Zimbra Releases/10.0.2

Zimbra Collaboration Daffodil 10.0.2 Patch Release

Release Date: July 26, 2023

Check out the Security Fixes, What's New, Fixed Issues, Things to Know Before Upgrading and Known Issues sections for this version of Zimbra Collaboration. Please refer to the Patch Installation steps for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.


IMPORTANT: Instructions to update Zimbra's onlyoffice repository for installing zimbra-onlyoffice package.

Please note that there is no change in the onlyoffice package. Add Zimbra's onlyoffice repository to the server before Zimbra Daffodil v10 installation/upgrade. These repos will be included by default in upcoming Zimbra Daffodil version.

https://repo.zimbra.com/apt/onlyoffice
https://repo.zimbra.com/rpm/onlyoffice

You must add your local repository to your RHEL/CentOS Configuration :

Redhat

RHEL7

$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel7
gpgcheck=1
enabled=1
EOF

RHEL8

$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel8
gpgcheck=1
enabled=1
EOF
yum --disablerepo=* --enablerepo=zimbra-onlyoffice clean metadata
yum check-update --disablerepo=* --enablerepo=zimbra-onlyoffice --noplugins


Ubuntu

UBUNTU18

$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
EOF

UBUNTU20

$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
EOF
apt-get update

IMPORTANT: Zimbra OpenSSL with default FIPS Configuration

  • Please be advised that, TLS 1.2 is the minimum supported version if FIPS is being used with OpenSSL 3.0. We recommend using Zimbra with strong TLS configuration for increased security. Please follow instructions in Cipher-suites-wiki to set correct ciphers as per current versions of openssl, nginx and postfix.
  • From this patch going forward Zimbra OpenSSL will be configured to work with FIPS compliance enabled by default. You do not need to take any action, unless you run into issues, you can switch to the non-FIPS provider as follows:
  • Run the below commands to Enable/Disable FIPS providers on all servers.

Disable FIPS provider:

As root user run below commands
Take backup of openssl.cnf cd /opt/zimbra/common/etc/ssl cp openssl.cnf <backup-path>/openssl.cnf
Copy openssl-source.cnf file cd /opt/zimbra/common/etc/ssl cp openssl-source.cnf openssl.cnf
Verify that, FIPS provider is disabled: Run below command and verify fips provider is not listed /opt/zimbra/common/bin/openssl list --providers
As zimbra user run below commands su - zimbra zmcontrol restart

Enable FIPS provider:

As root user run below commands
Take backup of openssl.cnf cd /opt/zimbra/common/etc/ssl cp openssl.cnf <backup-path>/openssl.cnf
Copy openssl-fips.cnf file cd /opt/zimbra/common/etc/ssl cp openssl-fips.cnf openssl.cnf
Verify that, FIPS provider is enabled: Run below command and verify fips provider is listed /opt/zimbra/common/bin/openssl list --providers
As zimbra user run below commands su - zimbra zmcontrol restart

Deprecation of Zimbra Server on Ubuntu 18.04

Ubuntu 18.04 End of life occurred on May 31, 2023. Zimbra will deprecate Daffodil (v10) support for Ubuntu 18.04 as of November 30, 2023. At this date, there will no longer be any patch release for Zimbra Daffofil (v10) on Ubuntu 18.04 operating system. We encourage all our new customer's to use Ubuntu 20.04 for all their new installations.

After November 30, 2023, Zimbra Support will provide best-effort support for the last patch release on the Ubuntu 18.04 operating system. However, any known or existing bugs will not be addressed and Zimbra Support encourages all customers to follow our recommended upgrade path to a supported OS version at your earliest convenience to ensure no interruption in your support services.

We will be soon providing support for Ubuntu 22.04 operating system on the upcoming Daffodil version.

For questions or guidance with upgrading your operating system please open a support case and our Support team is here to assist you.

