.

NOTE: 10.1 is the active and supported version.

Things to know before you upgrade

IMPORTANT: Instructions to update Zimbra's onlyoffice repository for installing zimbra-onlyoffice package.

Please note that there is no change in the onlyoffice package. Add Zimbra's onlyoffice repository to the server before Zimbra Daffodil v10 installation/upgrade. These repos will be included by default in an upcoming Zimbra Daffodil version.

https://repo.zimbra.com/apt/onlyoffice
https://repo.zimbra.com/rpm/onlyoffice

You must add your local repository to your RHEL/CentOS configuration:

Redhat

RHEL7

$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel7
gpgcheck=1
enabled=1
EOF

RHEL8

$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel8
gpgcheck=1
enabled=1
EOF
rpm --import https://files.zimbra.com/downloads/security/public.key
yum --disablerepo=* --enablerepo=zimbra-onlyoffice clean metadata
yum check-update --disablerepo=* --enablerepo=zimbra-onlyoffice --noplugins


Ubuntu

UBUNTU18

$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
EOF

UBUNTU20

$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
EOF
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 9BE6ED79
apt-get update

IMPORTANT: In case the above steps are missed for the Onlyoffice installation, the following are the manual steps for installation.

  • As root user, run the commands below (assuming Zimbra is already installed):
$ wget -O /opt/zimbra/bin/zmonlyofficeinstall https://raw.githubusercontent.com/Zimbra/zm-core-utils/10.0.9/src/bin/zmonlyofficeinstall
$ chmod 755 /opt/zimbra/bin/zmonlyofficeinstall
$ /opt/zimbra/bin/zmonlyofficeinstall

IMPORTANT: Zimbra OpenSSL with default FIPS Configuration

  • Please be advised that TLS 1.2 is the minimum supported version if FIPS is being used with OpenSSL 3.0. We recommend using Zimbra with a strong TLS configuration for increased security. Please follow the instructions in Cipher-suites-wiki to set the correct ciphers for the current versions of openssl, nginx and postfix.
  • From this patch onward, Zimbra OpenSSL is configured to work with FIPS compliance enabled by default. You do not need to take any action. If you run into issues, you can switch to the non-FIPS provider as follows:
  • Run the commands below to enable/disable the FIPS provider on all servers.

Disable FIPS provider:

As root user, run the commands below.
Take a backup of openssl.cnf:
$ cd /opt/zimbra/common/etc/ssl
$ cp openssl.cnf <backup-path>/openssl.cnf
Copy the openssl-source.cnf file:
$ cd /opt/zimbra/common/etc/ssl
$ cp openssl-source.cnf openssl.cnf
Verify that the FIPS provider is disabled. Run the command below and verify that the fips provider is not listed:
$ /opt/zimbra/common/bin/openssl list --providers
As zimbra user, run the commands below:
$ su - zimbra
$ zmcontrol restart

Enable FIPS provider:

As root user, run the commands below.
Take a backup of openssl.cnf:
$ cd /opt/zimbra/common/etc/ssl
$ cp openssl.cnf <backup-path>/openssl.cnf
Copy the openssl-fips.cnf file:
$ cd /opt/zimbra/common/etc/ssl
$ cp openssl-fips.cnf openssl.cnf
Verify that the FIPS provider is enabled. Run the command below and verify that the fips provider is listed:
$ /opt/zimbra/common/bin/openssl list --providers
As zimbra user, run the commands below:
$ su - zimbra
$ zmcontrol restart
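
The "verify fips provider is listed / not listed" step above can be scripted so it gives the same answer on every server. The following is an added example, not part of the Zimbra release notes or Zimbra's tooling: the function names and the sample listings are constructed for illustration, and it assumes the usual `openssl list` layout of a provider id line followed by indented name/version/status lines.

```sh
#!/bin/sh
# Added example (not Zimbra code): classify the FIPS provider from the text
# printed by `openssl list --providers`.

# Constructed sample listings; version strings are placeholders.
SAMPLE_FIPS='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.0
    status: active'
SAMPLE_NOFIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.0
    status: active'

# provider_status NAME: read a listing on stdin, print active|inactive|absent.
provider_status() {
    awk -v want="$1" '
        /^  [^ ]/ { cur = $1; if (cur == want) seen = 1; next }  # provider id line
        /^    status:/ && cur == want { st = $2 }                # its status line
        END {
            if (!seen) print "absent"
            else if (st == "active") print "active"
            else print "inactive"
        }'
}

# fips_matches enabled|disabled: exit 0 when the listing on stdin agrees.
fips_matches() {
    state=$(provider_status fips)
    case "$1:$state" in
        enabled:active|disabled:absent|disabled:inactive) return 0 ;;
        *) echo "FIPS provider is $state, expected $1" >&2; return 1 ;;
    esac
}

printf '%s\n' "$SAMPLE_FIPS" | fips_matches enabled && echo "sample 1: FIPS enabled"
printf '%s\n' "$SAMPLE_NOFIPS" | fips_matches disabled && echo "sample 2: FIPS disabled"
# Live use after switching openssl.cnf (path from this page):
#   /opt/zimbra/common/bin/openssl list --providers | fips_matches enabled
```

A provider that is listed but not reported as active is treated as not enabled, so a half-applied configuration fails the "enabled" check instead of passing on name alone.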


Security Fixes

Summary | CVE-ID | CVSS Score
Upgraded AntiSamy to version 1.7.8 and removed legacy @import sanitization logic to address a stored cross-site scripting (XSS) vulnerability | CVE-2025-66376 | TBD
Introduced path validation in the ExportAndDeleteItemsRequest API to prevent unsafe file exports | TBD | TBD
Addressed a missing CSRF enforcement issue in specific authentication flows | TBD | TBD
Addressed an unauthenticated local file inclusion vulnerability in the RestFilter | TBD | TBD

What's New

Package Upgrade

  • The ClamAV package has been upgraded from 1.0.6 to 1.4.3
  • The Jetty package has been upgraded from 9.4.46.v20220331 to 9.4.57.v20241219


Packages

Jira ticket:

The package lineup for this release is:

zimbra-common-core-libs                           ->  10.0.18.1761913021-1
zimbra-mbox-store-libs                            ->  10.0.18.1761913021-1
zimbra-mbox-admin-console-war                     ->  10.0.18.1759853062-1
zimbra-common-core-jar                            ->  10.0.18.1761912330-1
zimbra-mbox-war                                   ->  10.0.18.1760013154-1
zimbra-mbox-webclient-war                         ->  10.0.18.1759855041-1
zimbra-patch                                      ->  10.0.18.1761926704-2
zimbra-mta-patch                                  ->  10.0.18.1761926704-1
zimbra-ldap-patch                                 ->  10.0.18.1761926704-1
zimbra-proxy-patch                                ->  10.0.18.1761926704-1
zimbra-onlyoffice-patch                           ->  10.0.18.1761926704-1
zimbra-modern-ui                                  ->  4.40.2.1759913548-1
zimbra-modern-zimlets                             ->  4.40.2.1759913548-1
zimbra-zco                                        ->  1949.1760350148-1
zimbra-clamav                                     ->  1.4.3-1zimbra8.8b4
zimbra-clamav-db                                  ->  1.0.0-1zimbra8.7b3
zimbra-mta-components                             ->  10.0.1-1zimbra8.8b1
zimbra-jetty-distribution                         ->  9.4.57.v20241219-2

Patch Installation

Please refer to the link below to install 10.0.18 (Nov 06 2025):

Patch Installation

Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build
