Zimbra Releases/9.0.0/P37

Zimbra Collaboration Kepler 9.0.0 Patch 37 GA Release

Release Date: October 19, 2023

Check out the Security Fixes, What's New, Fixed Issues and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues

Change in upgrade process for 9.0.0 Patch 37

Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation steps to install the packages in its order.

Changes required for SSO setup before patch upgrade

Before upgrade, if the zimbraVirtualHostName parameter is not set for the domains that are using SAML and SSO based login, please set by following the instructions:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname

Security Fixes

Summary CVE-ID CVSS Score
A security related issue has been fixed to prevent javascript injection through help files. CVE-2007-1280 TBD
A security related issue has been fixed which impacted one of the third party libraries being used in Admin User Inferface. CVE-2020-7746 High
An XSS vulnerability was observed when a PDF containing malicious Javascript code was uploaded in Briefcase. CVE-2023-45207 TBD
Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the robohelp package. The package has now been made optional. This means that users will now be access help documentation at the URL - https://www.zimbra.com/documentation/. CVE-2023-45206 TBD

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.

Migration to Daffodil v10

Support for migrating customers running the 9.0.0 version with NG modules has now been added to the Daffodil 10.0.5 Patch Release. Please refer to Daffodil 10.0.5 Release Notes for more details. Please make sure the server's are upgraded to latest 9.0.0 patch release before the migration.

What's New

Zimbra Web Client (ZWC)

  • A security related issue has been fixed to prevent account takeover by stealing user cookies.

Fixed Issues

Zimbra Collaboration

  • When installing Zimrba, the following OS packages will get installed as Zimbra dependencies - rsyslog, net-tools, libcap2-bin. ZBUG-2931

Classic Web App

  • Appointments were displayed an hour earlier in the calendar when the timezone was set to some of the CST timezone like Guadalajara. ZBUG-3414
  • America/Mexico_City events were scheduled one hour before the time those events are supposed to happen, when the events were sent from non-zimbra external calendar services. ZBUG-3395
  • Hyperlink on images in emails did not work when using "Conversation View" ZBUG-3322
  • In the Classic UI webmail when used with the Chrome browser, the print preview and actual print would appear on the next page following the email details. ZBUG-3198

Admin Web Console

  • On every refresh, the queue length value in the admin console was added, which resulted in impacting the performance. ZBUG-1571

Modern Web App


  • Modern Web App did not display the "Show Original" option in right-click context menu. ZBUG-3442
  • The read/unread flag was incorrectly displayed in the right click context menu. ZBUG-3436
  • Full day events were displayed as spanning multiple days when the event involved change of Day Light Savings e.g. last Sunday of March/October in Germany. ZBUG-3422
  • Sharing calendar using 'Modern UI' with the permission 'view free/busy times only' ended up sharing calendar with 'view' permission. ZBUG-3345

Zimbra Connector for Outlook

  • When setting up ZCO for the first time, if no password is specified, an empty Outlook profile is created. When Outlook is opened again, the user just needs to provide his password to proceed. Earlier, the user had to specify the server and username again. ZBUG-3472
  • For a shared contact folder, modification done to the "Display As" field through Web Client will be reflected in ZCO. ZBUG-1421

Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart


The package lineup for this release is:

zimbra-patch                                      -> 
zimbra-mta-patch                                  -> 
zimbra-proxy-patch                                -> 
zimbra-ldap-patch                                 -> 
zimbra-os-requirements                            ->  1.0.3-1zimbra8.7b1 
zimbra-core-components                            ->  3.0.21-1zimbra9.0b1 
zimbra-ldap-components                            ->  2.0.15-1zimbra9.0b1 
zimbra-timezone-data                              -> 
zimbra-mbox-admin-console-war                     -> 
zimbra-mbox-webclient-war                         -> 
zimbra-help                                       -> 
zimbra-zco                                        -> 
zimbra-modern-ui                                  -> 
zimbra-modern-zimlets                             -> 
zimbra-modules-porter                             ->

Patch Installation

Please refer to below link to install Kepler 9.0.0 Patch 37:

Patch Installation

Jump to: navigation, search