Security Fixes

Summary CVE-ID CVSS Score
OpenSSL package has been upgraded to fix a security issue related to the verification of X.509 certificate chains that include policy constraints CVE-2023-0464 TBD
The Amavis package has been upgraded to 2.13.0 version. TBD TBD
A bug that could lead to exposure of internal JSP and XML files has been fixed. CVE-2023-38750 TBD


What's New

Package Upgrade

  • The OpenSSL package has been upgraded from 1.1.1t to 3.0.9
  • The Amavis package has been upgraded from 2.10.1 to 2.13.0
  • The Clamav package has been upgraded from 0.105.2 to 1.0.1
  • The Crypt::OpenSSL::RSA package has been upgraded from 0.31 to 0.33
  • The IO::Socket::SSL package has been upgraded from 2.068 to 2.083
  • The LWP::Protocol::https package has been upgraded from 6.06 to 6.10
  • The Mail::DKIM package has been upgraded from 0.40 to 0.43
  • The Net::SSLeay package has been upgraded from 1.88 to 1.92
  • The Unbound package has been upgraded from 1.11 to 1.17.1

Zimbra Connector for Outlook

  • The Zimbra Free Busy provider has been set as a default Free Busy provider. It will now display the correct status color for Busy, Tentative, and Out Of Office meetings. Earlier, it was set to Internet Free Busy provider.

Modern Web App

General

  • Changes have been made to simplify and clarify the email forwarding settings. For example, the label for "Access your email elsewhere" has been updated, and "Forward: Your mail is forwarded to the specified address, so you can check it there." has been modified to "Enable email forwarding".
  • The 'Advanced Paste' for Modern UI composer, which previously handled copy/pasting from various applications such as Word, Excel, PowerPoint, PDF, Websites, Paint, etc., is no longer available. The feature has been removed due to its technical complexity and dependencies on third-party libraries that didn't meet Zimbra's standards.
  • Users can now specify and book equipment when composing a calendar event.

Calendar

  • "Equipment" option in Calendar is hidden when zimbraFeatureGroupCalendarEnabled is FALSE.

Fixed Issues

Zimbra Collaboration

  • License re-activation is not needed when applying a patch on Zimbra Daffodil (v10) version.
  • On NG based rolling-upgrade setup and before migrating the Internal Storage data to zimbra-10 server using the NG Migration utility, disable the Compression for volumes on zimbra-10 server.
  • When using an external storage provider for Secondary storage, please exclude the Documents from the policy as it appears garbled after it is moved to external storage.
  • When exporting the Drive data to Zimbra Daffodil (v10) version through the zmmodulesport utility, the command became unresponsive and the data was not migrated. The issue has been fixed. ZBUG-3476
  • When setting the zimbraFileUploadMaxSize value to more than 2GB (2146483647 bytes), the Web App and Admin Console became unresponsive. The issue has been fixed. ZBUG-3204
  • The faulty X-Forwarded-For header which handles the IPv6 client logged an incorrect OIP field. The issue has been fixed. Please note the following requirements has to be fulfilled when adding the IPv6 IP address to the zimbraMailTrustedIP attribute:


Classic Web App

  • NextCloud zimlet on Classic Web App is now available with Zimbra Daffodil (v10). ZBUG-3450


Zimbra Connector for Outlook

  • In the Auto-Complete cache, a parsing problem was identified in a particular scenario. The full cache will now be parsed, and the user will be prompted to remove the bad cache. ZBUG-3456
  • In case the ZCO registry keys are broken due to a Microsoft upgrade, the installer fixes such registry keys. ZBUG-3047
  • Fixed an issue that results in Outlook crashing when sending the OneNote document as a PDF attachment. ZBUG-2776
  • When the Free Busy provider is set to Internet Free Busy, the *Tentative* meeting status gets displayed as *Busy*. Changed the default Free Busy provider to Zimbra which also displays the correct status color for Busy, Tentative, and Out Of Office meetings. ZBUG-2278


