Zimbra Releases/9.0.0/P39

Zimbra Collaboration Kepler 9.0.0 Patch 39 GA Release

Release Date: February 28, 2024

Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

Deprecation of Zimbra Server on Ubuntu 16.04

Ubuntu 16.04 reached end of life on April 29, 2021. Zimbra will deprecate Kepler 9.0.0 support for Ubuntu 16.04 as of December 31, 2023. As of that date, there will no longer be any patch releases for Zimbra Kepler 9.0.0 on the Ubuntu 16.04 operating system. We encourage all our new customers to use Ubuntu 20.04 for all their new installations.

For questions or guidance on upgrading your operating system, please open a support case; our Support team is here to assist you.

Changes required for SSO setup before patch upgrade

Before upgrading, if the zimbraVirtualHostName parameter is not set for the domains that use SAML and SSO based login, please set it as follows:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps.

IMPORTANT: Zimbra OpenSSL with default FIPS Configuration

  • Please be advised that TLS 1.2 is the minimum supported version if FIPS is being used with OpenSSL 3.0. We recommend using Zimbra with a strong TLS configuration for increased security. Please follow the instructions in Cipher-suites-wiki to set the correct ciphers for the current versions of openssl, nginx and postfix.

  • From this patch onward, Zimbra OpenSSL is configured to work with FIPS compliance enabled by default. You do not need to take any action. If you run into issues, you can switch to the non-FIPS provider as described below.
  • Run the commands below to enable or disable the FIPS provider on all servers.

Disable FIPS provider:

As root user, run the commands below.

Take a backup of openssl.cnf:

cd /opt/zimbra/common/etc/ssl
cp openssl.cnf <backup-path>/openssl.cnf

Copy the openssl-source.cnf file:

cd /opt/zimbra/common/etc/ssl
cp openssl-source.cnf openssl.cnf

Verify that the FIPS provider is disabled. Run the command below and verify that the fips provider is not listed:

/opt/zimbra/common/bin/openssl list --providers

As zimbra user, run the commands below:

su - zimbra
zmcontrol restart

Enable FIPS provider:

As root user, run the commands below.

Take a backup of openssl.cnf:

cd /opt/zimbra/common/etc/ssl
cp openssl.cnf <backup-path>/openssl.cnf

Copy the openssl-fips.cnf file:

cd /opt/zimbra/common/etc/ssl
cp openssl-fips.cnf openssl.cnf

Verify that the FIPS provider is enabled. Run the command below and verify that the fips provider is listed:

/opt/zimbra/common/bin/openssl list --providers

As zimbra user, run the commands below:

su - zimbra
zmcontrol restart
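The "verify fips provider is listed / not listed" step can be scripted so it can be run on every server after the switch. This is an added example, not part of the Zimbra release notes; the function names and the sample listings are constructed, and the listing layout (a "Providers:" header, provider id indented two spaces, fields indented four) is assumed.

```shell
# fips_state: read an `openssl list --providers` listing on stdin and
# print one of: active | inactive | absent
fips_state() {
    awk '
        /^  [^ ]/ { id = $1 }                        # provider id line
        id == "fips" { seen = 1 }
        /^    status:/ && id == "fips" { st = $2 }   # status inside the fips block
        END {
            if (!seen) print "absent"
            else if (st == "active") print "active"
            else print "inactive"
        }'
}

# verify_mode MODE: MODE is "fips" or "non-fips".
# Returns 0 only when the listing on stdin matches the intended mode.
verify_mode() {
    state=$(fips_state)
    case "$1:$state" in
        fips:active|non-fips:absent) return 0 ;;
        *) echo "expected $1, but fips provider is $state" >&2; return 1 ;;
    esac
}

# Constructed sample listings (not captured from a real server).
SAMPLE_FIPS='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.0
    status: active'

SAMPLE_DEFAULT='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.0
    status: active'

# On a server:
#   /opt/zimbra/common/bin/openssl list --providers | verify_mode fips
printf '%s\n' "$SAMPLE_FIPS" | verify_mode fips && echo "FIPS listing OK"
printf '%s\n' "$SAMPLE_DEFAULT" | verify_mode non-fips && echo "non-FIPS listing OK"
```

Matching on the provider id rather than grepping for "fips" avoids a false match on a name or path line, and a provider that is listed but not active is reported as a mismatch in both modes.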

Security Fixes

| Summary | CVE-ID | CVSS Score |
|---|---|---|
| Nginx has been upgraded to version 1.24.0 to fix multiple vulnerabilities [ZBUG-3083] | CVE-2022-41741, CVE-2022-41742 | High |
| An XSS vulnerability in a Calendar invite has been resolved [ZBUG-3730] | CVE-2024-27443 | TBD |
| Local Privilege Escalation vulnerability patched [ZBUG-3625] | CVE-2024-27442 | TBD |

What's New

Package Upgrade

  • The Nginx package has been upgraded to 1.24.0

Modern Web App


  • "New Email" and "Find Emails" options are displayed in the context menu for a Distribution List member when multiple members are selected.
  • The event invitee selection process was enhanced to allow for choosing specific members from a distribution list (DL).
  • Users now have the ability to easily drag and drop their own calendar events to a different date or time slot.
  • Event invitations have been enhanced to alert users of any scheduling conflicts upon receipt of the invite.


  • Users can now select specific or all members of a distribution list (DL) while composing an email.


  • “Distribution Lists” has been implemented for Contacts vertical.

Fixed Issues

Modern Web App


  • Modern UI did not load images for some specific messages [ZBUG-3829]
  • Composing mail was slower when folder pane had hundreds of folders [ZBUG-3804]
  • Users were unable to rename files in Briefcase when filenames contained Chinese characters [ZBUG-3795]
  • The "Reply-All" functionality worked differently in Modern and Classic UI. It has now been standardized for consistency [ZBUG-3605]

Mobile Sync

Rolling Upgrade - MobileSync

  • In a rolling-upgrade environment, if a zimbra-9 user shared a calendar with a zimbra-10 user, the shared calendar events were not synced on the mobile for the zimbra-10 user. The issue has been fixed.

Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update the zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With OpenJDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if these encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow the instructions below:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart
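Because allow_weak_crypto is a workaround and AES256 is the recommended state, it is worth auditing which servers still carry it. The following is an added example, not part of the Zimbra release notes: it flags weak-crypto settings in the [libdefaults] section of a krb5 configuration file. The function names and the sample configuration are constructed.

```shell
# weak_krb5_settings [FILE]: print "<line>: <finding>" for every [libdefaults]
# entry that enables weak Kerberos crypto. Reads stdin when FILE is omitted.
weak_krb5_settings() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect != "[libdefaults]" { next }            # only audit [libdefaults]
        {
            line = $0
            n = index(line, "="); if (!n) next
            key = tolower(substr(line, 1, n - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr(line, n + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
            # spellings that krb5 parsers treat as "true"
            if (key == "allow_weak_crypto" && val ~ /^(true|yes|y|t|1|on)$/)
                print NR ": allow_weak_crypto enabled"
            # the 3DES and RC4 enctypes named in the note above
            else if (key ~ /enctypes$/ && val ~ /(des3|rc4|arcfour)/)
                print NR ": " key " lists a weak enctype"
        }' "${1:--}"
}

# Constructed sample configuration (not taken from a real server).
sample_krb5() {
    cat <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.COM
  # allow_weak_crypto = true
  allow_weak_crypto = true
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
  EXAMPLE.COM = { kdc = kdc.example.com }
EOF
}

# On a server:
#   weak_krb5_settings /opt/zimbra/jetty_base/etc/krb5.ini.in
sample_krb5 | weak_krb5_settings
```

An empty result means no weak-crypto setting was found in [libdefaults]; the commented-out line in the sample is deliberately not reported.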


The package lineup for this release is:

zimbra-patch                                      -> 
zimbra-mta-patch                                  -> 
zimbra-proxy-patch                                -> 
zimbra-ldap-patch                                 -> 
zimbra-nginx                                      ->  1.24.0-1zimbra8.8b4 
zimbra-proxy-components                           ->  1.0.12-1zimbra8.8b1 
zimbra-mbox-webclient-war                         -> 
zimbra-common-core-jar                            -> 
zimbra-license-tools                              -> 
zimbra-zimlet-nextcloud                           -> 
zimbra-zimlet-nextcloud-talk                      -> 
zimbra-modern-ui                                  -> 
zimbra-modern-zimlets                             ->

Patch Installation

Please refer to the link below to install Kepler 9.0.0 Patch 39:

Patch Installation

Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build
