Zimbra Releases/10.1.4

Zimbra Daffodil (v10.1.4) Patch Release

Release Date: December 17, 2024

Check out the What's New, Things to Know Before Upgrading sections for this version of Zimbra Collaboration.

Things to know before you upgrade

Important change for zimbraLowestSupportedAuthVersion

Zimbra has deprecated the support for "zimbraLowestSupportedAuthVersion < 2" globalconfig attribute. This change addresses the issue of authentication tokens being insecure when lower versions were allowed.

As a result, Zimbra now enforces "zimbraLowestSupportedAuthVersion = 2" as the minimum supported value. This change may impact in an increase in LDAP write operations for newly issued auth tokens, impacting LDAP performance, particularly in environments with a large user base where the globalconfig attribute zimbraLowestSupportedAuthVersion was set to 1.

Before performing patch upgrade, consider updating "zimbraLowestSupportedAuthVersion = 2" on each mailbox server in a staged manner, one at a time. Follow below guidelines for upgrade:

- Update zimbraLowestSupportedAuthVersion = 2 on mailbox server
  zmprov ms <mailbox server host> zimbraLowestSupportedAuthVersion 2
- Monitor LDAP server load utilisation and wait for LDAP resources to be stable
- Once LDAP utilisation is stable, proceed with next mailbox server
- After all mailbox servers are updated and LDAP utilisation is stable proceed for latest patch upgrade.

Changes to SOAP API

There are changes in ChangePassword SOAP API. Please refer to API reference documentation. If you have custom auth implementation with ChangePassword, please incorporate changes to support new API changes.

Changes to Licensing System

To upgrade to version 10.1.4, it is important to ensure that you are using the latest version of the zimbra-lds-patch package. After upgrading to 10.1.4, you must reactivate the license to maintain synchronization. Please refer to patch installation for LDS patch update steps.

To reactivate the license, execute the following command as zimbra user:

zmilcense -a <license_key>

Security Fixes

Summary CVE-ID CVSS Score
An issue with encoded @import statements in <style> tags that allowed the loading of malicious CSS has been addressed.
CSRF vulnerability on GraphQL endpoints allowing unauthorized operations has been addressed by enforcing CSRF token validation.
SSRF vulnerability in the RSS feed parser that allowed unauthorized redirection to internal network endpoints has been resolved.
An SQL injection vulnerability in the ZimbraSyncService SOAP endpoint has been resolved.
A Cross-Site Scripting (XSS) vulnerability via crafted <img> HTML content in the Zimbra Classic UI has been fixed. LC attribute zimbra_owasp_strip_alt_tags_with_handlers introduced in previous patch is no longer required and has been removed. CVE-2024-45516
A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. LC attribute zimbra_owasp_strip_alt_tags_with_handlers introduced in previous patch is no longer required and has been removed.
A vulnerability in the ChangePassword API has been fixed to require a valid auth token.

What's New

Zimbra Collaboration


Modern Web App

General

  • Updated Turkish translations.
  • Custom link configuration Zimlet for the Modern UI, allows administrators to add a custom label in the settings menu that redirects users to a specified URL. This feature enhances flexibility for organizations to link users to specific resources or tools directly from the Zimbra interface.
  • Introduced @mention functionality in email bodies, auto-adding mentions to the "To" field and highlighting names.
  • Introduced the option to create HTML signatures using source code in the Modern UI, aligning with Classic UI functionality.
  • Added functionality to display the folder location of an email in the search results
  • Implemented URL defanging for added security in emails, converting clickable links to safe non-clickable formats.
  • Fixed 45 accessibility issues to improve Modern UI compliance with Web Content Accessibility Guidelines (WCAG).


Mail

  • Updated the mobile mail view to display the sender's full email address below their display name


Calendar

  • Availability component is now always displayed when creating or editing an event in the calendar.

Admin Web Console

  • Delegated administrators can control the users' 2FA settings. For more details, please refer to the admin-guide

Classic Web App

  • Incorporated the latest IANA Time Zone database to ensure accurate and up-to-date time zone information.


Zimbra Connector for Outlook

  • Enhanced logging by adding the following information - Outlook version, Outlook, and ZCO language selected by the user.
  • The install/upgrade history for the ZCO versions is now maintained.


Licensing

  • Mailbox service restart is not required after switching the LDS node.
  • As part of optimization, the number of refresh calls to the license server has been reduced. A license re-activation is required for any updates to the license (enable a new feature or updates to the limits). Please note that the activation count will not be impacted when re-activating the license on the same server.