Things to Know Before Upgrading

Important Upgrade Instructions for Daffodil v10 version older than build 10.0.0_GA_4452

If you are currently using the Beta version build of Daffodil v10 (10.0.0_GA_4452), please follow these upgrade instructions:

  • Upgrade to the latest GA Version build 10.0.0_GA_4518: It is crucial to first upgrade to the latest GA version before proceeding with any further updates. This latest GA release includes essential updates, including modifications to the database schema and various other feature improvements.
  • Upgrade to 10.0.2 Patch: Once you have successfully upgraded to the latest GA version build 10.0.0_GA_4518, you can proceed with the upgrade to the 10.0.2 patch. This patch release addresses specific issues and introduces further enhancements.

By following this upgrade path, you ensure that your system is properly updated, incorporating the necessary database schema changes and other critical updates introduced in the latest GA build.

Please review the following information to decide if Zimbra Daffodil (v10) is suitable for you.

  • Zimbra Touch Client, Zimbra Mobile Client, and Zimbra HTML (Standard) Client are no longer a part of Zimbra starting from Version 9.0.0.
  • A Zimbra Network Edition license is required to use Zimbra Daffodil (v10).
  • The customizations implemented for SAML and SPNEGO will be overridden during an upgrade. It is recommended to backup these configurations before upgrading the server.
  • In case of rolling upgrades, if some mailstore nodes are upgraded to zimbra-10 and some mailstore nodes are on Zimbra 9.0.x or Zimbra 8.8.15 then, zimbraReverseProxyUpstreamLoginServers should only contain the list of Zimbra 10.0.0 mailboxes. If this is not followed then in some cases, users on zimbra-10 mailstore nodes will not be able to see Modern Web App after login.
  • Zimbra (v10) continues to support two versions of Zimbra Web Client -- Modern and Classic.
    • To know more about the highlights of the Modern Web App, please refer to Introducing the Modern Web Application
    • The Classic Web App offers the same functionality as the Advanced Web Client in Zimbra version 8.8.15.
    • Existing customized themes, logo branding changes, and crontab changes are incompatible with, and hence do not reflect in the Modern Web App. Branding needs to be re-configured to work with the Modern Web App. The Modern Web App does not currently support themes. Please refer to the Customizing Modern Web App section of Admin Guide for more information related to configuration.
    • Zimlets are supported on both the Web Clients.
    • Zimlets that work with the Classic Web App are incompatible with the Modern Web App. And due to technology changes, there is no way to migrate the Zimlets from the Classic Web App to the Modern Web App or vice-versa.
  • For Non-NG setups, recommendations when using mailbox move (through zmmboxmove utility) on Rolling-Upgrade environment:
    • Always take full backup *before* doing zmmboxmove.
    • If using Storage Management with primary and secondary storage as Internal, then set zimbraMailboxMoveSkipBlobs and zimbraMailboxMoveSkipHsmBlobs attributes to FALSE before doing zmmboxmove.
    • Always recommended to run HSM and move blobs to current primary/secondary volumes in case of multiple primary/secondary volumes present in the system before doing zmmboxmove.
    • zmmboxmove command should be run from Zimbra (v10) mailbox server.

After you review the tasks in this section, please go to Upgrade Instructions.


Known Issues

Zimbra Collaboration

  • On a NG based rolling-upgrade setup, when either sharer or sharee is not moved to zimbra-10 server and the drive data is imported through the NG Migration utility, the drive files sharing information is not available. Hence, the shared files are not available after the import.

Workaround - Before importing the Drive data for the users, move the sharee and sharer from NG server to zimbra-10 server.

