Zimbra Releases/9.0.0/P27

Zimbra Collaboration Kepler 9.0.0 Patch 27 GA Release

Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for patch installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.


Change in upgrade process for 9.0.0 Patch 27

Please note that the install process has changed. Additional steps to install the zimbra-common-core-jar, zimbra-common-core-libs, and zimbra-mbox-store-libs packages have been included for this patch release.

We have also introduced a new package, zimbra-ldap-patch, to be installed only on the LDAP node.

Please refer to the Patch Installation steps to install the packages in the required order.

Changes required for SSO setup before patch upgrade

Before upgrading, if the zimbraVirtualHostName parameter is not set for the domains that use SAML and SSO based login, please set it with the following commands:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname
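A pre-upgrade check for the step above, added here as an example and not part of the Zimbra tooling: it lists every domain that has no zimbraVirtualHostName value, so the SAML/SSO domains among them can be fixed before patching. It assumes `zmprov gd` prints a `# name <domain>` line ahead of each domain's attributes; the function name and sample data are constructed.

```shell
#!/bin/sh
# Added example: list domains that have no zimbraVirtualHostName set.
# Reads concatenated `zmprov gd <domain> zimbraVirtualHostName` output on
# stdin, assuming each record starts with a "# name <domain>" line.
domains_missing_vhost() {
    awk '
        /^# name / {
            # a new record starts: report the previous domain if it had no value
            if (d != "" && !has) print d
            d = $3; has = 0; next
        }
        /^zimbraVirtualHostName:[ \t]*[^ \t]/ { has = 1 }
        END { if (d != "" && !has) print d }
    '
}

# On a Zimbra host, as the zimbra user:
#   for d in $(zmprov gad); do zmprov gd "$d" zimbraVirtualHostName; done \
#       | domains_missing_vhost

# Constructed sample output for two domains (not from a real server).
sample_gd_output() {
    cat <<'EOF'
# name example.com
zimbraVirtualHostName: mail.example.com

# name example.org

EOF
}

sample_gd_output | domains_missing_vhost   # prints: example.org
```

The output covers all domains; only those that use SAML or SSO login need the attribute set before the upgrade.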

Security Fixes

| Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Patch Version |
|---|---|---|---|---|
| An attacker can use cpio package to gain incorrect access to any other user accounts. Zimbra recommends pax over cpio | CVE-2022-41352 | 9.8 | Major | 9.0.0 P27 |
| Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. | CVE-2022-37393 | 7.8 | Medium | 9.0.0 P27 |
| XSS can occur via one of the attributes of an IMG element, leading to information disclosure | CVE-2022-41348 | TBD | Medium | 9.0.0 P27 |

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps.

Modern Web App

Briefcase

  • Briefcase is now accessible in a single click after login. Earlier, users needed to click on Cloud Storage and then Briefcase to access it.

Zimbra Connector for Outlook

  • ZCO now supports Group Policy Object (GPO) based installation. For more information, please refer to the wiki.


Fixed Issues

Platform

  • In the previous patch release, the log4j package upgrade caused an issue with the zmrestoreoffline utility where the execution did not complete. The issue has been fixed. - ZBUG-2998
  • In the previous patch release, the patch version on MTA, LDAP and Proxy nodes was not getting updated. The issue has been fixed. - ZBUG-2985
  • Mails having unclosed comment tags were not displayed when OWASP sanitization was enabled. A new LC config, zimbra_strict_unclosed_comment_tag, has been introduced from this patch onwards to handle such emails. The default value is true, which will not display mails having an unclosed comment tag. If set to false, the emails with unclosed comment tags will be displayed. - ZBUG-2978
  • In the previous patch release, after JDK was upgraded, the users could not log in through SAML. The issue has been fixed. - ZBUG-2927

Web UX - Modern

General

  • When a user opens their calendar, and clicks on any slot on a Saturday or a Sunday, this action used to freeze the UI. This issue has been fixed now. - ZBUG-2857
  • Attempting to leave the New List field (Contacts->Left sidebar, Assign to Lists) after adding a whitespace and hitting enter/return used to freeze the UI. This issue has been fixed. - ZBUG-2824
  • Earlier, the Modern UI treated the total message size limit as the attachment size limit. This resulted in different behavior in the Modern UI and Classic UI with respect to restricting attachments greater than a certain size. This issue has been fixed. - ZBUG-2808
  • An invalid email address was populated after clicking the "To" email from the org chart zimlet. This issue has been fixed.

Briefcase

  • Renaming a file in Briefcase would lead to freezing the Webclient. This issue has been fixed.

NG HSM

  • A new parameter signature_version V4 has been added to use signature V4 with the CustomS3 buckets.
  • The mailbox move operation now takes into account any ongoing fetch operations from external accounts.

NG Mobile

  • Fixed a bug that prevented the Outlook app from properly synchronizing the start time of an appointment’s exception.
  • Fixed a bug that made the all-day appointments shift by 1 day on accepting the invitation from EAS devices.

Zimbra Docs

  • A bug that prevented the preview of Docs documents has been fixed for Classic Web App. The fix for Modern Web App will be delivered in the next patch release.


Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update the zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if these encryption types are in use. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow the instructions below:

1. In the [libdefaults] section of /opt/zimbra/jetty_base/etc/krb5.ini.in, set allow_weak_crypto = true

2. Restart the mailboxd service:

su - zimbra
zmmailboxdctl restart
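Because the workaround above re-enables 3DES and RC4, it is worth tracking which nodes carry it so it can be removed once SPNEGO moves to AES256. The audit below is an added example, not part of the Zimbra tooling: it reads the [libdefaults] section of a krb5 file and reports `allow_weak_crypto = true` and any `*_enctypes` line naming a 3DES or RC4 type. The function name and sample file are constructed.

```shell
#!/bin/sh
# Added example: report weak Kerberos settings in the [libdefaults] section.
# audit_krb5 FILE   (use "-" to read stdin)
# Prints one WEAK line per finding and returns 1 if any were found.
audit_krb5() {
    awk '
        /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec); next }  # section header
        sec != "[libdefaults]" { next }
        /^[ \t]*[#;]/ { next }                                   # comment line
        {
            eq = index($0, "=")
            if (!eq) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "allow_weak_crypto" && val == "true") {
                print "WEAK allow_weak_crypto = true"; bad = 1
            } else if (key ~ /_enctypes$/ && val ~ /des3|arcfour|rc4/) {
                # 3DES and RC4 appear under these names in krb5 enctype lists
                print "WEAK " key " = " val; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample configuration (not from a real server).
sample_krb5() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
EOF
}

sample_krb5 | audit_krb5 - || echo "weak Kerberos crypto is enabled"
```

On a mailbox node the file to pass is /opt/zimbra/jetty_base/etc/krb5.ini.in, the path named in step 1.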


Packages

The package lineup for this release is:

PackageName                                       -> Version
zimbra-patch                                      -> 9.0.0.1664354709.p27-2
zimbra-proxy-patch                                -> 9.0.0.1664298029.p27-1
zimbra-proxy-components                           -> 1.0.10-1zimbra8.8b1
zimbra-mta-patch                                  -> 9.0.0.1664298029.p27-1
zimbra-mta-components                             -> 1.0.16-1zimbra8.8b1
zimbra-common-core-jar                            -> 9.0.0.1663929578-1
zimbra-nginx                                      -> 1.20.0-1zimbra8.8b3
zimbra-httpd                                      -> 2.4.53-1zimbra8.7b3
zimbra-spell-components                           -> 2.0.9-1zimbra8.8b1
zimbra-apache-components                          -> 2.0.7-1zimbra8.8b1
zimbra-lmdb-lib                                   -> 2.4.59-1zimbra8.8b5
zimbra-lmdb-dbg                                   -> 2.4.59-1zimbra8.8b5
zimbra-lmdb                                       -> 2.4.59-1zimbra8.8b5
zimbra-openldap-lib                               -> 2.4.59-1zimbra8.8b5
zimbra-openldap-client                            -> 2.4.59-1zimbra8.8b5
zimbra-openldap-server                            -> 2.4.59-1zimbra8.8b4
zimbra-openjdk-cacerts                            -> 1.0.8-1zimbra8.7b1
zimbra-openjdk                                    -> 17.0.2-1zimbra8.8b1
zimbra-ldap-components                            -> 2.0.9-1zimbra8.8b1
zimbra-core-components                            -> 3.0.15-1zimbra8.8b1
zimbra-clamav                                     -> 0.103.3-1zimbra8.8b3
zimbra-clamav-libs                                -> 0.103.3-1zimbra8.8b3
zimbra-openssl                                    -> 1.1.1q-1zimbra8.7b4
zimbra-openssl-lib                                -> 1.1.1q-1zimbra8.7b4
zimbra-postfix-logwatch                           -> 1.40.03-1zimbra8.7b1
zimbra-timezone-data                              -> 3.0.0.1646993320-1
zimbra-mbox-store-libs                            -> 9.0.0.1663926595-1
zimbra-mbox-war                                   -> 9.0.0.1655457955-1
zimbra-mbox-webclient-war                         -> 9.0.0.1663672675-1
zimbra-mbox-admin-console-war                     -> 9.0.0.1663580129-1
zimbra-common-mbox-conf-attrs                     -> 9.0.0.1652767366-1
zimbra-common-core-libs                           -> 9.0.0.1663926595-1
zimbra-mbox-ews-service                           -> 9.0.0.1657194604-1
zimbra-zco                                        -> 9.0.0.1923.1664182721-1
zimbra-php                                        -> 7.4.27-1zimbra8.7b3
zimbra-modern-ui                                  -> 4.28.1.1664289747-1
zimbra-modern-zimlets                             -> 4.28.1.1664289747-1
zimbra-network-modules-ng                         -> 7.0.27.1662731491-1
zimbra-drive-ng                                   -> 4.0.13.1637855796-1
zimbra-drive-modern                               -> 1.0.13.1637855796-1
zimbra-connect                                    -> 2.0.21.1635424388-1
zimbra-connect-modern                             -> 1.0.21.1635424388-1
zimbra-docs                                       -> 4.0.7.1663658601-1
zimbra-docs-modern                                -> 1.0.6.1632998065-1
zimbra-chat                                       -> 4.0.2.1654677981-1
zimbra-zimlet-auth                                -> 1.0.4.1652971904-1
zimbra-zimlet-install-pwa                         -> 6.1.1.1652766350-1
zimbra-zimlet-emptysubject                        -> 2.1.1.1652766350-1
zimbra-zimlet-set-default-client                  -> 8.1.1.1652766350-1
zimbra-zimlet-document-editor                     -> 6.0.1.1631795284-1
zimbra-zimlet-date                                -> 6.2.0.1655915267-1
zimbra-zimlet-additional-signature-setting        -> 7.0.0.1655915267-1
zimbra-zimlet-calendar-subscription               -> 6.2.0.1652766350-1
zimbra-zimlet-sideloader                          -> 7.1.1.1652766350-1
zimbra-zimlet-briefcase-edit-lool                 -> 3.0.0.1661587094-1
zimbra-zimlet-org-chart                           -> 2.3.0.1661587094-1
zimbra-zimlet-ads                                 -> 8.2.1.1652766350-1
zimbra-zimlet-user-sessions-management            -> 8.2.1.1652766350-1
zimbra-zimlet-user-feedback                       -> 6.1.1.1652766350-1
zimbra-zimlet-privacy-protector                   -> 4.2.0.1661587094-1
zimbra-zimlet-duplicate-contacts                  -> 5.1.1.1652766350-1
zimbra-zimlet-secure-mail                         -> 1.2.1.1652766350-1
zimbra-zimlet-web-search                          -> 4.1.1.1652766350-1
zimbra-zimlet-restore-contacts                    -> 6.1.1.1652766350-1
zimbra-zimlet-zoom                                -> 7.0.0.1628846401-1
zimbra-zimlet-slack                               -> 5.5.0.1628846401-1
zimbra-zimlet-dropbox                             -> 6.0.0.1628846401-1
zimbra-zimlet-onedrive                            -> 6.0.0.1628846401-
zimbra-zimlet-google-drive                        -> 6.0.0.1628846401-1
zimbra-zimlet-jitsi                               -> 3.3.1.1628846401-1
zimbra-zimlet-video-call-preferences              -> 2.1.0.1628846401-1
zimbra-zimlet-nextcloud                           -> 1.0.8.1656483260-1
zimbra-zimlet-webex                               -> 1.0.1.1629957793-1
zimbra-zimlet-voice-message                       -> 1.0.3.1611114827-1
zimbra-zimlet-classic-unsupportedbrowser          -> 3.1.1.1652766350-1
zimbra-zimlet-email-templates                     -> 2.0.0.1630308426-1
zimbra-zimlet-signature-template                  -> 1.0.0.1609841753-1
zimbra-ldap-patch                                 -> 9.0.0.1664298029.p27-1
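One way to confirm that a node actually carries the versions in this lineup, given as an added example and not part of the Zimbra tooling: the function compares a saved copy of the `name -> version` list against the package manager's output and prints every package that differs. It assumes the installed version string is the listed version, optionally followed by a distribution suffix; the function name and sample data are constructed.

```shell
#!/bin/sh
# Added example: flag installed Zimbra packages that differ from a
# "name -> version" lineup such as the one listed above.
# check_lineup LINEUP INSTALLED
#   LINEUP:    lines of the form "zimbra-foo -> 1.2.3-1"
#   INSTALLED: lines of the form "zimbra-foo 1.2.3-1.suffix", e.g. from
#     dpkg-query -W -f='${Package} ${Version}\n' 'zimbra-*'
#     rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'zimbra-*'
# Packages absent from the node are ignored, since not every node runs
# every package. Prints one DIFF line per mismatch; returns 1 if any.
check_lineup() {
    awk '
        NR == FNR {
            # keep real entries; skip the header row and versions cut off at "-"
            if ($2 == "->" && $3 != "Version" && $3 !~ /-$/) want[$1] = $3
            next
        }
        ($1 in want) {
            w = want[$1]
            # Assumption: installed string is the lineup version, optionally
            # followed by ".<distro suffix>".
            if ($2 == w || index($2, w ".") == 1) next
            printf "DIFF %s installed=%s expected=%s\n", $1, $2, w
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample data (the installed versions are not from a real host).
demo_lineup() {
    printf '%s\n' 'PackageName -> Version' \
        'zimbra-patch -> 9.0.0.1664354709.p27-2' \
        'zimbra-openssl -> 1.1.1q-1zimbra8.7b4' \
        'zimbra-ldap-patch -> 9.0.0.1664298029.p27-1'
}
demo_installed() {
    printf '%s\n' 'zimbra-patch 9.0.0.1664354709.p27-2.u18' \
        'zimbra-openssl 1.1.1n-1zimbra8.7b4.u18'
}

tmp=$(mktemp -d)
demo_lineup > "$tmp/lineup"; demo_installed > "$tmp/installed"
check_lineup "$tmp/lineup" "$tmp/installed" || echo "node differs from the lineup"
rm -rf "$tmp"
```

A DIFF line only says the versions differ; a node already on a later patch will also be reported.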


Patch Installation

Please refer to the link below to install 9.0.0 Patch 27:

Patch Installation
