Zimbra Releases/8.8.15/P45
Zimbra Collaboration Joule 8.8.15 Patch 45 GA Release
Release Date: December 18, 2023
Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation steps for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.
NOTE: If you are upgrading or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read Things to Know Before Upgrading and First Steps with the Zimbra NG Modules for critical information before you upgrade.
Blank email issue on ZCO
After recent Microsoft updates (Version 2310, 2311), customers reported an intermittent issue that when sending a message from ZCO, it is delivered as a blank message to the recipient. The issue is not consistently reproducible and there are no definite steps to reproduce it. There have been no changes in the ZCO product that caused the issue, as we found this issue is not seen on Outlook versions not having the latest Microsoft patch. Our engineering team has also submitted a post on Microsoft forums asking for their immediate attention. We are also analyzing the issue and trying to find a root cause and feasible solution for the ZCO product. We will update as soon as we have an ETA on the fix.
For the customers facing the issue, the workaround is to downgrade their Outlook to the previous version.
Update: The issue has been fixed, and you can download the latest ZCO package at https://www.zimbra.com/product/addons/zimbra-connector-for-outlook-download/.
For customers who have installed the previous ZCO package 1938, please upgrade to the latest one on the mailstore node using the following commands:
Update: The issue for non-english locale has been fixed, and you can download the latest ZCO package at https://www.zimbra.com/product/addons/zimbra-connector-for-outlook-download/.
For customers who have installed the previous ZCO package 1938 or 1939, please upgrade to the latest one on the mailstore node using the following commands:
For Ubuntu:
apt-get update apt-get install zimbra-zco
For RHEL/Centos/Rocky Linux:
yum clean metadata yum check-update yum install zimbra-zco
Joule-8.8.15 End of Life (EOL) Notice
Joule-8.8.15 is set to reach its End of Life on December 31, 2023. This marks the final patch release for the version, and no further updates will be provided after this date. Customers using Joule-8.8.15 are advised to plan their migration to a supported version to ensure continued security and access to the latest features. For assistance during this transition, our support team is available to address any inquiries.
NOTICE: OpenJDK cacert Package Upgrade
Please follow the instructions:
Install zimbra-core-components before the patch upgrade on the mailstore node. apt-get install zimbra-core-components (For Ubuntu) yum install zimbra-core-components (For RHEL/Centos/Rocky Linux)
While deploying zimlets, if the following error is encountered
Enabling Zimlet zimbra-zimlet-secure-mail ERROR: zclient.IO_ERROR (invoke PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, server: localhost) (cause: javax.net.ssl.SSLHandshakeException PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) *** zimbra-zimlet-secure-mail Installation Completed. *** *** Restart the mailbox service as zimbra user. Run ***
then, redeploy zimlets that are throwing error in the patch upgrade
zmzimletctl -l deploy <zimlet.zip file name>
Change in upgrade process for 8.8.15 Patch 45
Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation steps to install the packages in its order.
Changes required for SSO setup before patch upgrade
Before upgrade, we need to set the zimbraVirtualHostName parameter for the domains that are using SAML and SSO based login. Please follow the instructions:
su - zimbra zmprov md domain_name zimbraVirtualHostName virtual_hostname
Security Fixes
| Summary | CVE-ID | CVSS Score |
|---|---|---|
| OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. | CVE-2023-21930 CVE-2022-21476 CVE-2022-21449 | High |
| Fixed a vulnerability where an auth token was possible to be obtained. | CVE-2023-48432 | 6.1 |
| Certbot now adopts ECDSA secp256r1 (P-256) certificate private keys as the default for all newly generated certificates. Zimbra has also introduced support for ECDSA secp256r1 (P-256) certificate private keys in new certificates. | TBD | TBD |
Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps.
Migration to Daffodil v10
Support for migrating customers running the 8.8.15 version with NG modules has now been added to the Daffodil 10.0.6 Patch Release. Please refer to Daffodil 10.0.6 Release Notes for more details. Please make sure the server's are upgraded to latest 8.8.15 patch release before the migration.
What's New
Package Upgrade
- The OpenJDK package has been upgraded from 17.0.2 to 17.0.8
Fixed Issues
Zimbra Collaboration
- On a setup with a large number of accounts (in millions), an LDAP query executed for retrieving all accounts resulted in a timeout exception. A fix has been made to skip the LDAP query if the license issued is of unlimited accounts. ZBUG-3655
- In some scenarios, the external message warning was not being appended in the email when received from Gmail. The issue has been fixed. ZBUG-3132
Known Issues
- While deploying zimlets, if the following error is encountered, please refer to the [Installation] page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
... 1 more
- From Kepler-Patch-25 onwards, customers using SSO will need to update
zimbraVirtualHostNameattribute for the domains. Please refer to the instructions to update the attribute.
- With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.
To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:
1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true
2. Restart mailboxd service:
su - zimbra zmmailboxdctl restart
Packages
The package lineup for this release is:
FOSS:
PackageName -> Version zimbra-patch -> 8.8.15.1701429424.p45-1 zimbra-mta-patch -> 8.8.15.1701429424.p45-1 zimbra-proxy-patch -> 8.8.15.1701429424.p45-1 zimbra-ldap-patch -> 8.8.15.1701429424.p45-1 zimbra-openjdk-cacerts -> 1.0.10-1zimbra8.7b1 zimbra-openjdk -> 17.0.8-1zimbra8.8b1 zimbra-core-components -> 2.0.26-1zimbra8.8b1 zimbra-ldap-components -> 1.0.26-1zimbra8.8b1 zimbra-common-core-jar -> 8.8.15.1701335039-1 zimbra-mbox-webclient-war -> 8.8.15.1701417049-1
NETWORK:
PackageName -> Version zimbra-patch -> 8.8.15.1701429424.p45-2 zimbra-zco -> 8.8.15.1938.1701268058-1 zimbra-network-modules-ng -> 6.0.41.1701755985-1
Patch Installation
Please refer to below link to install Joule 8.8.15 Patch 45:
Quick note: Open Source repo
The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build
