Zimbra Releases/9.0.0/P33
Zimbra Collaboration Kepler 9.0.0 Patch 33 GA Release
Release Date: May 30, 2023
Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.
IMPORTANT: Remove Client Uploader
A majority of customers now use other options to distribute packages to the end users. If you want to continue to use ClientUploader, follow these manual steps for installation:
Redhat
- As root, install the packages:
yum install zimbra-extension-clientuploader
yum install zimbra-zimlet-admin-clientuploader
- Restart ZCS as the zimbra user:
su - zimbra
zmcontrol restart
Ubuntu
- As root, install the packages:
apt-get install zimbra-extension-clientuploader
apt-get install zimbra-zimlet-admin-clientuploader
- Restart ZCS as the zimbra user:
su - zimbra
zmcontrol restart
Change in upgrade process for 9.0.0 Patch 33
Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release.
We have also introduced a new package zimbra-ldap-patch to be installed only on the LDAP node.
Please refer to the Patch Installation steps to install the packages in the correct order.
Changes required for SSO setup before patch upgrade
Before the upgrade, if the zimbraVirtualHostName parameter is not set for the domains that use SAML and SSO based login, please set it as follows:
su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname
Security Fixes
Summary | CVE-ID | CVSS Score | Zimbra Rating |
---|---|---|---|
As part of continuous improvement, ClientUploader packages have been removed from the core product and moved to an optional package | CVE-2023-34193 | TBD | Medium |
Added additional validations for 2FA login | CVE-2023-29381 | TBD | Medium |
The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities | CVE-2023-25690 | 9.8 | Low |
Remove unused JSP file which may bypass the Preauth verification | CVE-2023-29382 | TBD | Low |
The Apache CXF package has been upgraded to version 3.5.5 to fix SSRF vulnerability | CVE-2022-46364 | 9.8 | Low |
The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities | CVE-2022-22970 | 5.3 | Low |
Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If you applied this configuration previously, you will have to re-apply the same configuration after upgrading to this patch.
What's New
Package Upgrade
- The Apache package has been upgraded from 2.4.54 to 2.4.57
- The Apache CXF package has been upgraded from 3.5.1 to 3.5.5
- The Spring Core package has been upgraded from 5.3.18 to 6.0.8
Modern Web App
General
- When opening Classic UI from Modern UI menu, Classic UI is opened in the current browser instead of opening it in a new browser tab.
- Users can now configure message retention and message disposal policies.
Zimbra Connector for Outlook
- To better manage storage on Outlook, the Auto Archive feature is now available for users. The settings can be accessed at File -> Options -> Advanced -> AutoArchive. By default the feature is disabled. This feature does not support auto archiving Calendar and Shared Inbox folders but we continue to support them through Manual Archive feature.
Fixed Issues
Zimbra Collaboration
- Users can now add their Google calendar as an External calendar. ZBUG-2802
- When a Load Balancer was used with a Zimbra Proxy server and multiple IP addresses were received in the X-Forwarded-For header, the whole value was treated as one single IP for the Whitelist check, which resulted in it being suspended. The issue has been fixed and now a whitelist check is done on a single IP address even if multiple IP addresses are received. ZBUG-2250
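The X-Forwarded-For whitelist issue above (ZBUG-2250), as an added example that is not Zimbra's code: it contrasts a check that treats the whole header as one IP with one that selects a single address first. The selection policy (right-most hop that is not a trusted proxy), the function names and all addresses are assumptions made for illustration; the release note does not say which address Zimbra selects.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not Zimbra settings.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]   # load balancer and proxy tier
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]     # hosts exempt from suspension

def in_any(ip, networks):
    return any(ip in net for net in networks)

def parse_xff(header):
    """Split an X-Forwarded-For value into addresses; None if any entry is malformed."""
    hops = []
    for part in header.split(","):
        try:
            hops.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            return None
    return hops

def whole_header_check(header, whitelist=WHITELIST):
    """The failure mode in the release note: the entire header is treated as one IP."""
    try:
        return in_any(ipaddress.ip_address(header.strip()), whitelist)
    except ValueError:
        return False  # "a, b" is not an address, so a whitelisted client never matches

def client_ip(header, peer, trusted=TRUSTED_PROXIES):
    """Choose one address: the right-most hop that is not a trusted proxy (assumed policy)."""
    peer_ip = ipaddress.ip_address(peer)
    if not in_any(peer_ip, trusted):
        return peer_ip            # a header from an untrusted peer is ignored
    hops = parse_xff(header)
    if not hops:
        return peer_ip            # malformed or empty header: fall back to the peer
    for hop in reversed(hops):
        if not in_any(hop, trusted):
            return hop
    return hops[0]                # every hop is one of our own proxies

def single_ip_check(header, peer, whitelist=WHITELIST, trusted=TRUSTED_PROXIES):
    return in_any(client_ip(header, peer, trusted), whitelist)

if __name__ == "__main__":
    via_lb = "198.51.100.20, 10.0.0.5"       # whitelisted host behind the load balancer
    spoofed = "198.51.100.20, 203.0.113.7"   # client-supplied first entry, real source last
    print(whole_header_check(via_lb), single_ip_check(via_lb, "10.0.0.9"))
    print(client_ip(spoofed, "10.0.0.9"), single_ip_check(spoofed, "10.0.0.9"))
```

Walking the header from the right keeps a client-supplied left-most entry from deciding the whitelist result.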
Classic Web App
- External users with authorized access were unable to view externally shared briefcase folder.
- Translations have been updated for Arabic, Deutsch (German), French Canadian, Danish, Hindi, Japanese and Español (Spanish).
Modern Web App
General
- Addresses in To and Cc fields of an email were not being displayed intermittently when viewed in the preview pane. ZBUG-3398
- When writing a new e-mail, the 'From' drop-down menu used to show '[object Object]' on hover of an email address. ZBUG-2945
- Previously, all permissions were not displayed while adding new users in the calendar share list. Now, all permissions are displayed in this scenario. ZBUG-2940
Zimbra Connector for Outlook
- Changes done to the tags are now updated correctly in the Web App. ZBUG-2067
- The external and public sharing attributes were not honored in ZCO. The issue has been fixed. ZBUG-1380
NG HSM
- To improve the testS3Connection command, a file is now uploaded on the bucket, read and finally deleted to confirm that the bucket is properly working.
NG Mobile
- Fixed a bug that caused the attachment’s names with non-ASCII characters to be wrongly encoded when synchronizing via EAS.
- Fixed a bug that caused iOS mobile devices to synchronize replies to calendar appointments multiple times.
Known Issues
- While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
    at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
    ... 1 more
- From Kepler-Patch-25 onwards, customers using SSO will need to update the zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
- With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if these encryption types are being used. We recommend using stronger encryption types like AES256.
To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow the instructions below:
1. In the [libdefaults] section of /opt/zimbra/jetty_base/etc/krb5.ini.in, set allow_weak_crypto = true
2. Restart the mailboxd service:
su - zimbra
zmmailboxdctl restart
Packages
The package lineup for this release is:
PackageName                          Version
zimbra-patch                         -> 9.0.0.1684843181.p33-2
zimbra-mta-patch                     -> 9.0.0.1684336338.p33-1
zimbra-proxy-patch                   -> 9.0.0.1684222812.p33-1
zimbra-ldap-patch                    -> 9.0.0.1684222812.p33-1
zimbra-common-core-jar               -> 9.0.0.1684125449-1
zimbra-mbox-war                      -> 9.0.0.1684125449-1
zimbra-mbox-ews-service              -> 9.0.0.1683869084-1
zimbra-common-core-libs              -> 9.0.0.1683869303-1
zimbra-mbox-webclient-war            -> 9.0.0.1684143619-1
zimbra-zimlet-nextcloud              -> 1.0.12.1681793719-1
zimbra-zco                           -> 9.0.0.1930.1684419492-1
zimbra-httpd                         -> 2.4.57-1zimbra8.7b4
zimbra-apache-components             -> 2.0.10-1zimbra8.8b1
zimbra-spell-components              -> 2.0.11-1zimbra8.8b1 ( RHEL8, UBUNTU20: 2.0.12-1zimbra8.8b1 )
zimbra-extension-clientuploader      -> 1.0.0.1683611258-1
zimbra-zimlet-admin-clientuploader   -> 8.0.0
zimbra-network-modules-ng            -> 7.0.31.1684335204-1
zimbra-modern-ui                     -> 4.32.0.1684838829-1
zimbra-modern-zimlets                -> 4.32.0.1684838829-1
zimbra-zimlet-set-default-client     -> 10.1.0.1684745565-1
zimbra-zimlet-secure-mail            -> 2.2.0.1684238166-1
Patch Installation
Please refer to the link below to install Kepler 9.0.0 Patch 33: