Zimbra Releases/9.0.0/P33

Zimbra Collaboration Kepler 9.0.0 Patch 33 GA Release

Release Date: May 30, 2023

Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues

IMPORTANT: Remove Client Uploader

A majority of customers now use other options to distribute packages to the end users. If you want to continue use ClientUploader then follow these manual steps for installation

Redhat

  • As root, install the package:
yum install zimbra-extension-clientuploader
yum install zimbra-zimlet-admin-clientuploader
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Ubuntu

  • As root, install the package:
apt-get install zimbra-extension-clientuploader
apt-get install zimbra-zimlet-admin-clientuploader
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Change in upgrade process for 9.0.0 Patch 33

Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release.

We have also introduced a new package zimbra-ldap-patch to be installed only on the LDAP node.

Please refer to the Patch Installation steps to install the packages in its order.

Changes required for SSO setup before patch upgrade

Before upgrade, if the zimbraVirtualHostName parameter is not set for the domains that are using SAML and SSO based login, please set by following the instructions: 

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname

Security Fixes

Summary CVE-ID CVSS Score Zimbra Rating
As part of continuous improvement, ClientUploader packages has been removed from core product and moved to an optional package CVE-2023-34193 TBD Medium
Added additional validations for 2FA login CVE-2023-29381 TBD Medium
The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities CVE-2023-25690 9.8 Low
Remove unused JSP file which may bypass the Preauth verification CVE-2023-29382 TBD Low
The Apache CXF package has been upgraded to version 3.5.5 to fix SSRF vulnerability CVE-2022-46364 9.8 Low
The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities CVE-2022-22970 5.3 Low

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.

What's New

Package Upgrade


  • The Apache package has been upgraded from 2.4.54 to 2.4.57
  • The Apache CXF package has been upgraded from 3.5.1 to 3.5.5
  • The Spring Core package has been upgraded from 5.3.18 to 6.0.8

Modern Web App

General

  • When opening Classic UI from Modern UI menu, Classic UI is opened in the current browser instead of opening it in a new browser tab.
  • Users can now configure message retention and message disposal policies.

Zimbra Connector for Outlook

  • To better manage storage on Outlook, the Auto Archive feature is now available for users. The settings can be accessed at File -> Options -> Advanced -> AutoArchive. By default the feature is disabled. This feature does not support auto archiving Calendar and Shared Inbox folders but we continue to support them through Manual Archive feature.


Fixed Issues

Zimbra Collaboration

  • Users can now add their Google calendar as an External calendar. ZBUG-2802
  • When using Load Balancer with a Zimbra Proxy server, if it receives multiple IP addresses in the X-Forwarded-For header, it treated it as one single IP to perform the Whitelist check which resulted in suspending it. The issue has been fixed and now a whitelist check is done on a single IP address even if multiple IP addresses are received. ZBUG-2250

Classic Web App

  • External users with authorized access were unable to view externally shared briefcase folder.
  • Translations have been updated for Arabic, Deutsch (German), French Canadian, Danish, Hindi, Japanese and Español (Spanish).

Modern Web App

General

  • Addresses in To and Cc fields of an email were not being displayed intermittently when viewed in the preview pane. ZBUG-3398
  • When writing new e-mail the 'From' drop-down menu used to show '[object Object]' on hover of an email address. ZBUG-2945
  • Previously, all permissions were not displayed while adding new users in the calendar share list. Now, all permissions are displayed in this scenario. ZBUG-2940

Zimbra Connector for Outlook

  • Changes done to the tags are now updated correctly in the Web App. ZBUG-2067
  • The external and public sharing attributes were not honored in ZCO. The issue has been fixed. ZBUG-1380

NG HSM

  • To improve the testS3Connection command, a file is now uploaded on the bucket, read and finally deleted to confirm that the bucket is properly working.

NG Mobile

  • Fixed a bug that caused the attachment’s names with non-ASCII characters to be wrongly encoded when synchronizing via EAS.
  • Fixed a bug that caused iOS mobile devices to synchronize replies to calendar appointments multiple times.
  • Fixed a bug that caused the attachment’s names with non-ASCII characters to be wrongly encoded when synchronizing via EAS.


Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service: 

su - zimbra
zmmailboxdctl restart

Packages

The package lineup for this release is: 

PackageName                                        Version
zimbra-patch                                      ->  9.0.0.1684843181.p33-2
zimbra-mta-patch                                  ->  9.0.0.1684336338.p33-1
zimbra-proxy-patch                                ->  9.0.0.1684222812.p33-1
zimbra-ldap-patch                                 ->  9.0.0.1684222812.p33-1
zimbra-common-core-jar                            ->  9.0.0.1684125449-1
zimbra-mbox-war                                   ->  9.0.0.1684125449-1
zimbra-mbox-ews-service                           ->  9.0.0.1683869084-1
zimbra-common-core-libs                           ->  9.0.0.1683869303-1
zimbra-mbox-webclient-war                         ->  9.0.0.1684143619-1
zimbra-zimlet-nextcloud                           ->  1.0.12.1681793719-1
zimbra-zco                                        ->  9.0.0.1930.1684419492-1
zimbra-httpd                                      ->  2.4.57-1zimbra8.7b4
zimbra-apache-components                          ->  2.0.10-1zimbra8.8b1
zimbra-spell-components                           ->  2.0.11-1zimbra8.8b1  ( RHEL8, UBUNTU20: 2.0.12-1zimbra8.8b1 )
zimbra-extension-clientuploader                   ->  1.0.0.1683611258-1
zimbra-zimlet-admin-clientuploader                ->  8.0.0
zimbra-network-modules-ng                         ->  7.0.31.1684335204-1
zimbra-modern-ui                                  ->  4.32.0.1684838829-1
zimbra-modern-zimlets                             ->  4.32.0.1684838829-1
zimbra-zimlet-set-default-client                  ->  10.1.0.1684745565-1
zimbra-zimlet-secure-mail                         ->  2.2.0.1684238166-1

Patch Installation

Please refer to below link to install Kepler 9.0.0 Patch 33:

Patch Installation

Retrieved from "http://wiki.zimbra.com/index.php?title=Zimbra_Releases/9.0.0/P33&oldid=70162"
Jump to: navigation, search