Zimbra Collaboration Kepler 9.0.0 Patch 35 GA Release

Check out the Security Fixes, Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues

Security Fixes

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.

Known Issues

• While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.

/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more

• From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.

• With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart

Packages

The package lineup for this release is:

PackageName                                       -> Version
zimbra-patch                                ->  9.0.0.1692275170.p35-2

Patch Installation

Please refer to the steps below to install Kepler 9.0.0 Patch 35 on Redhat and Ubuntu platforms:

Before Installing the Patch, consider the following:

• Patches are cumulative.
• A full backup should be performed before any patch is applied. There is no automated roll-back.
• Switch to zimbra user before using ZCS CLI commands.
• Important! You cannot revert to the previous ZCS release after you upgrade to the patch.
• Important Note for ZCS Setup with Local ZCS repository: Customers who have set up local ZCS repository should first update the local repository by following instructions in wiki

If you have patch 33 or an older version installed, then follow below link to install Kepler 9.0.0 Patch 35:
Patch Installation link : https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/patch_installation

If you have patch 34 installed, then follow below instructions to apply this patch only on mailbox node:

Redhat

Install/Upgrade zimbra-patch on Mailbox node

• As root, install the package:

yum install zimbra-patch

• Restart ZCS as zimbra user:

su - zimbra
zmcontrol restart

Ubuntu

Install/Upgrade zimbra-patch on Mailbox node

• As root, install package

apt-get install zimbra-patch

• Restart ZCS as zimbra user:

su - zimbra
zmcontrol restart