Zimbra Releases/10.1.13
Zimbra Daffodil (v10.1.13) Patch Release
Release Date: Nov 06, 2025
Exchange Web Services (EWS) – Support Update
Microsoft has recently announced an extension of Legacy Exchange Web Services (EWS) support until October 2026 (previously October 2025).
In line with this update, Zimbra will continue to support EWS across the currently supported Outlook versions to ensure continued interoperability with Outlook clients that rely on this protocol.
Security Fixes
| Summary | CVE-ID | CVSS Score |
|---|---|---|
| Upgraded AntiSamy to version 1.7.8 and removed legacy @import sanitization logic to address a stored cross-site scripting (XSS) vulnerability | CVE-2025-66376 | TBD |
| Revoked and removed hardcoded Flickr API credentials from the Flickr Zimlet | TBD | TBD |
| Introduced path validation in the ExportAndDeleteItemsRequest API to prevent unsafe file exports | TBD | TBD |
| Addressed a missing CSRF enforcement issue in specific authentication flows | TBD | TBD |
| Addressed an unauthenticated local file inclusion vulnerability in the RestFilter | TBD | TBD |
| The PDF preview option in Classic Web App has been removed to safeguard users from a stored XSS vulnerability associated with PDF attachments. As part of this security enhancement, clicking a PDF file will now directly download it instead of opening it in a new browser tab for preview. This change is intentional and was implemented to ensure a more secure user experience. | NA | NA |
| Added input validation and null checks in the PreAuthServlet to prevent internal error disclosure on malformed requests | NA | NA |
| Addressed an admin account enumeration issue. | NA | NA |
| Upgraded Apache HttpClient library to version 4.5.14 as a proactive security and maintenance measure | NA | NA |
What's New
Package Upgrade
- The ClamAV package has been upgraded from 1.0.8 to 1.4.3
- The Jetty package has been upgraded from 9.4.46.v20220331 to 9.4.57.v20241219
- The OpenSSL package has been upgraded from 3.0.9 to 3.5.1
Zimbra Collaboration
- External email warning messages now support LDAP configuration. Admins can centrally manage the warning text via LDAP/global settings (instead of local files), simplifying deployment and ensuring consistent warnings across users and domains.
Modern Web App
General
- The “Recover Deleted Items” option in Modern UI has been enhanced to let users restore not just emails, but also contacts, appointments, and briefcase items directly from Trash, making it easier to recover accidentally deleted content.
- The Modern Web App now allows users to manage POP and IMAP access directly from the Settings section. Users can easily enable or disable access for external mail clients, with options for both IMAP and POP providing greater flexibility and control.
- The Mail vertical now offers instant email suggestions as you type in the search bar. Quickly find relevant emails without completing your full search term, making it faster and easier to locate what you need.
- The Tag Management interface has been redesigned for a cleaner, more intuitive experience. Creating, editing, and organizing tags is now simpler and more consistent across the app. Enjoy improved visuals, better accessibility, and helpful hover effects making tag management effortless and visually engaging.
- Folder loading in the Mail and Briefcase sections has been optimized to handle accounts with a large number of folders more efficiently. The update reduces CPU, memory and network usage, which results in faster rendering and a noticeably quicker, more responsive experience for users with large folder structures.
- Users can now easily view the members of a Distribution List (DL) right from the Message Preview pane. This enhancement allows users to quickly expand and see all DL members without switching views, making it easier to verify message recipients and ensure accurate communication.
- The Modern Web App now boosts visual highlighting across all sections like Mail, Briefcase, and Contacts when dragging and dropping items. The hovered folder or destination is clearly highlighted, helping users easily identify the drop target, prevent mistakes, and enjoy a smoother, more intuitive experience throughout the app.
- Composing and sharing just got a lot smoother! You can now remove any recipient, whether in To, Cc, Bcc, or invitee fields, with a simple click on the “X” icon next to their name. No more backspacing through long lists. This enhancement brings a sleek and intuitive experience across Mail, Calendar, Briefcase, and Contacts.
- Smart Conversation Loading brings a significant performance boost when opening large or long email threads, improving load times and responsiveness for a faster and smoother experience in the Modern Web App.
- A new “Show Original” option has been added to the appointment actions in the Modern Web App Calendar, allowing users to view the original raw content of a calendar event. This enhancement helps with troubleshooting and transparency, making it easier to inspect appointment details.
- The Mail section now preserves the user’s last viewed state. When switching between tabs (e.g., moving from Mail to New Message and back), the previously previewed email and folder remain visible, so users can resume their work exactly where they left off.
Calendar
- The Modern Web App calendar experience has been enhanced with improved accessibility for event actions. Frequently used options such as reply, propose new time, forward, and copy are now conveniently available in the More menu. Additionally, a new Show Original option has been added and the Print icon now appears consistently for all events.
