Zimbra Releases/9.0.0/P34

Zimbra Collaboration Kepler 9.0.0 Patch 34 GA Release

Release Date: July 26, 2023

Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

IMPORTANT: To install LDAP component standalone

The ZCS installer script has been updated to fix an issue related to deploying the certificate when installing the LDAP component. If you are planning to do a fresh install on a new server, please download the latest installer tar from the Zimbra Downloads page.

IMPORTANT: Zimbra OpenSSL with default FIPS Configuration

  • Please be advised that TLS 1.2 is the minimum supported version if FIPS is being used with OpenSSL 3.0. We recommend using Zimbra with a strong TLS configuration for increased security. Please follow the instructions in Cipher-suites-wiki to set the correct ciphers for the current versions of openssl, nginx and postfix.
  • From this patch onward, Zimbra OpenSSL is configured to work with FIPS compliance enabled by default. You do not need to take any action. If you run into issues, you can switch to the non-FIPS provider as follows:
  • Run the commands below to enable or disable the FIPS provider on all servers.

Disable FIPS provider:

As the root user, run the commands below.

Take a backup of openssl.cnf:

cd /opt/zimbra/common/etc/ssl
cp openssl.cnf <backup-path>/openssl.cnf

Copy the openssl-source.cnf file:

cd /opt/zimbra/common/etc/ssl
cp openssl-source.cnf openssl.cnf

Verify that the FIPS provider is disabled. Run the command below and verify that the fips provider is not listed:

/opt/zimbra/common/bin/openssl list --providers

As the zimbra user, run the commands below:

su - zimbra
zmcontrol restart

Enable FIPS provider:

As the root user, run the commands below.

Take a backup of openssl.cnf:

cd /opt/zimbra/common/etc/ssl
cp openssl.cnf <backup-path>/openssl.cnf

Copy the openssl-fips.cnf file:

cd /opt/zimbra/common/etc/ssl
cp openssl-fips.cnf openssl.cnf

Verify that the FIPS provider is enabled. Run the command below and verify that the fips provider is listed:

/opt/zimbra/common/bin/openssl list --providers

As the zimbra user, run the commands below:

su - zimbra
zmcontrol restart
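
The verification step can be scripted so that every server is checked the same way. The following is an added example, not part of Zimbra's release notes or tooling: the function names and the sample listings are constructed, and only the openssl path and command come from this page.

```shell
#!/bin/sh
# Added example (not Zimbra tooling). Classifies `openssl list --providers`
# output read from stdin as: active | inactive | absent (for the fips provider).
fips_provider_status() {
    awk '
        /^  [^ ]/ { current = $1 }      # provider name line (2-space indent)
        current == "fips" { seen = 1 }
        current == "fips" && $1 == "status:" && $2 == "active" { active = 1 }
        END {
            if (active) print "active"
            else if (seen) print "inactive"
            else print "absent"
        }
    '
}

# Compare a host against the expected state ("active" after copying
# openssl-fips.cnf, "absent" after copying openssl-source.cnf).
# Returns 0 on match, 1 on mismatch, 2 if the openssl binary is unusable,
# so a missing binary is never mistaken for "FIPS disabled".
check_fips_state() {
    expected=$1
    openssl_bin=${2:-/opt/zimbra/common/bin/openssl}
    [ -x "$openssl_bin" ] || { echo "cannot run $openssl_bin" >&2; return 2; }
    listing=$("$openssl_bin" list --providers 2>/dev/null) || return 2
    actual=$(printf '%s\n' "$listing" | fips_provider_status)
    echo "$(hostname): fips provider $actual (expected $expected)"
    [ "$actual" = "$expected" ]
}

# Constructed sample listings, modelled on the OpenSSL 3.x output layout.
SAMPLE_FIPS_ON='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'
SAMPLE_FIPS_OFF='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active'
```

Run `check_fips_state active` (or `check_fips_state absent`) as root on each server after copying the matching configuration file and before restarting services.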

Change in upgrade process for 9.0.0 Patch 34

Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release.

We have also introduced a new package zimbra-ldap-patch to be installed only on the LDAP node.

Please refer to the Patch Installation steps to install the packages in the required order.

Changes required for SSO setup before patch upgrade

Before upgrading, if the zimbraVirtualHostName parameter is not set for the domains that use SAML and SSO based login, please set it as follows:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname


Security Fixes

Summary | CVE-ID | CVSS Score
OpenSSL package has been upgraded to fix a security issue related to the verification of X.509 certificate chains that include policy constraints | CVE-2023-0464 | TBD
The Amavis package has been upgraded to 2.13.0 version. | TBD | TBD
A bug that could lead to exposure of internal JSP and XML files has been fixed. | CVE-2023-38750 | TBD

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.

What's New

Package Upgrade

  • The OpenSSL package has been upgraded from 1.1.1t to 3.0.9
  • The Amavis package has been upgraded from 2.10.1 to 2.13.0
  • The Clamav package has been upgraded from 0.105.2 to 1.0.1
  • The Crypt::OpenSSL::RSA package has been upgraded from 0.31 to 0.33
  • The IO::Socket::SSL package has been upgraded from 2.068 to 2.083
  • The LWP::Protocol::https package has been upgraded from 6.06 to 6.10
  • The Mail::DKIM package has been upgraded from 0.40 to 0.43
  • The Net::SSLeay package has been upgraded from 1.88 to 1.92
  • The Unbound package has been upgraded from 1.11 to 1.17.1

Modern Web App

General

  • Changes have been made to simplify and clarify the email forwarding settings. For example, the label for "Access your email elsewhere" has been updated, and "Forward: Your mail is forwarded to the specified address, so you can check it there." has been modified to "Enable email forwarding".
  • The 'Advanced Paste' for Modern UI composer, which previously handled copy/pasting from various applications such as Word, Excel, PowerPoint, PDF, Websites, Paint, etc., is no longer available. The feature has been removed due to its technical complexity and dependencies on third-party libraries that didn't meet Zimbra's standards.
  • Users can now specify and book equipment when composing a calendar event.

Calendar

  • "Equipment" option in Calendar is hidden when zimbraFeatureGroupCalendarEnabled is FALSE.


Zimbra Connector for Outlook

  • The Zimbra Free Busy provider has been set as a default Free Busy provider. It will now display the correct status color for Busy, Tentative, and Out Of Office meetings. Earlier, it was set to Internet Free Busy provider.


Fixed Issues

Zimbra Collaboration

  • When setting the zimbraFileUploadMaxSize value to more than 2GB (2146483647 bytes), the Web App and Admin Console became unresponsive. The issue has been fixed. ZBUG-3204
  • The faulty X-Forwarded-For header which handles the IPv6 client logged an incorrect OIP field. The issue has been fixed. Please note that the following requirements have to be fulfilled when adding the IPv6 IP address to the zimbraMailTrustedIP attribute:


Classic Web App

  • NextCloud zimlet on Classic Web App is now available with Zimbra Daffodil (v10). ZBUG-3450


Zimbra Connector for Outlook

  • In the Auto-Complete cache, a parsing problem was identified in a particular scenario. The full cache will now be parsed, and the user will be prompted to remove the bad cache. ZBUG-3456
  • In case the ZCO registry keys are broken due to a Microsoft upgrade, the installer fixes such registry keys. ZBUG-3047
  • Fixed an issue that results in Outlook crashing when sending the OneNote document as a PDF attachment. ZBUG-2776
  • When the Free Busy provider is set to Internet Free Busy, the Tentative meeting status gets displayed as Busy. Changed the default Free Busy provider to Zimbra which also displays the correct status color for Busy, Tentative, and Out Of Office meetings. ZBUG-2278


Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update the zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if these encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow the instructions below:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart
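
To track which servers still carry this workaround, the [libdefaults] section can be audited for allow_weak_crypto and for 3DES/RC4 encryption types. The following is an added example, not Zimbra tooling: the function name and the sample file content are constructed, and the enctype key and value names are those of standard krb5 configuration.

```shell
#!/bin/sh
# Added example (not Zimbra tooling): report weak-Kerberos settings in the
# [libdefaults] section of a krb5-style file read from stdin.
# Output: one "allow_weak_crypto=<value|unset>" line, then one
# "weak_enctype=<key>:<name>" line per 3DES/RC4 enctype found.
# Usage: krb5_weak_crypto_report < /opt/zimbra/jetty_base/etc/krb5.ini.in
krb5_weak_crypto_report() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # section header
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        section != "libdefaults" || index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/[ \t]/, "", key)
            if (key == "allow_weak_crypto") { gsub(/[ \t]/, "", val); awc = val }
            if (key ~ /_enctypes$/) {
                n = split(val, e, /[ \t,]+/)
                for (i = 1; i <= n; i++)
                    if (e[i] ~ /^(des3|rc4|arcfour)/) weak[++w] = key ":" e[i]
            }
        }
        END {
            print "allow_weak_crypto=" (awc == "" ? "unset" : awc)
            for (i = 1; i <= w; i++) print "weak_enctype=" weak[i]
        }
    '
}

# Constructed sample: the commented-out line and the [realms] entry must be
# ignored; only the live [libdefaults] settings count.
SAMPLE_KRB5='[libdefaults]
    default_realm = EXAMPLE.COM
    # allow_weak_crypto = false
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
    allow_weak_crypto = false
'
```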

Packages

The package lineup for this release is:

PackageName                                        Version
zimbra-patch                                      ->  9.0.0.1688906705.p34-2
zimbra-mta-patch                                  ->  9.0.0.1688906705.p34-1
zimbra-proxy-patch                                ->  9.0.0.1688906705.p34-1
zimbra-ldap-patch                                 ->  9.0.0.1688906705.p34-1
zimbra-common-core-jar                            ->  9.0.0.1688733256-1
zimbra-mbox-webclient-war                         ->  9.0.0.1688663735-1
zimbra-zco                                        ->  9.0.0.1933.1688639704-1
zimbra-modern-ui                                  ->  4.33.0.1688725065-1
zimbra-modern-zimlets                             ->  4.33.0.1688725065-1
zimbra-zimlet-ads                                 ->  9.1.0.1688647815-1
zimbra-zimlet-user-sessions-management            ->  10.1.0.1688647815-1
zimbra-zimlet-org-chart                           ->  3.1.0.1688647815-1
zimbra-zimlet-additional-signature-setting        ->  9.0.0.1688647815-1
zimbra-zimlet-restore-contacts                    ->  7.1.0.1688647815-1
zimbra-zimlet-sideloader                          ->  8.1.0.1688647815-1
zimbra-zimlet-set-default-client                  ->  10.2.0.1688647815-1
zimbra-zimlet-date                                ->  7.1.0.1688647815-1
zimbra-zimlet-privacy-protector                   ->  5.2.0.1688647815-1
zimbra-zimlet-classic-unsupportedbrowser          ->  4.1.0.1688647815-1
zimbra-zimlet-install-pwa                         ->  7.1.0.1688647815-1
zimbra-zimlet-emptysubject                        ->  3.1.0.1688647815-1
zimbra-zimlet-duplicate-contacts                  ->  6.2.0.1688647815-1
zimbra-zimlet-secure-mail                         ->  2.3.0.1688647815-1
zimbra-zimlet-web-search                          ->  5.1.0.1688647815-1
zimbra-zimlet-user-feedback                       ->  7.1.0.1688647815-1
zimbra-zimlet-calendar-subscription               ->  7.1.0.1688647815-1
zimbra-zimlet-briefcase-edit-lool                 ->  4.2.0.1688647815-1
zimbra-zimlet-nextcloud                           ->  1.0.14.1689672362-1
zimbra-zimlet-nextcloud-talk                      ->  1.0.0.1689672460-1
zimbra-openssl                                    ->  3.0.9-1zimbra8.8b1
zimbra-heimdal                                    ->  1.5.3-1zimbra8.7b4
zimbra-perl-net-ssleay                            ->  1.92-1zimbra8.8b1
zimbra-curl                                       ->  7.49.1-1zimbra8.7b4
zimbra-unbound                                    ->  1.17.1-1zimbra8.8b1
zimbra-apr-util                                   ->  1.6.1-1zimbra8.7b3
zimbra-perl-dbd-mysql                             ->  4.050-1zimbra8.7b5
zimbra-perl-crypt-openssl-random                  ->  0.11-1zimbra8.7b4
zimbra-perl-crypt-openssl-rsa                     ->  0.33-1zimbra8.8b1
zimbra-cyrus-sasl                                 ->  2.1.28-1zimbra8.7b4
zimbra-openldap                                   ->  2.4.59-1zimbra8.8b6
zimbra-postfix                                    ->  3.6.1-1zimbra8.7b4
zimbra-opendkim                                   ->  2.10.3-1zimbra8.7b6
zimbra-clamav                                     ->  1.0.1-1zimbra8.8b4
zimbra-clamav-db                                  ->  1.0.0-1zimbra8.7b2
zimbra-amavisd                                    ->  2.13.0-1zimbra8.7b2
zimbra-net-snmp                                   ->  5.8-1zimbra8.7b3 (For RHEL8,UBUNTU20 - 5.8-1zimbra8.7b4)
zimbra-perl-io-socket-ssl                         ->  2.083-1zimbra8.7b3 (For RHEL8,UBUNTU20 - 2.083-1zimbra8.7b4)
zimbra-perl-net-http                              ->  6.09-1zimbra8.7b4 (For RHEL8,UBUNTU20 - 6.09-1zimbra8.7b5)
zimbra-perl-libwww                                ->  6.13-1zimbra8.7b4 (For RHEL8,UBUNTU20 - 6.13-1zimbra8.7b5)
zimbra-perl-lwp-protocol-https                    ->  6.10-1zimbra8.7b3 (For RHEL8,UBUNTU20 - 6.10-1zimbra8.7b4)
zimbra-perl-xml-parser                            ->  2.44-1zimbra8.7b4 (For RHEL8,UBUNTU20 - 2.44-1zimbra8.7b5)
zimbra-perl-soap-lite                             ->  1.19-1zimbra8.7b4 (For RHEL8,UBUNTU20 - 1.19-1zimbra8.7b5)
zimbra-perl-xml-sax-expat                         ->  0.51-1zimbra8.7b4 (For RHEL8,UBUNTU20 - 0.51-1zimbra8.7b5)
zimbra-perl-xml-simple                            ->  2.25-1zimbra8.7b3 (For RHEL8,UBUNTU20 - 2.25-1zimbra8.7b4)
zimbra-perl-mail-dkim                             ->  0.43-1zimbra8.8b1
zimbra-perl-mail-spamassassin                     ->  3.4.6-1zimbra8.8b4 (For RHEL8,UBUNTU20 - 3.4.6-1zimbra8.8b5)
zimbra-spamassassin-rules                         ->  1.0.0-1zimbra8.8b6 (For RHEL8,UBUNTU20 - 1.0.0-1zimbra8.8b7)
zimbra-perl-innotop                               ->  1.9.1-1zimbra8.7b4 (For RHEL8,UBUNTU20 - 1.9.1-1zimbra8.7b5)
zimbra-httpd                                      ->  2.4.57-1zimbra8.7b5
zimbra-perl-net-ldapapi                           ->  3.0.3-1zimbra8.7b2
zimbra-perl                                       ->  1.0.8-1zimbra8.7b1 (For RHEL8,UBUNTU20 - 1.0.9-1zimbra8.7b1)
zimbra-nginx                                      ->  1.20.0-1zimbra8.8b4
zimbra-osl                                        ->  2.0.1-1zimbra9.0b1
zimbra-core-components                            ->  3.0.20-1zimbra9.0b1
zimbra-ldap-components                            ->  2.0.14-1zimbra9.0b1
zimbra-proxy-components                           ->  1.0.11-1zimbra8.8b1
zimbra-mta-components                             ->  1.0.22-1zimbra8.8b1
zimbra-apache-components                          ->  2.0.11-1zimbra8.8b1
zimbra-dnscache-components                        ->  1.0.5-1zimbra8.7b1
zimbra-snmp-components                            ->  1.0.4-1zimbra8.7b1 (For RHEL8,UBUNTU20 - 1.0.5-1zimbra8.7b1)
zimbra-spell-components                           ->  2.0.12-1zimbra8.8b1 (For RHEL8,UBUNTU20 - 2.0.13-1zimbra8.8b1)

Patch Installation

Please refer to the link below to install Kepler 9.0.0 Patch 34:

Patch Installation