  • When upgrading to Zimbra 10 using the rolling upgrade mechanism, if a user on Zimbra 10 shares a Briefcase file with a user on Zimbra 9, then while UI will display a 'Permission denied' error to the user on Zimbra 10, the user on Zimbra 9 still ends up receiving an email that the file has been shared. Even though the mail is received by the Zimbra 9 user, they will not be able to access the file, as the file sharing feature is not available in Zimbra 9.
  • During Rolling Upgrade to Zimbra 10, a user on Zimbra 9 may share a Briefcase folder with a Zimbra 10 user. However, since files were not shared with Zimbra 10 user, the files within the shared folder are not accessible to the Zimbra 10 users.
  • During Rolling Upgrade to Zimbra 10 from Zimbra 9/8.x having NG modules installed, when a Zimbra 9/8.x user creates new files from Briefcase, it results in a error "TypeError: g is null".
  • During Rolling Upgrade to Zimbra 10, a user on Zimbra 10 may share a file with a Zimbra 9 user. However, Zimbra 9 user will not be able to access the file from the shared URL.
  • Zimbra inheritance is followed when setting LDAP attributes. When using Backup & Restore->Message recovery settings from Admin UI, if the value of zimbraDumpsterEnabled attribute is FALSE at COS level and TRUE at Domain level, then the value at COS level will be considered. So the issue here is- adding Domains in the message recovery settings will have no impact on message recovery if the COS level attribute is set to its default value FALSE.
  • Backup and Restore - When mail-store server is restored after moving some of its accounts to another mail store, then old mail data like blobs, metadata, etc. of the accounts which have been moved to another mail store, will also get restored. The workaround is to - execute the restore with --ignoreRedoErrors OR with -rf options like zmrestore -a all --ignoreRedoErrors
  • When user clicks on a file in Briefcase, a preview is displayed for the supported file formats. User can also edit these files in a separate window. The changes take a long time to be reflected in the preview, and sometimes user might need to click on the file multiple times to view the changes.
  • When editing documents from Briefcase, the documents are opened in a separate browser window in which users can edit the document. However, the updated contents are not reflected in the Briefcase file, unless the separate browser window is not closed by the user.
  • User is not able to search files in the "Files shared with me" folder, within Briefcase.
  • Re-sending a file share for a Briefcase document throws the error, "A network service error has occurred".

Web UX - Admin

  • In Admin UI, if two users are assigned the Administrator privilege followed by "Assign default domain administrator views and rights", there is an error displayed for the second user, and the request is not completed. This happens due to a caching issue, and flushing the cache of the mail-store resolves this issue.

Mobile Sync

  • On iOS Native App, if the Mail, Calendar, and Contacts folders are shared with the user, the shares are not displayed on the App.Similarly, for Windows Outlook and Windows Native Contacts App, if the Contacts folder is shared with the user, the shares are not displayed on the App.

Workaround - The user will have to reconfigure his account on the device to get the shares mounted on the device.

  • Exchange ActiveSync protocol currently does not support Read-Only permission sharing. It is recommended not to enable Sharing for the users having shares with Read-Only permission.
  • In a Rolling-upgrade environment, if a zimbra-9 user shares a calendar with zimbra-10 user, the events are not synced.

Workaround - For the Rolling-Upgrade environment involving the NG mailbox server, due to technical differences between the NG Mobile feature and Zimbra (v10) Mobile Sync feature, it is recommended to use Sharing feature after moving all the accounts to zimbra-10 mailbox server.

  • For Windows Mail App, the Sent folder emails are not displayed after blocking and unblocking the user.

Workaround - The user can remove and reconfigure the account on the app.

  • When using iOS Outlook App, Out of Office settings are not synced to the user's account in Web App.
  • When the organizer and attendee use the Outlook app, if the organizer cancels an instance from a recurring meeting, the same is not reflected on the attendee's calendar.

Backup Restore

  • When using backup and restore to move data from source 9.x NG server to destination 10.x server, if both the source and destination, primary volumes are 'External', and zimbraBackupSkipBlobs is set to True, then emails moved secondary volume throw 'Missing Blob for item' error.
  • When an account is restored using backup data from NG external secondary volume, the account is displaying garbled data for emails on the destination server.
  • When we schedule backup using zmschedulebackup command, backup is getting scheduled in crontab and LDAP attributes are updated with appropriate values.

