Zimbra Releases/10.1.3
Zimbra Daffodil (v10.1.3) Patch Release
Release Date: November 12, 2024
Check out the What's New, Things to Know Before Upgrading and Known Issues sections for this version of Zimbra Collaboration.
Things to know before you upgrade
Changes to Licensing System
Zimbra Daffodil (v10.1) introduced a new license service with significant changes in licensing management. A new service named License Daemon Service (LDS) has been added and is required to support management of the license. Please refer to the Licensing Enhancement section for more details.
NOTE: Please reach out to Support to get your 10.1.0 license before you plan your installation or upgrade. You will not be able to proceed with the upgrade without the new license key.
NOTICE: OpenJDK cacert Package Upgrade
Please follow the instructions:
Install zimbra-core-components before the patch upgrade on the mailstore node.
apt-get install zimbra-core-components (For Ubuntu)
yum install zimbra-core-components (For RHEL/CentOS/Rocky Linux)
While deploying zimlets, if the following error is encountered:
Enabling Zimlet zimbra-zimlet-secure-mail
ERROR: zclient.IO_ERROR (invoke PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, server: localhost) (cause: javax.net.ssl.SSLHandshakeException PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
*** zimbra-zimlet-secure-mail Installation Completed. ***
*** Restart the mailbox service as zimbra user. Run ***
then redeploy the zimlets that throw the error during the patch upgrade:
zmzimletctl -l deploy <zimlet.zip file name>
Security Fixes
| Summary | CVE-ID | CVSS Score |
|---|---|---|
| A Local File Inclusion (LFI) vulnerability in the /h/rest endpoint, allowing authorized remote attackers to access sensitive files in the WebRoot using their valid auth tokens, has been fixed to prevent unauthorized file access. | | |
| An XSS vulnerability in the /h/rest endpoint, which allows authorized remote attackers to exploit it using their valid auth tokens, has been fixed to prevent arbitrary JavaScript execution. | | |
| The OpenJDK package has been upgraded to version 17.0.12 to fix multiple vulnerabilities | CVE-2023-22067 | |
| The Apache package has been upgraded to version 2.4.62 to fix multiple vulnerabilities | CVE-2023-38709 | |
| The ClamAV package has been upgraded to version 1.0.6 to fix multiple vulnerabilities | CVE-2024-20328 | |
What's New
Package Upgrade
- The Apache package has been upgraded from 2.4.57 to 2.4.62
- The ClamAV package has been upgraded from 1.0.1 to 1.0.6
- The OpenJDK package has been upgraded from 17.0.8 to 17.0.12
Zimbra Collaboration
- Previously, an active external volume could be deleted without any errors or warnings. An error is now given when trying to delete an active external volume.
- A new feature “Ignore/Mute conversation” has been added in version 10.1.3. This feature allows users to mute distracting or irrelevant email threads, and automatically mutes the notifications. Message notifications for ignored threads are disabled by default.
Modern Web App
General
- Dark Mode support implemented in the Modern UI to reduce eye strain. Users can toggle Dark Mode in the settings or allow the UI to follow the OS theme. Available across web, mobile, and tablet interfaces.
- Sync options now appear only if mobile sync is enabled; earlier they appeared irrespective of the value of zimbraFeatureMobileSyncEnabled.
- Users are now warned about deceptive URLs using hyperlink validation. If the displayed text does not match the underlying URL, users are warned about it. This feature helps prevent phishing attacks. Users can opt to proceed despite the warning.
- Organization-wide signature templates introduced, allowing administrators to set email signatures for all users. Users can apply and further customize these templates.
- New users of Zimbra Modern UI will now be guided through an interactive tutorial on their first login, introducing key features like navigation, mail management, and settings. The tutorial enhances the onboarding experience and can be skipped at any time.
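The hyperlink validation described above compares what the user reads with where the link actually goes. The following is an added example of that check, not code from the zimbra-zimlet-deceptive-link-detector zimlet; the function names and the sample HTML are constructed for illustration.

```javascript
// Added example, not the zimlet's source. All hosts below are constructed.
// Extract a host from the visible link text, or null if the text is not URL-like.
function hostFromText(text) {
  const m = text.trim().match(
    /^(?:[a-z][a-z0-9+.-]*:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[:\/?#]|$)/i);
  return m ? m[1].toLowerCase() : null;
}

// Compare the host the user reads with the host the browser would open.
function checkLink(text, href) {
  let target;
  try {
    target = new URL(href);
  } catch {
    return { deceptive: false, reason: 'href is not an absolute URL' };
  }
  if (!/^https?:$/.test(target.protocol)) {
    return { deceptive: false, reason: 'not a web link' };
  }
  const shownHost = hostFromText(text);
  if (!shownHost) return { deceptive: false, reason: 'text is not URL-like' };
  const actualHost = target.hostname.toLowerCase();
  const bare = (h) => h.replace(/^www\./, '');
  const deceptive = bare(shownHost) !== bare(actualHost);
  return { deceptive, shownHost, actualHost };
}

// Scan an HTML fragment. A regex is enough for this constructed sample;
// a mail client would walk the parsed DOM instead.
function findDeceptiveLinks(html) {
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const hits = [];
  for (const m of html.matchAll(re)) {
    const text = m[2].replace(/<[^>]*>/g, '').trim();
    const verdict = checkLink(text, m[1]);
    if (verdict.deceptive) hits.push({ text, href: m[1], ...verdict });
  }
  return hits;
}

const SAMPLE_HTML = `
<a href="https://mail.example.com/inbox">https://mail.example.com/inbox</a>
<a href="http://login.other.example.net/reset"><b>www.mybank.example</b>/reset</a>
<a href="https://docs.example.org/guide">Read the guide</a>
<a href="mailto:help@example.com">help.example.com</a>`;

console.log(findDeceptiveLinks(SAMPLE_HTML));
```

Only the second anchor is reported: links whose text is not URL-like, or whose target is not http(s), are left alone so that ordinary "Read the guide" links do not trigger warnings.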
Fixed Issues
Zimbra Collaboration
- The correct Zimbra version is displayed in a multi-node environment when LDS is installed on a standalone node.
- When creating a draft in a Web App with the subject and body containing special characters (Č, ć, ž, š, đ), syncing it with Gmail where the user's account is configured using ActiveSync and then editing the draft in Gmail results in unexpected characters (e.g., ?) appearing when syncing back to ZWC. The issue has been fixed and the characters now appear correctly.
- Autocomplete now displays correct results when typing the initials of the user.
- When using the external warning feature, in some cases the emails were not displayed correctly due to incorrect order of the Content-Type parameter in the email header. The issue has been fixed.
- When using SSDB, the last login details of the user get correctly updated.
- Due to incorrect handling of the "X-Forwarded-For" header, when a repeated login failure occurs, the server suspends the wrong IP address. The issue has been fixed and it now suspends the correct IP address.
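The release note above does not say how the header was mishandled, so the following added example (not Zimbra code) shows the general technique for choosing which address a login throttle should count failures against behind a reverse proxy. The proxy address, the threshold, and the sample requests are assumptions constructed for illustration.

```javascript
// Added example, not Zimbra code. Addresses and threshold are constructed.
const TRUSTED_PROXIES = new Set(['10.0.0.5']); // assumed: the site's own reverse proxy
const MAX_FAILURES = 3;                        // assumed suspension threshold

// Believe X-Forwarded-For only when the TCP peer is a trusted proxy, then walk
// the list right to left and take the first hop that is not one of our proxies.
// Entries further left are supplied by the client and are not verified.
function resolveClientIp(peerIp, xff) {
  if (!TRUSTED_PROXIES.has(peerIp) || !xff) return peerIp;
  const hops = xff.split(',').map((h) => h.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  return peerIp;
}

// Two common mistakes, kept for comparison.
const peerOnly = (peerIp) => peerIp;                                  // ignores the header
const leftmost = (peerIp, xff) => (xff ? xff.split(',')[0].trim() : peerIp);

// Count failed logins per resolved address and list the suspended ones.
function suspendedWith(resolve, failedLogins) {
  const failures = new Map();
  for (const [peerIp, xff] of failedLogins) {
    const ip = resolve(peerIp, xff);
    failures.set(ip, (failures.get(ip) || 0) + 1);
  }
  return [...failures].filter(([, n]) => n >= MAX_FAILURES).map(([ip]) => ip);
}

// Constructed sample: three failed logins from 203.0.113.7 through the proxy,
// each arriving with an extra unverified entry already present in the header.
const SAMPLE_FAILURES = [
  ['10.0.0.5', '198.51.100.9, 203.0.113.7'],
  ['10.0.0.5', '198.51.100.9, 203.0.113.7'],
  ['10.0.0.5', '198.51.100.9, 203.0.113.7'],
];

console.log('peer only :', suspendedWith(peerOnly, SAMPLE_FAILURES));
console.log('leftmost  :', suspendedWith(leftmost, SAMPLE_FAILURES));
console.log('rightmost :', suspendedWith(resolveClientIp, SAMPLE_FAILURES));
```

Counting by peer address suspends the proxy itself, and counting by the leftmost entry suspends an address that never connected; only the right-to-left walk attributes the failures to the connecting client.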
Modern Web App
General
- The search tab remained blocked if a user opened an email from search results; it was inaccessible until the previously opened email tab was closed. This issue has been resolved.
- Resolved multiple translation issues in Modern UI.
Mail
- "Edit as New," "New Event," and "Print" functionalities do not work when the preview pane is disabled in the Zimbra Modern UI. As a workaround, please enable the preview pane to use these features.
Licensing
- "zmlicense -p" command now displays the license start and end date.
- EML file importing is now working on Zimbra version 10.0.0 and above.
Known Issues
Modern Web App
General
- Currently, TinyMCE editor-related controls do not change to dark mode even when it is enabled; e.g., table cells, source code and other controls still appear in regular mode.
Packages
The package lineup for this release is:
zimbra-patch -> 10.1.3.1729160523-2
zimbra-lds-patch -> 10.1.3.1728994977-1
zimbra-mta-patch -> 10.1.3.1728994977-1
zimbra-onlyoffice-patch -> 10.1.3.1728994977-1
zimbra-proxy-patch -> 10.1.3.1728994977-1
zimbra-ldap-patch -> 10.1.3.1728994977-1
zimbra-common-core-jar -> 10.1.3.1728626495-1
zimbra-mbox-ews-service -> 10.1.3.1728551924-1
zimbra-license-tools -> 10.1.3.1728561729-1
zimbra-common-mbox-conf-msgs -> 10.1.3.1728626421-1
zimbra-mbox-webclient-war -> 10.1.3.1728575700-1
zimbra-httpd -> 2.4.62-1zimbra8.7b5
zimbra-apache-components -> 2.0.13-1zimbra8.8b1
zimbra-spell-components -> 2.0.14-1zimbra8.8b1 ( RHEL8, RHEL9, UBUNTU20, UBUNTU22 : 2.0.15-1zimbra8.8b1 )
zimbra-clamav -> 1.0.6-1zimbra8.8b4
zimbra-mta-components -> 10.1.0-1zimbra8.8b1
zimbra-openjdk -> 17.0.12-1zimbra8.8b1
zimbra-openjdk-cacerts -> 1.0.11-1zimbra8.7b1
zimbra-core-components -> 10.1.0-1zimbra10.0b1
zimbra-ldap-components -> 10.1.0-1zimbra10.0b1
zimbra-modern-ui -> 4.41.0.1728647465-1
zimbra-modern-zimlets -> 4.41.0.1728647465-1
zimbra-zimlet-attachment-missing-alert -> 1.0.1.1728641497-1
zimbra-zimlet-custom-fonts -> 2.0.0.1728641497-1
zimbra-zimlet-deceptive-link-detector -> 1.0.0.1728641497-1
zimbra-zimlet-preventive-ooo -> 2.0.0.1728641497-1
zimbra-zimlet-additional-signature-setting -> 9.1.2.1728641497-1
zimbra-zimlet-org-chart -> 4.0.0.1728641497-1
zimbra-zimlet-privacy-protector -> 6.0.0.1728641497-1
zimbra-zimlet-secure-mail -> 3.0.0.1728641497-1
zimbra-zimlet-set-default-client -> 11.0.0.1728641497-1
zimbra-zimlet-sideloader -> 9.0.0.1728641497-1
zimbra-zimlet-modern-welcometour -> 6.1.0.1729503979-1
zimbra-zimlet-signature-template -> 1.0.1.1729503979-1
zimbra-zimlet-tlp -> 2.0.1.1729503979-1
Patch Installation
Please refer to the link below to install 10.1.3:
Quick note: Open Source repo
The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build