- The Modern Web app calendar module now allows organizers to edit cancellation messages for single and recurring meetings, improving clarity for attendees. For recurring events, organizers can choose to cancel one instance or the entire series. A new “Edit Message” option lets users personalize messages before sending.
Zimbra Connector for Outlook
- Enhanced Zimbra Connector for Outlook (ZCO) to extend PartialSync functionality to shared mailboxes, improving performance for large-scale environments. This update significantly reduces initial sync times by allowing administrators to define sync windows for both primary and shared mailboxes.
- Zimbra Connector for Outlook (ZCO) now officially supports Microsoft Outlook 2024, bringing an enhanced and seamless experience for users upgrading to the latest Outlook version.
ActiveSync
- This update enhances calendar collaboration by enabling proper handling of forwarded meeting invitations from iOS devices. When an attendee forwards an invite, the new recipient now receives it correctly, can RSVP (Accept, Decline, Tentative), and the organizer’s attendee list updates automatically across all clients for consistent synchronization.
Chat
- Chat zimlets and extensions have been updated with the latest improvements. The new chat installer zfzi-2.0.1 has been released. The chat server base version remains 10.2 (unchanged since ZCS 10.1.10), while the customization version has been updated from 10.2.0 to 10.2.1 to include the latest enhancements and fixes.
Fixed Issues
Modern Web App
General
- Added a warning message in the Classic Web app to notify users when sorting emails is restricted due to disabled Preferences. This ensures consistency with the Modern Web app and Zimbra Desktop.
- Fixed an issue in the Modern Web app where editing a calendar appointment on mobile browsers (Google Chrome/Firefox) reset the time to 12:00 AM after changing the date. The appointment time now remains unchanged when the date is modified.
- Enhanced session handling in the Modern Web app to stop periodic NoOpRequests after a user session expires. Web users are now redirected to the login page upon session expiry, while Desktop Client users retain offline access without triggering failed NoOpRequests.
- Fixed an issue in the Modern Web app where the compose window background turned black while typing long messages in dark theme.
- Updated the “Help” button in the Modern Web app to direct users to the latest Zimbra 10 User Guide instead of redirecting to Zimbra 9.0 documentation.
- Improved the Modern Web app mobile view to allow selecting multiple emails without automatically opening the last clicked email. Emails now remain highlighted for multi-selection as expected.
- An issue in the Modern Web app where the Sessions and Devices tab did not update session information after a password change has been handled.
- The Modern Web app now prevents users from creating multiple filters with the same name, ensuring better filter management and avoiding duplicate entries.
- In the Modern Web app, when composing an email using “Send As” a Distribution List (DL), the selected DL in the “From” field now remains persistent even after navigating away and returning to the compose window.
- In the Modern Web app, replying to emails with a Reply-To address now works correctly even after canceling and reopening the reply. The reply will always go to the intended Reply-To address instead of switching to the sender’s address.
- In Zimbra Connector for Outlook (ZCO), organizers can now accept or decline proposed new meeting times directly in Outlook when attendees respond from the Web Client. The “Accept Proposal” options are no longer disabled, ensuring consistent behavior across both platforms.
- An issue has been resolved in the Modern Web App. Punycode email addresses with double TLDs are now handled correctly, displaying the full domain and allowing successful email sending and contact creation without validation errors.
- Resolved an issue where expanding hidden messages in long email threads sometimes failed to display the full message history. With this fix, all replies and historical content are now shown completely when expanding hidden sections.
Classic Web App
- In the Classic Web app, multiple Advanced Chat tabs were appearing when users went offline and came back online or kept the client open for an extended time. The behavior has been corrected to maintain a single consistent Advanced Chat tab.
- Fixed an issue where overdue tasks were not highlighted in red in the Classic Web App, restoring the visual cue that helps users easily identify overdue tasks.
- An issue has been fixed where contact groups were not auto-filling recipients in the “To” field when composing emails with the “Always compose in a new window” option enabled. With this enhancement, group members now populate correctly.
Zimbra Connector for Outlook
- Fixed an issue in Zimbra Connector for Outlook (ZCO) that caused repeated admin (UAC) prompts for users without admin rights. The installer now uses user-level registry entries to prevent permission issues in restricted environments.
- Delivery Status Notifications (DSN) are now received when emails are sent from Outlook via ZCO.
- In Zimbra Connector for Outlook (ZCO), when accessing a shared account, an unexpected “Deleted Items” folder appeared alongside “Trash,” causing confusion. This has been corrected so that only the Trash folder is displayed, matching the Web Client behavior.
- Updated Zimbra Connector for Outlook (ZCO) behavior to correctly display the “Free” or “Busy” status for private events. Outlook users can now see the proper availability distinction in shared calendar views, matching what is shown in the Web Client.