Fixed Issues

Zimbra Collaboration

  • Renamed an LC config introduced in Release 10.1.2/10.0.10 from 'zimbra_gql_enable_dangerous_deprecated_get_method_will_be_removed' to 'zimbra_gql_enable_dangerous_deprecated_get_method'. The functionality remains the same. The default value is FALSE (getting displayed as null), and customers are recommended not to set it to TRUE.
  • Improved logging for the following scenarios:
  • License Activation Limit Error: Previously, when the maximum number of activations for a license was reached, the CLI displayed a generic or irrelevant error message. This issue has been resolved, and the system now provides a more appropriate and informative message when the activation limit is exceeded.
  • Trial License Activation Issues: Previously, the activation of a trial license on top of an existing trial license or on a regular license was not handled correctly, resulting in uninformative error messages. This has been fixed, and the system now displays more appropriate and meaningful messages for these scenarios.
  • LDS Restoration Error: When restoring the LDS from its backup on another node after a crash of the existing LDS node, the error messages were unclear or irrelevant. This has been corrected, and the system now provides more appropriate and informative messages for this case.
  • After upgrading to iOS 18, users with IMAP-connected accounts experienced slower search performance, which led to overall slowness. It happened due to an update in the query parameters. The issue has been fixed.
  • Admins can now manage periodic usage reporting on the server to update license usage. The system will skip usage reporting if a forced leader is set for leader election, delay the leader election start by 30 minutes to accommodate the forced leader if necessary, and schedule usage reporting to run at midnight.
  • Fixed an issue with sending scheduled messages through the "Send Later" option with Send on Behalf or Send As Permissions for a Distribution List (DL).
  • Messages scheduled through the "Send Later" option were deleted if mailboxd service was restarted before the messages were sent. The issue has been fixed.
  • "Send Later" scheduled messages disappeared without sending when using a nonexistent email address for "zimbraAllowFromAddress". The issue has been fixed.
  • When creating an appointment, users intermittently faced a "null check" error. The issue has been fixed.


Modern Web App

General

  • Corrected overlapping of appointment details of adjacent event tabs.
  • Fixed rendering of left-side folders that used to occur during zoom-in/zoom-out.
  • Resolved issue causing webmail to hang indefinitely during "Reply To All" in Modern UI.
  • Shared folders are now displayed only on user request in Settings, with improved labeling. Unnecessary exclamation warnings have to been removed to avoid confusion for users.
  • When Sharing is enabled, the Share option in Briefcase's top 3-dot menu is now Active instead of being disabled.
  • Added progress indicators and feedback for large attachment downloads to improve usability.
  • Adjusted the behavior for "Send Later" action to ensure the message preview is shown or skipped appropriately.


Mail

  • Resolved an issue where auto-saving drafts failed when replying/forwarding plain text emails with attachments.
  • Resolved an issue where the left-side menu in the mail pane would disappear after resizing the browser window.
  • Long sender names in the email header on mobile are now truncated with ellipses to prevent overflow issues.
  • Fixed the issue where tapping an email address in the email header on mobile did not display the contact card.


Search

  • Resolved issue where the search bar and top elements disappeared in pinned search tab interactions.


Mobile App

  • Fixed the mobile UI issue where "Edit as New" failed to populate changes and "New Event" opened as a blank form.


Licensing

  • Resolved licensing issue preventing use of "Archiving and Discovery" feature post-upgrade.


Packages

The package lineup for this release is:

zimbra-patch                                      ->  10.1.4.1733459272-2
zimbra-lds-patch                                  ->  10.1.4.1732884536-1
zimbra-mta-patch                                  ->  10.1.4.1732884536-1
zimbra-onlyoffice-patch                           ->  10.1.4.1732884536-1
zimbra-proxy-patch                                ->  10.1.4.1732884536-1
zimbra-ldap-patch                                 ->  10.1.4.1732884536-1
zimbra-mbox-webclient-war                         ->  10.1.4.1732702939-1
zimbra-mbox-admin-console-war                     ->  10.1.4.1732701960-1
zimbra-common-core-jar                            ->  10.1.4.1733200444-1
zimbra-license-tools                              ->  10.1.4.1732877305-1
zimbra-timezone-data                              ->  4.0.0.1732870323-1
zimbra-common-core-libs                           ->  10.1.4.1732820104-1
zimbra-mbox-store-libs                            ->  10.1.4.1732820104-1
zimbra-zco                                        ->  1945.1732881109-1
zimbra-license-daemon                             ->  1.0.0.1732741110-1
zimbra-modern-ui                                  ->  4.42.0.1733403055-1
zimbra-modern-zimlets                             ->  4.42.0.1733403055-1
zimbra-zimlet-email-defanger                      ->  1.0.1.1733403559-1
zimbra-zimlet-external-setting-links              ->  1.0.1.1733403559-1

Patch Installation

Please refer to below link to install 10.1.4:

Patch Installation

Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build

Jump to: navigation, search