Zimbra Releases/10.0.9


Zimbra Collaboration Daffodil 10.0.9 Patch Release

Release Date: September 04, 2024

IMPORTANT: Admin Account authentication now honors zimbraAuthFallbackToLocal when using external/custom authentication. See: https://blog.zimbra.com/2024/04/admin-account-authentication-now-honors-zimbraauthfallbacktolocal/

Check out the Security Fixes, What's New, Fixed Issues, Things to Know Before Upgrading and Known Issues sections for this version of Zimbra Collaboration. Please refer to the Patch Installation steps for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.


IMPORTANT: Instructions to update Zimbra's onlyoffice repository for installing the zimbra-onlyoffice package.

Please note that there is no change in the onlyoffice package. Add Zimbra's onlyoffice repository to the server before the Zimbra Daffodil v10 installation/upgrade. These repos will be included by default in an upcoming Zimbra Daffodil version.

https://repo.zimbra.com/apt/onlyoffice
https://repo.zimbra.com/rpm/onlyoffice

You must add the repository to your RHEL/CentOS configuration:

Redhat

RHEL7

$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel7
gpgcheck=1
enabled=1
EOF

RHEL8

$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel8
gpgcheck=1
enabled=1
EOF
rpm --import https://files.zimbra.com/downloads/security/public.key
yum --disablerepo=* --enablerepo=zimbra-onlyoffice clean metadata
yum check-update --disablerepo=* --enablerepo=zimbra-onlyoffice --noplugins


Ubuntu

UBUNTU18

$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
EOF

UBUNTU20

$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
EOF
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 9BE6ED79
apt-get update

IMPORTANT: If the steps above were missed for the OnlyOffice installation, the manual installation steps are as follows.

  • As root user, run the commands below (assuming Zimbra is already installed):
$ wget -O /opt/zimbra/bin/zmonlyofficeinstall https://raw.githubusercontent.com/Zimbra/zm-core-utils/10.0.9/src/bin/zmonlyofficeinstall
$ chmod 755 /opt/zimbra/bin/zmonlyofficeinstall
$ /opt/zimbra/bin/zmonlyofficeinstall

IMPORTANT: Zimbra OpenSSL with default FIPS Configuration

  • Please be advised that TLS 1.2 is the minimum supported version when FIPS is used with OpenSSL 3.0. We recommend using Zimbra with a strong TLS configuration for increased security. Please follow the instructions in Cipher-suites-wiki to set the correct ciphers for the current versions of openssl, nginx and postfix.
  • From this patch onward, Zimbra OpenSSL is configured with FIPS compliance enabled by default. No action is required unless you run into issues, in which case you can switch to the non-FIPS provider as follows:
  • Run the commands below to enable or disable the FIPS provider on all servers.

Disable FIPS provider:

As root user, run the commands below.

  1. Take a backup of openssl.cnf:
     $ cd /opt/zimbra/common/etc/ssl
     $ cp openssl.cnf <backup-path>/openssl.cnf
  2. Copy the openssl-source.cnf file over openssl.cnf:
     $ cd /opt/zimbra/common/etc/ssl
     $ cp openssl-source.cnf openssl.cnf
  3. Verify that the FIPS provider is disabled. Run the command below and confirm that the fips provider is not listed:
     $ /opt/zimbra/common/bin/openssl list --providers
  4. As zimbra user, restart the services:
     $ su - zimbra
     $ zmcontrol restart

Enable FIPS provider:

As root user, run the commands below.

  1. Take a backup of openssl.cnf:
     $ cd /opt/zimbra/common/etc/ssl
     $ cp openssl.cnf <backup-path>/openssl.cnf
  2. Copy the openssl-fips.cnf file over openssl.cnf:
     $ cd /opt/zimbra/common/etc/ssl
     $ cp openssl-fips.cnf openssl.cnf
  3. Verify that the FIPS provider is enabled. Run the command below and confirm that the fips provider is listed:
     $ /opt/zimbra/common/bin/openssl list --providers
  4. As zimbra user, restart the services:
     $ su - zimbra
     $ zmcontrol restart
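The enable/disable procedure above is four manual steps with a verification in the middle. The script below is an added example, not Zimbra's own tooling: it wraps the same steps (backup, copy the chosen template, check `openssl list -providers`) into one function that keeps a timestamped backup and restores it automatically when the provider listing does not match the requested state, so a bad switch never reaches the `zmcontrol restart`. The paths are the ones from the release notes; the `ZIMBRA_SSL_DIR` and `OPENSSL_BIN` variables and the function names are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example (not Zimbra's own tooling): switch the Zimbra OpenSSL
# configuration between the FIPS and non-FIPS provider templates, keeping a
# timestamped backup and verifying the provider listing before accepting the
# change. Paths are those from the release notes; both can be overridden
# through the environment (the variable names are assumptions of this example).
ZIMBRA_SSL_DIR="${ZIMBRA_SSL_DIR:-/opt/zimbra/common/etc/ssl}"
OPENSSL_BIN="${OPENSSL_BIN:-/opt/zimbra/common/bin/openssl}"

# fips_listed: read an `openssl list -providers` listing on stdin and return 0
# if a provider named exactly "fips" is present. OpenSSL 3 prints each provider
# name on its own indented line, followed by more deeply indented details.
fips_listed() {
    grep -Eq '^[[:space:]]*fips[[:space:]]*$'
}

# fips_active: query the Zimbra-bundled openssl and check for the fips provider.
fips_active() {
    "$OPENSSL_BIN" list -providers 2>/dev/null | fips_listed
}

# switch_provider fips|nonfips
#   1. back up openssl.cnf,
#   2. copy the chosen template over it,
#   3. verify the provider listing matches the requested state; otherwise
#      restore the backup and fail.
# The service restart as the zimbra user is left to the caller so that it
# only happens after a successful switch.
switch_provider() {
    case "$1" in
        fips)    src="openssl-fips.cnf";   want_fips=1 ;;
        nonfips) src="openssl-source.cnf"; want_fips=0 ;;
        *) echo "usage: switch_provider fips|nonfips" >&2; return 2 ;;
    esac
    cfg="$ZIMBRA_SSL_DIR/openssl.cnf"
    backup="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp "$cfg" "$backup" || return 1
    cp "$ZIMBRA_SSL_DIR/$src" "$cfg" || return 1
    if fips_active; then got_fips=1; else got_fips=0; fi
    if [ "$got_fips" -ne "$want_fips" ]; then
        echo "provider check failed after copying $src; restoring $backup" >&2
        cp "$backup" "$cfg"
        return 1
    fi
    echo "openssl.cnf now from $src (backup kept at $backup)"
}

# Typical use as root, restarting services only after the switch verified:
#   switch_provider nonfips && su - zimbra -c 'zmcontrol restart'
```

Run it as root on every server, as the release notes require; the restart under the zimbra user is chained after the function so it is skipped when verification fails and the original openssl.cnf has been put back.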

Security Fixes

Summary | CVE-ID | CVSS Score
A stored XSS vulnerability in the `contacts/print` endpoint has been addressed. | CVE-2024-45513 | TBD
Fixed a security vulnerability in the postjournal service which may allow unauthenticated users to execute commands. | CVE-2024-45519 | TBD
A Server-Side Request Forgery (SSRF) vulnerability that allowed unauthorized access to internal services has been addressed. | CVE-2024-45518 | TBD
A Cross-Site Scripting (XSS) issue that allowed an attacker to inject and execute malicious code via email account configurations has been resolved. | CVE-2024-45194 | TBD
A Cross-Site Scripting (XSS) vulnerability in the `/h/rest` endpoint has been fixed. | CVE-2024-45517 | TBD
Resolved a Cross-Site Scripting (XSS) vulnerability due to inadequate validation of metadata's Content-Type when importing files into the briefcase, preventing arbitrary JavaScript execution. | CVE-2024-45515 | TBD
A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. | CVE-2024-45516 | TBD
A Cross-Site Scripting (XSS) vulnerability caused by a non-sanitized `packages` parameter has been resolved. | CVE-2024-45514 | TBD
A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. | TBD | TBD
Fixed a reflected XSS vulnerability in the Briefcase module due to improper sanitization by the OnlyOffice formatter. | CVE-2024-45511 | TBD
Fixed a Stored Cross-Site Scripting (XSS) vulnerability in the Briefcase module that could execute malicious code when interacting with folder share notifications. | CVE-2024-45512 | TBD
Fixed a stored XSS vulnerability that could lead to unauthorized actions when adding contacts from specially crafted emails. | CVE-2024-45510 | TBD
A Cross-Site Scripting (XSS) vulnerability in TinyMCE was addressed in the upgrade from version 7.1.1 to 7.2.0. | CVE-2024-38356 | Medium

What's New

Modern Web App

General

  • An option to turn off the deletion of appointments for declined meetings has been implemented. Users can now retain appointments in their calendars even if they decline the meeting.
  • A PostCSS line return parsing error has been fixed, improving the stability and reliability of the stylesheet processing in the Modern UI.
  • Implementation of truncated folder names in the Modern UI has been completed. Folder names that are too long will now be truncated appropriately to fit the interface.


Mail

  • The tap-to-read or select functionality in the mobile mail list has been reconfigured to allow larger tap area. This update improves the user experience by making it easier to interact with emails on mobile devices.
  • The formatting of footer and signature elements in mobile views has been adjusted for better readability and presentation.
  • The folder list is no longer shown when composing emails in the Modern UI, reducing the cognitive load on the user while composing and reducing visual clutter.


Admin Web Console

  • Admin users can now add or remove devices from databases using the admin UI: Home → Configure → Global Settings → Mobile.


Fixed Issues

Zimbra Collaboration

  • A file with a Japanese file name and contents, received as an email attachment, is now previewed correctly.
  • In ZCS 10, the OnlyOffice repository path has been removed from the installer. Users must now configure the OnlyOffice repository before installation. If this step is missed, the installer will not provide the option to install OnlyOffice. To address this, a new script has been provided for installing OnlyOffice post-installation. The script is compatible with ZCS 10.1. As a root user, execute the script `/opt/zimbra/bin/zmonlyofficeinstall`.
  • Folder names with the + sign were not returned when listing folders through IMAP. The issue has been fixed.
  • When creating a draft in a Web App with the subject and body containing special characters (Č, ć, ž, š, đ), syncing it with Gmail where the user's account is configured using ActiveSync and then editing the draft in Gmail results in unexpected characters (e.g., ?) appearing when syncing back to ZWC. The issue has been fixed and the characters now appear correctly.
  • We have resolved the issue where attempting to view the message headers of an email attachment resulted in a 'javax.servlet.ServletException' error.
  • Even if the commercial certificates were installed on the server, OnlyOffice used self-signed certificates. The issue has been fixed.
  • The issue of a lock failure exception during folder synchronization on Android devices has been resolved. The problem occurred when syncing deleted subfolders and shared mail across multiple devices simultaneously.
  • The issue with ActiveSync has been fixed where folder IDs in the receiving account were overwritten by shared folder mount points during sync. This caused messages to appear in incorrect folders. The problem has been resolved, ensuring folder IDs remain correct and messages stay in their intended folders. Users facing this issue will have to reconfigure their account on the device.
  • The problem where it was not possible to remove a mobile device from the admin console has been addressed. Admins can now successfully remove mobile devices as needed.
  • After upgrading to version 10.0.6, users encountered a "no such object" error. This issue has been fixed, and the error no longer occurs.
  • Fixed an issue where for certain system-generated emails, the hyperlink was getting modified which resulted in an invalid URL.
  • Inline images and PDF files in some specific mails were not getting previewed in Web App. The issue has been fixed.
  • Fixed an issue with Apple Calendar where the attendee's free/busy information was not displayed when creating a new event.
  • Support for zmblobchk has been added to ensure consistency checks for mailboxes using S3 external storage for secondary or primary volumes. Previously, zmblobchk reported "blob not found" errors for messages stored on S3. zmblobchk now correctly handles and verifies data on S3, improving the accuracy of mailbox consistency checks.
  • When using the OWASP sanitizer, certain emails were not displayed correctly. The issue has been fixed.
  • An issue has been resolved where file attachments with UTF-8 encoded names sent from Outlook for Mac were not decoded correctly in the Web App.
  • When the Undo Send feature is enabled and a delegate attempts to send an email on behalf of the delegator, an error occurred and the email was not sent. This issue has now been fixed.
  • Fixed an issue with logging where the mailbox logs were being flooded for accounts set up through the EWS protocol.

Modern Web App

General

  • The issue where the "sender address is suspicious" warning was incorrectly triggered due to case differences in the email address has been resolved. The check for suspicious email addresses is now case-insensitive, in compliance with RFC standards.
  • An issue where extra body content was being added in the Modern UI mail body under certain conditions has been corrected.
  • An issue in the Modern UI where moving emails in "Conversation view" caused unexpected behavior has been fixed.
  • The issue where email body/text alignment in the Modern UI web app was incorrect has been resolved.
  • Scrolling issues within the Modern UI have been addressed. Users should now experience smooth and consistent scrolling behavior across all supported apps including Zimbra desktop.
  • The problem where S/MIME signing did not work in the Modern UI has been addressed. S/MIME signing functionality is now fully operational.
  • An issue where editing the attendees or the body of a new event would not save the changes correctly has been fixed. All edits are now properly saved.
  • The issue where meeting invitation emails incorrectly displayed a conflict banner for meetings has been resolved. The conflict banner now only shows when there is an actual scheduling conflict.
  • An issue in Zimbra Connector for Outlook (ZCO) where creating a folder of unknown type resulted in errors has been fixed.
  • The issue where there was no save button after searching and editing a contact has been resolved.
  • In the Modern UI, an issue where Zimbra incorrectly showed all folder types in the folder tree has been fixed.
  • An issue where multi-day all-day appointments were truncated to a single day has been fixed. Multi-day all-day events now display correctly across all intended dates.


Mail

  • An issue where wide elements in emails were not displayed correctly when reading on mobile has been addressed. Emails now render properly on mobile devices regardless of content width.
  • The "Edit as new" option was previously unavailable when no predefined signature was set. This issue has been resolved, and the option is now accessible regardless of signature settings.


Calendar

  • The issue where the "Today" button on the calendar print dialog was not working has been fixed. The button now correctly navigates to today's date in the print preview.
  • An issue in the Modern UI where the "New Event" body did not wrap text properly has been resolved. Additionally, the button alignment has been corrected to ensure proper layout.
  • The issue where an error was thrown upon clicking the "Show Availability" button in the calendar has been resolved. Users can now view availability without encountering errors.


Zimbra Connector for Outlook

  • ZCO stopped syncing when NO_NAME was encountered in any contact. The issue has been fixed.
  • Fixed an issue where the tags created in the Web App were getting overwritten with tags created in ZCO.


Known Issues

Modern Web App

Mail

  • When replying to or forwarding an email in plain text with attachments, an error message stating "Failed to Process this request" may appear when the draft is auto-saved. This issue occurs after switching the email format from HTML to plain text, especially when the email contains an image in the signature.
  • When viewing a message that was sent to one or more distribution lists, each distribution list is displayed twice.
  • "Edit as New," "New Event," and "Print" functionalities do not work when the preview pane is disabled in the Zimbra Modern UI. As a workaround, please enable the preview pane to use these features.

Briefcase

  • If a new sub-folder is created by the user, that sub-folder is displayed twice instead of once. The issue is resolved upon refreshing or logging in again to the web client.

Mail

  • EML file importing is not working on Zimbra version 10.0.0 and above.


Packages

Jira ticket:

The package lineup for this release is:

zimbra-patch                                      ->  10.0.9.1724303022-2
zimbra-mta-patch                                  ->  10.0.9.1723819711-1
zimbra-onlyoffice-patch                           ->  10.0.9.1724058507-1
zimbra-mbox-ews-service                           ->  10.0.9.1723795950-1
zimbra-common-core-jar                            ->  10.0.9.1723804604-1
zimbra-mbox-store-libs                            ->  10.0.9.1723804351-1
zimbra-mbox-webclient-war                         ->  10.0.9.1723645398-1
zimbra-zco                                        ->  1944.1723811444-1
zimbra-onlyoffice                                 ->  1.0.1718861068-1
zimbra-modern-ui                                  ->  4.39.0.1724260715-1
zimbra-modern-zimlets                             ->  4.39.0.1724260715-1
zimbra-zimlet-classic-unsupportedbrowser          ->  4.1.1.1723729388-1
zimbra-zimlet-date                                ->  8.0.0.1723729388-1
zimbra-zimlet-restore-contacts                    ->  7.2.1.1723729388-1
zimbra-zimlet-set-default-client                  ->  10.4.1.1723729388-1
zimbra-zimlet-user-feedback                       ->  7.2.1.1723729388-1
zimbra-zimlet-classic-document-editor             ->  2.2.1.1723729388-1
zimbra-zimlet-classic-set-default-client          ->  1.1.0.1723729388-1

Patch Installation

Please refer to the link below to install 10.0.9:

Patch Installation

Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build