- Improved Zimbra Connector for Outlook (ZCO) handling when emails exceed the admin-defined attachment size limit. Users now receive a proper notification without losing attachments or images, and the size limit is handled.
ActiveSync
- Improved meeting response handling in ActiveSync to prevent duplicate response emails when replying to multiple invites, including single or recurring meetings.
- Resolved an issue where some emails displayed garbled characters on mobile via ActiveSync, despite appearing correctly in Webmail.
- Resolved an issue where calendar attachments appeared as “zero KB” when opened on iPhones. Attachments in appointments now display and download correctly.
Calendar
- Resolved an issue in the Modern Web app where switching between calendar views (Month, Week, Day, Year, List) displayed a “Permission Denied” error when the Preferences feature was disabled for the user.
HSM
- Updated the zmpurgeoldmbox behavior to ensure data stored in connected S3 buckets is also removed after an account is moved to another mailbox server using zmmboxmove, ensuring complete data cleanup.
- In the Modern Web app, users can now select multiple emails using the Shift key even when the No preview pane option is enabled. The selection behavior is now consistent with other preview pane modes.
Packages
The package lineup for this release is:
- zimbra-patch -> 10.1.13.1761924917-2
- zimbra-lds-patch -> 10.1.13.1762357665-1
- zimbra-mta-patch -> 10.1.13.1761924917-1
- zimbra-onlyoffice-patch -> 10.1.13.1761924917-1
- zimbra-proxy-patch -> 10.1.13.1761924917-1
- zimbra-ldap-patch -> 10.1.13.1761924917-1
- zimbra-common-core-jar -> 10.1.13.1761912123-1
- zimbra-common-mbox-conf-msgs -> 10.1.13.1760016439-1
- zimbra-mbox-war -> 10.1.13.1760357419-1
- zimbra-common-mbox-conf-attrs -> 10.1.13.1760357419-1
- zimbra-common-core-libs -> 10.1.13.1761912748-1
- zimbra-mbox-store-libs -> 10.1.13.1761912748-1
- zimbra-mbox-ews-service -> 10.1.13.1759999151-1
- zimbra-license-tools -> 10.1.13.1761636666-1
- zimbra-license-extension -> 10.1.13.1759995036-1
- zimbra-mbox-webclient-war -> 10.1.13.1759855564-1
- zimbra-mbox-admin-console-war -> 10.1.13.1759852961-1
- zimbra-license-daemon -> 1.0.0.1762353026-1
- zimbra-zco -> 1949.1760350148-1
- zimbra-jetty-distribution -> 9.4.57.v20241219-2
- zimbra-rsync -> 3.4.1-1zimbra8.7b2
- zimbra-core-components -> 10.1.5-1zimbra10.0b1
- zimbra-ldap-components -> 10.1.2-1zimbra10.0b1
- zimbra-openssl -> 3.5.1-1zimbra8.8b1
- zimbra-openssl-lib -> 3.5.1-1zimbra8.8b1
- zimbra-mta-components -> 10.1.4-1zimbra8.8b1
- zimbra-postfix -> 3.6.14-1zimbra8.7b6
- zimbra-clamav -> 1.4.3-1zimbra8.8b4
- zimbra-clamav-lib -> 1.4.3-1zimbra8.8b4
- zimbra-clamav-db -> 1.0.0-1zimbra8.7b3
- zimbra-modern-ui -> 4.47.0.1761819399-1
- zimbra-modern-zimlets -> 4.47.0.1759939764-1
- zimbra-extension-chat-proxy -> 3.0.0.1760428847-1
- zimbra-zimlet-admin-chat -> 2.1.0.1759937981-1
- zimbra-zimlet-classic-set-default-client -> 1.4.0.1759937981-1
- zimbra-zimlet-download-email -> 2.2.0.1759937981-1
- zimbra-zimlet-external-setting-links -> 1.2.0.1759937981-1
- zimbra-zimlet-additional-signature-setting -> 9.6.0.1759937981-1
- zimbra-zimlet-calendar-subscription -> 8.0.0.1759937981-1
- zimbra-zimlet-classic-unsupportedbrowser -> 4.2.0.1759937981-1
- zimbra-zimlet-user-feedback -> 7.4.0.1759937981-1
- zimbra-zimlet-user-sessions-management -> 10.4.0.1759937981-1
- zimbra-zimlet-classic-document-editor -> 2.4.0.1759937981-1
- zimbra-zimlet-document-editor -> 13.1.0.1759937981-1
- zimbra-zimlet-chat -> 12.0.2.1760424188-1
- zimbra-zimlet-classic-chat -> 2.1.1.1760424188-1
Patch Installation
Please refer to the link below to install 10.1.13 (Nov 06 2025):
Quick note: Open Source repo
The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build