Packages

The package lineup for this release is:

PackageName                                       -> Version
zimbra-patch                                      ->  10.0.2.1688917154-2
zimbra-mta-patch                                  ->  10.0.2.1688917154-1
zimbra-proxy-patch                                ->  10.0.2.1688917154-1
zimbra-ldap-patch                                 ->  10.0.2.1688917154-1
zimbra-common-core-jar                            ->  10.0.2.1688733263-1
zimbra-mbox-webclient-war                         ->  10.0.2.1688663906-1
zimbra-license-tools                              ->  10.0.2.1688641195-1
zimbra-common-core-libs                           ->  10.0.2.1683869264-1
zimbra-zco                                        ->  9.0.0.1933.1688639704-1
zimbra-modern-ui                                  ->  4.33.0.1688725065-1
zimbra-modern-zimlets                             ->  4.33.0.1688725065-1
zimbra-zimlet-ads                                 ->  9.1.0.1688647815-1
zimbra-zimlet-user-sessions-management            ->  10.1.0.1688647815-1
zimbra-zimlet-org-chart                           ->  3.1.0.1688647815-1
zimbra-zimlet-additional-signature-setting        ->  9.0.0.1688647815-1
zimbra-zimlet-restore-contacts                    ->  7.1.0.1688647815-1
zimbra-zimlet-sideloader                          ->  8.1.0.1688647815-1
zimbra-zimlet-set-default-client                  ->  10.2.0.1688647815-1
zimbra-zimlet-date                                ->  7.1.0.1688647815-1
zimbra-zimlet-privacy-protector                   ->  5.2.0.1688647815-1
zimbra-zimlet-classic-unsupportedbrowser          ->  4.1.0.1688647815-1
zimbra-zimlet-install-pwa                         ->  7.1.0.1688647815-1
zimbra-zimlet-emptysubject                        ->  3.1.0.1688647815-1
zimbra-zimlet-duplicate-contacts                  ->  6.2.0.1688647815-1
zimbra-zimlet-secure-mail                         ->  2.3.0.1688647815-1
zimbra-zimlet-web-search                          ->  5.1.0.1688647815-1
zimbra-zimlet-user-feedback                       ->  7.1.0.1688647815-1
zimbra-zimlet-calendar-subscription               ->  7.1.0.1688647815-1
zimbra-zimlet-document-editor                     ->  11.1.0.1688647815-1
zimbra-zimlet-classic-document-editor             ->  2.2.0.1688647815-1
zimbra-modules-porter                             ->  1.0.0.1688711471-1
zimbra-zimlet-nextcloud                           ->  1.0.14.1689672362-1
zimlet-nextcloud-talk                             ->  1.0.0.1689672460-1
zimbra-openssl                                    ->  3.0.9-1zimbra8.8b1
zimbra-heimdal                                    ->  1.5.3-1zimbra8.7b4
zimbra-perl-net-ssleay                            ->  1.92-1zimbra8.8b1
zimbra-curl                                       ->  7.49.1-1zimbra8.7b4
zimbra-unbound                                    ->  1.17.1-1zimbra8.8b1
zimbra-apr-util                                   ->  1.6.1-1zimbra8.7b3
zimbra-perl-dbd-mysql                             ->  4.050-1zimbra8.7b5
zimbra-perl-crypt-openssl-random                  ->  0.11-1zimbra8.7b4
zimbra-perl-crypt-openssl-rsa                     ->  0.33-1zimbra8.8b1
zimbra-cyrus-sasl                                 ->  2.1.28-1zimbra8.7b4
