Zimbra Collaboration Daffodil 10.0.9 Patch Release
Release Date: September 04, 2024
IMPORTANT: Admin account authentication now honors zimbraAuthFallbackToLocal when external/custom authentication is configured. If a domain uses external authentication and zimbraAuthFallbackToLocal is FALSE, admin accounts in that domain will no longer fall back to their local Zimbra password when external authentication fails; check the current value with `zmprov gd <domain> zimbraAuthFallbackToLocal` before upgrading. See: https://blog.zimbra.com/2024/04/admin-account-authentication-now-honors-zimbraauthfallbacktolocal/
Check out the Security Fixes, What's New, Fixed Issues, Things to Know Before Upgrading and Known Issues sections for this version of Zimbra Collaboration. Please refer to the Patch Installation steps for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.
IMPORTANT: Instructions to add Zimbra's OnlyOffice repository so that the zimbra-onlyoffice package can be installed.
Please note that there is no change in the OnlyOffice package itself. Add Zimbra's OnlyOffice repository to the server before the Zimbra Daffodil v10 installation/upgrade. These repositories will be included by default in an upcoming Zimbra Daffodil version.
https://repo.zimbra.com/apt/onlyoffice
https://repo.zimbra.com/rpm/onlyoffice
Add the repository to the package manager configuration for your platform:
Redhat
RHEL7
$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel7
gpgcheck=1
enabled=1
EOF
RHEL8
$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel8
gpgcheck=1
enabled=1
EOF
Then import Zimbra's signing key and refresh the repository metadata (RHEL7 and RHEL8):
rpm --import https://files.zimbra.com/downloads/security/public.key
yum --disablerepo=* --enablerepo=zimbra-onlyoffice clean metadata
yum check-update --disablerepo=* --enablerepo=zimbra-onlyoffice --noplugins
Ubuntu
UBUNTU18
$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
EOF
UBUNTU20
$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
EOF
Then import Zimbra's signing key and refresh the package index (Ubuntu 18 and 20):
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 9BE6ED79
apt-get update
Note that 9BE6ED79 is a short (32-bit) key ID fetched over an unauthenticated HKP connection; short key IDs are not unique. Confirm the full fingerprint of the imported key against the key Zimbra publishes at https://files.zimbra.com/downloads/security/public.key before running apt-get update.
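The repository definitions above are only as safe as their transport and signature settings. The following is an added example, not part of the Zimbra release notes or of Zimbra's tooling: a small POSIX shell linter that checks a yum or apt repository definition for a non-TLS URL, a missing `gpgcheck=1`, or an apt source line that does not pin its key with `signed-by`. The samples are constructed; the first mirrors the RHEL8 .repo shown above, the weakened variant and the `signed-by` keyring path are hypothetical.

```shell
# Added example (not from the Zimbra release notes): lint a repository
# definition before it is written under /etc, so the OnlyOffice repo is only
# consumed over TLS with package signature checking enabled.
# All samples are constructed; the first mirrors the RHEL8 .repo from the notes.

SAMPLE_RPM_OK='[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel8
gpgcheck=1
enabled=1'

# Constructed weakened variant: plain HTTP and signature checking switched off.
SAMPLE_RPM_BAD='[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=http://repo.zimbra.com/rpm/onlyoffice/rhel8
gpgcheck=0
enabled=1'

# The apt source lines from the notes, and a variant pinned to a keyring.
# The /usr/share/keyrings path is hypothetical.
SAMPLE_APT_PLAIN='deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra'
SAMPLE_APT_PINNED='deb [arch=amd64 signed-by=/usr/share/keyrings/zimbra-onlyoffice.gpg] https://repo.zimbra.com/apt/onlyoffice focal zimbra'

# lint_repo_def KIND DEFINITION    (KIND is "rpm" or "apt")
# Prints one line per finding; the return code is the number of findings.
lint_repo_def() {
    kind="$1"; def="$2"; findings=0
    # A non-TLS URL lets an on-path attacker serve metadata and packages.
    if printf '%s\n' "$def" | grep -q 'http://'; then
        echo "finding: repository URL is not https"
        findings=$((findings + 1))
    fi
    case "$kind" in
    rpm)
        # Without gpgcheck=1, yum installs whatever the mirror returns.
        if ! printf '%s\n' "$def" | grep -qx 'gpgcheck=1'; then
            echo "finding: gpgcheck=1 missing, package signatures not verified"
            findings=$((findings + 1))
        fi
        ;;
    apt)
        # A key added with apt-key is trusted for every source on the host;
        # signed-by restricts it to this one. Flag deb/deb-src lines lacking it.
        if printf '%s\n' "$def" | grep -E '^deb(-src)? ' | grep -qv 'signed-by='; then
            echo "finding: deb line without [signed-by=...]"
            findings=$((findings + 1))
        fi
        ;;
    *)
        echo "unknown kind: $kind" >&2
        return 99
        ;;
    esac
    return "$findings"
}

# Stand-alone demonstration on the constructed samples.
lint_repo_def rpm "$SAMPLE_RPM_OK" && echo "rpm sample: clean"
lint_repo_def rpm "$SAMPLE_RPM_BAD" || echo "rpm weakened sample: $? finding(s)"
lint_repo_def apt "$SAMPLE_APT_PLAIN" || echo "apt sample from the notes: $? finding(s)"
lint_repo_def apt "$SAMPLE_APT_PINNED" && echo "apt pinned sample: clean"
```

Run it with `sh` before copying a definition into /etc/yum.repos.d or /etc/apt/sources.list.d; a non-zero return code is the number of problems found. The apt lines as written in the notes produce one finding (no `signed-by`), which is a hardening recommendation rather than an error in the notes.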
IMPORTANT: If the steps above were missed before installing OnlyOffice, install it manually as follows.
- As the root user, run the commands below (assuming Zimbra is already installed):
$ wget -O /opt/zimbra/bin/zmonlyofficeinstall https://raw.githubusercontent.com/Zimbra/zm-core-utils/10.0.9/src/bin/zmonlyofficeinstall
$ chmod 755 /opt/zimbra/bin/zmonlyofficeinstall
$ /opt/zimbra/bin/zmonlyofficeinstall
IMPORTANT: Zimbra OpenSSL with default FIPS Configuration
- Please be advised that TLS 1.2 is the minimum supported version when FIPS is used with OpenSSL 3.0. We recommend running Zimbra with a strong TLS configuration for increased security. Please follow the instructions in Cipher-suites-wiki to set the correct ciphers for the current versions of openssl, nginx and postfix.
- From this patch onward, Zimbra OpenSSL is configured with FIPS compliance enabled by default. No action is required unless you run into issues, in which case you can switch to the non-FIPS provider as follows:
- Run below commands to Enable/Disable FIPS providers on all servers.
Disable FIPS provider:
As root user run below commands
Take a backup of openssl.cnf:
cd /opt/zimbra/common/etc/ssl
cp openssl.cnf <backup-path>/openssl.cnf
Copy the openssl-source.cnf file into place:
cd /opt/zimbra/common/etc/ssl
cp openssl-source.cnf openssl.cnf
Verify that the FIPS provider is disabled: run the command below and confirm that the fips provider is not listed
/opt/zimbra/common/bin/openssl list --providers
As the zimbra user, run the commands below
su - zimbra
zmcontrol restart
Enable FIPS provider:
As root user run below commands
Take a backup of openssl.cnf:
cd /opt/zimbra/common/etc/ssl
cp openssl.cnf <backup-path>/openssl.cnf
Copy the openssl-fips.cnf file into place:
cd /opt/zimbra/common/etc/ssl
cp openssl-fips.cnf openssl.cnf
Verify that the FIPS provider is enabled: run the command below and confirm that the fips provider is listed
/opt/zimbra/common/bin/openssl list --providers
As the zimbra user, run the commands below
su - zimbra
zmcontrol restart
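The verification step in both procedures relies on reading the provider listing by eye. As an added check (example code, not part of the Zimbra release notes or of Zimbra's tooling), the script below parses the output of `openssl list -providers` and reports whether a provider named `fips` is loaded and active, so the state can be asserted from a post-patch script or a fleet-wide health check. The two sample listings are constructed to mirror OpenSSL 3 output; the live check assumes the Zimbra binary at /opt/zimbra/common/bin/openssl.

```shell
# Added example (not from the Zimbra release notes): decide from the output of
#   /opt/zimbra/common/bin/openssl list -providers
# whether the FIPS provider is loaded and active.
# Both sample listings below are constructed to mirror OpenSSL 3 output.

# Constructed sample: listing after copying openssl-fips.cnf into place.
SAMPLE_FIPS_ON='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active'

# Constructed sample: listing after copying openssl-source.cnf into place.
SAMPLE_FIPS_OFF='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active'

# fips_provider_active LISTING
# Returns 0 if a provider named "fips" appears with "status: active".
# In this listing format provider names are indented by two spaces and
# their attributes by four, so the indentation tells the two apart.
fips_provider_active() {
    printf '%s\n' "$1" | awk '
        /^  [^ ]/       { name = $1; next }
        /^    status: / { if (name == "fips" && $2 == "active") found = 1 }
        END             { exit(found ? 0 : 1) }'
}

# fips_status_from_openssl [OPENSSL_BINARY]
# Live check against the installed Zimbra OpenSSL; only meaningful on a server.
fips_status_from_openssl() {
    bin="${1:-/opt/zimbra/common/bin/openssl}"
    [ -x "$bin" ] || { echo "openssl binary not found: $bin" >&2; return 2; }
    fips_provider_active "$("$bin" list -providers)"
}

# Stand-alone demonstration on the constructed samples.
if fips_provider_active "$SAMPLE_FIPS_ON"; then
    echo "sample 1: FIPS provider active"
fi
if ! fips_provider_active "$SAMPLE_FIPS_OFF"; then
    echo "sample 2: FIPS provider not loaded"
fi
```

On a server, `fips_status_from_openssl && echo FIPS || echo non-FIPS` after `zmcontrol restart` gives the same answer as the manual inspection above; a return code of 2 means the binary was not found rather than that FIPS is off.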
Security Fixes
Summary | CVE-ID | CVSS Score |
---|---|---|
A stored XSS vulnerability in the `contacts/print` endpoint has been addressed. | CVE-2024-45513 | TBD |
Fixed a security vulnerability in the postjournal service which may allow unauthenticated users to execute commands. | CVE-2024-45519 | TBD |
A Server-Side Request Forgery (SSRF) vulnerability that allowed unauthorized access to internal services has been addressed. | CVE-2024-45518 | TBD |
A Cross-Site Scripting (XSS) issue that allowed an attacker to inject and execute malicious code via email account configurations has been resolved. | CVE-2024-45194 | TBD |
A Cross-Site Scripting (XSS) vulnerability in the `/h/rest` endpoint has been fixed. | CVE-2024-45517 | TBD |
Resolved Cross-Site Scripting (XSS) vulnerability due to inadequate validation of metadata's Content-Type when importing files into the briefcase, preventing arbitrary JavaScript execution. | CVE-2024-45515 | TBD |
A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. | CVE-2024-45516 | TBD |
A Cross-Site Scripting (XSS) vulnerability caused by a non-sanitized `packages` parameter has been resolved. | CVE-2024-45514 | TBD |
A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. | TBD | TBD |
Fixed a reflected XSS vulnerability in the Briefcase module due to improper sanitization by the OnlyOffice formatter. | CVE-2024-45511 | TBD |
Fixed a Stored Cross-Site Scripting (XSS) vulnerability in the Briefcase module that could execute malicious code when interacting with folder share notifications. | CVE-2024-45512 | TBD |
Fixed a stored XSS vulnerability that could lead to unauthorized actions when adding contacts from specially crafted emails. | CVE-2024-45510 | TBD |
A Cross-Site Scripting (XSS) vulnerability in TinyMCE was addressed by upgrading it from version 7.1.1 to 7.2.0. | CVE-2024-38356 | Medium |
What's New
Modern Web App
General
- An option to turn off the deletion of appointments for declined meetings has been implemented. Users can now retain appointments in their calendars even if they decline the meeting.
- A PostCSS line return parsing error has been fixed, improving the stability and reliability of the stylesheet processing in the Modern UI.
- Implementation of truncated folder names in the Modern UI has been completed. Folder names that are too long will now be truncated appropriately to fit the interface.
Mail
- The tap-to-read or select functionality in the mobile mail list has been reconfigured to allow a larger tap area. This update improves the user experience by making it easier to interact with emails on mobile devices.
- The formatting of footer and signature elements in mobile views has been adjusted for better readability and presentation.
- The folder list is no longer shown when composing emails in the Modern UI, reducing the cognitive load on the user and reducing visual clutter.
Admin Web Console
- Admin Users can now add or remove devices from databases using the admin UI Home → Configure → Global Settings → Mobile.
Fixed Issues
Zimbra Collaboration
- An email attachment whose file name and contents are in Japanese is now previewed correctly.
- In ZCS 10, the OnlyOffice repository path has been removed from the installer. Users must now configure the OnlyOffice repository before installation. If this step is missed, the installer will not provide the option to install OnlyOffice. To address this, a new script has been provided for installing OnlyOffice post-installation. The script is compatible with ZCS 10.1. As a root user, execute the script `/opt/zimbra/bin/zmonlyofficeinstall`.
- Folder names with the + sign were not returned when listing folders through IMAP. The issue has been fixed.
- When a draft whose subject and body contained special characters (Č, ć, ž, š, đ) was created in the Web App, synced to Gmail (with the account configured via ActiveSync), edited in Gmail and synced back to ZWC, unexpected characters (e.g. ?) appeared. The issue has been fixed and the characters now appear correctly.
- We have resolved the issue where attempting to view the message headers of an email attachment resulted in a 'javax.servlet.ServletException' error.
- Even when commercial certificates were installed on the server, OnlyOffice used self-signed certificates. The issue has been fixed.
- The issue of a lock failure exception during folder synchronization on Android devices has been resolved. The problem occurred when syncing deleted subfolders and shared mail across multiple devices simultaneously.
- The issue with ActiveSync has been fixed where folder IDs in the receiving account were overwritten by shared folder mount points during sync. This caused messages to appear in incorrect folders. The problem has been resolved, ensuring folder IDs remain correct and messages stay in their intended folders. Users facing this issue will have to reconfigure their account on the device.
- The problem where it was not possible to remove a mobile device from the admin console has been addressed. Admins can now successfully remove mobile devices as needed.
- After upgrading to version 10.0.6, users encountered a "no such object" error. This issue has been fixed, and the error no longer occurs.
- Fixed an issue where for certain system-generated emails, the hyperlink was getting modified which resulted in an invalid URL.
- Inline images and PDF files in some specific mails were not getting previewed in Web App. The issue has been fixed.
- Fixed an issue with Apple Calendar where the attendee's free/busy information was not displayed when creating a new event.
- Support for zmblobchk has been added to ensure consistency checks for mailboxes using S3 external storage for secondary or primary volumes. Previously, zmblobchk reported "blob not found" errors for messages stored on S3. zmblobchk now correctly handles and verifies data on S3, improving the accuracy of mailbox consistency checks.
- When using the OWASP sanitizer, certain emails were not displayed correctly. The issue has been fixed.
- An issue has been resolved where file attachments with UTF-8 encoded names sent from Outlook for Mac were not decoded correctly in the Web App.
- When the Undo Send feature was enabled and a delegate attempted to send an email on behalf of the delegator, an error occurred and the email was not sent. This issue has been fixed.
- Fixed a logging issue where the mailbox logs were flooded for accounts set up through the EWS protocol.
Modern Web App
General
- The issue where the "sender address is suspicious" warning was incorrectly triggered by case differences in the email address has been resolved. The check for suspicious email addresses is now case-insensitive (the domain part of an address is case-insensitive per RFC 5321, and relying on case-sensitive local parts is discouraged by the same RFC).
- An issue where extra body content was being added in the Modern UI mail body under certain conditions has been corrected.
- An issue in the Modern UI where moving emails in "Conversation view" caused unexpected behavior has been fixed.
- The issue where email body/text alignment in the Modern UI web app was incorrect has been resolved.
- Scrolling issues within the Modern UI have been addressed. Users should now experience smooth and consistent scrolling behavior across all supported apps including Zimbra desktop.
- The problem where S/MIME signing did not work in the Modern UI has been addressed. S/MIME signing functionality is now fully operational.
- An issue where editing the attendees or the body of a new event would not save the changes correctly has been fixed. All edits are now properly saved.
- The issue where meeting invitation emails incorrectly displayed a conflict banner for meetings has been resolved. The conflict banner now only shows when there is an actual scheduling conflict.
- An issue in Zimbra Connector for Outlook (ZCO) where creating a folder of unknown type resulted in errors has been fixed.
- The issue where there was no save button after searching and editing a contact has been resolved.
- In the Modern UI, an issue where Zimbra incorrectly showed all folder types in the folder tree has been fixed.
- An issue where multi-day all-day appointments were truncated to a single day has been fixed. Multi-day all-day events now display correctly across all intended dates.
Mail
- An issue where wide elements in emails were not displayed correctly when reading on mobile has been addressed. Emails now render properly on mobile devices regardless of content width.
- The "Edit as new" option was previously unavailable when no predefined signature was set. This issue has been resolved, and the option is now accessible regardless of signature settings.
Calendar
- The issue where the "Today" button on the calendar print dialog was not working has been fixed. The button now correctly navigates to today's date in the print preview.
- An issue in the Modern UI where the "New Event" body did not wrap text properly has been resolved. Additionally, the button alignment has been corrected to ensure proper layout.
- The issue where an error was thrown upon clicking the "Show Availability" button in the calendar has been resolved. Users can now view availability without encountering errors.
Zimbra Connector for Outlook
- ZCO stopped syncing when NO_NAME was encountered in any contact. The issue has been fixed.
- Fixed an issue where the tags created in the Web App were getting overwritten with tags created in ZCO.
Known Issues
Modern Web App
- When replying to or forwarding an email in plain text with attachments, an error message stating "Failed to Process this request" may appear when the draft is auto-saved. This issue occurs after switching the email format from HTML to plain text, especially when the email contains an image in the signature.
- When viewing a message that was sent to one or more distribution lists, each distribution list is displayed twice.
- "Edit as New," "New Event," and "Print" functionalities do not work when the preview pane is disabled in the Zimbra Modern UI. As a workaround, please enable the preview pane to use these features.
Briefcase
- When the user creates a new sub-folder, that sub-folder is displayed twice instead of once. The issue is resolved by refreshing or logging in again to the web client.
- EML file importing is not working on Zimbra version 10.0.0 and above.
Packages
The package lineup for this release is:
zimbra-patch -> 10.0.9.1724303022-2
zimbra-mta-patch -> 10.0.9.1723819711-1
zimbra-onlyoffice-patch -> 10.0.9.1724058507-1
zimbra-mbox-ews-service -> 10.0.9.1723795950-1
zimbra-common-core-jar -> 10.0.9.1723804604-1
zimbra-mbox-store-libs -> 10.0.9.1723804351-1
zimbra-mbox-webclient-war -> 10.0.9.1723645398-1
zimbra-zco -> 1944.1723811444-1
zimbra-onlyoffice -> 1.0.1718861068-1
zimbra-modern-ui -> 4.39.0.1724260715-1
zimbra-modern-zimlets -> 4.39.0.1724260715-1
zimbra-zimlet-classic-unsupportedbrowser -> 4.1.1.1723729388-1
zimbra-zimlet-date -> 8.0.0.1723729388-1
zimbra-zimlet-restore-contacts -> 7.2.1.1723729388-1
zimbra-zimlet-set-default-client -> 10.4.1.1723729388-1
zimbra-zimlet-user-feedback -> 7.2.1.1723729388-1
zimbra-zimlet-classic-document-editor -> 2.2.1.1723729388-1
zimbra-zimlet-classic-set-default-client -> 1.1.0.1723729388-1
Patch Installation
Please refer to the link below to install 10.0.9:
Quick note: Open Source repo
The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build