Zimbra Releases/10.1.5
Zimbra Daffodil (v10.1.5) Patch Release
Release Date: January 27, 2025
Check out the Things to Know Before Upgrading sections for this version of Zimbra Collaboration.
Things to know before you upgrade
Changes to SOAP API
There are changes in ChangePassword SOAP API. Please refer to API reference documentation. If you have custom auth implementation with ChangePassword, please incorporate changes to support new API changes.
Changes to Licensing System
To upgrade to version 10.1.5 from 10.1.3 or before, it is important to ensure that you are using the latest version of the zimbra-lds-patch package. After upgrading to 10.1.5, you must reactivate the license to maintain synchronization. Please refer to patch installation for LDS patch update steps.
To reactivate the license, execute the following command as zimbra user:
zmilcense -a <license_key>
Security Fixes
| Summary | CVE-ID | CVSS Score |
|---|---|---|
| This patch fixes a critical security vulnerability related to stored cross-site scripting in the Zimbra Classic Web Client. The fix strengthens input sanitization and enhances security. All customers are strongly advised to upgrade to this latest patch version immediately. |
Fixed Issues
Zimbra Collaboration
- To allow all customers to apply this patch in a timely manner, the enforcement of zimbraLowestSupportedAuthVersion level=2 has been reverted. This allows any customers who did not upgrade to the previous patch release due to LDAP load concerns to apply this patch directly.
(Note: Customers already on zimbraLowestSupportedAuthVersion level=2 should retain their current setting)
Packages
Jira ticket:
The package lineup for this release is:
zimbra-patch -> 10.1.5.1737691160-2 zimbra-common-core-jar -> 10.1.5.1737379628-1 zimbra-mbox-webclient-war -> 10.1.5.1737655177-1
Patch Installation
Please refer to below link to install 10.1.5:
Quick note: Open Source repo
The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build