zimbra-openldap                                   ->  2.4.59-1zimbra8.8b6
zimbra-postfix                                    ->  3.6.1-1zimbra8.7b4
zimbra-opendkim                                   ->  2.10.3-1zimbra8.7b6
zimbra-clamav                                     ->  1.0.1-1zimbra8.8b4
zimbra-clamav-db                                  ->  1.0.0-1zimbra8.7b2
zimbra-amavisd                                    ->  2.13.0-1zimbra8.7b2
zimbra-net-snmp                                   ->  5.8-1zimbra8.7b3 (For RHEL8,UBUNTU20 - 5.8-1zimbra8.7b4)
zimbra-perl-io-socket-ssl                         ->  2.083-1zimbra8.7b3 (For RHEL8,UBUNTU20 - 2.083-1zimbra8.7b4)
zimbra-perl-net-http                              ->  6.09-1zimbra8.7b4 (For RHEL8,UBUNTU20 - 6.09-1zimbra8.7b5)
zimbra-perl-libwww                                ->  6.13-1zimbra8.7b4 (For RHEL8,UBUNTU20 - 6.13-1zimbra8.7b5)
zimbra-perl-lwp-protocol-https                    ->  6.10-1zimbra8.7b3 (For RHEL8,UBUNTU20 - 6.10-1zimbra8.7b4)
zimbra-perl-xml-parser                            ->  2.44-1zimbra8.7b4 (For RHEL8,UBUNTU20 - 2.44-1zimbra8.7b5)
zimbra-perl-soap-lite                             ->  1.19-1zimbra8.7b4 (For RHEL8,UBUNTU20 - 1.19-1zimbra8.7b5)
zimbra-perl-xml-sax-expat                         ->  0.51-1zimbra8.7b4 (For RHEL8,UBUNTU20 - 0.51-1zimbra8.7b5)
zimbra-perl-xml-simple                            ->  2.25-1zimbra8.7b3 (For RHEL8,UBUNTU20 - 2.25-1zimbra8.7b4)
zimbra-perl-mail-dkim                             ->  0.43-1zimbra8.8b1
zimbra-perl-mail-spamassassin                     ->  3.4.6-1zimbra8.8b4 (For RHEL8,UBUNTU20 - 3.4.6-1zimbra8.8b5)
zimbra-spamassassin-rules                         ->  1.0.0-1zimbra8.8b6 (For RHEL8,UBUNTU20 - 1.0.0-1zimbra8.8b7)
zimbra-perl-innotop                               ->  1.9.1-1zimbra8.7b4 (For RHEL8,UBUNTU20 - 1.9.1-1zimbra8.7b5)
zimbra-httpd                                      ->  2.4.57-1zimbra8.7b5
zimbra-perl-net-ldapapi                           ->  3.0.3-1zimbra8.7b2
zimbra-perl                                       ->  1.0.8-1zimbra8.7b1 (For RHEL8,UBUNTU20 - 1.0.9-1zimbra8.7b1)
zimbra-nginx                                      ->  1.20.0-1zimbra8.8b4
zimbra-erlang                                     ->  25.0.3-1zimbra8.8b2
zimbra-rabbitmq-server                            ->  3.10.7-1zimbra8.8b2
zimbra-osl                                        ->  3.0.0-1zimbra10.0b1
zimbra-core-components                            ->  4.0.0-1zimbra10.0b1
zimbra-ldap-components                            ->  3.0.0-1zimbra10.0b1
zimbra-proxy-components                           ->  1.0.11-1zimbra8.8b1
zimbra-mta-components                             ->  1.0.22-1zimbra8.8b1
zimbra-apache-components                          ->  2.0.11-1zimbra8.8b1
zimbra-dnscache-components                        ->  1.0.5-1zimbra8.7b1
zimbra-snmp-components                            ->  1.0.4-1zimbra8.7b1 (For RHEL8,UBUNTU20 - 1.0.5-1zimbra8.7b1)
zimbra-spell-components                           ->  2.0.12-1zimbra8.8b1 (For RHEL8,UBUNTU20 - 2 .0.13-1zimbra8.8b1)


Patch Installation

Please refer to below link to install 10.0.2 patch :

Patch Installation

Jump to: navigation, search