Zimbra Releases/9.0.0/P40

Zimbra Collaboration Kepler 9.0.0 Patch 40 GA Release

Release Date: April 22, 2024

Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues

Deprecation of Zimbra Server on Ubuntu 16.04

Ubuntu 16.04 End of life occurred on April 29, 2021. Zimbra will deprecate Kepler 9.0.0 support for Ubuntu 16.04 as of December 31, 2023. At this date, there will no longer be any patch release for Zimbra Kepler 9.0.0 on Ubuntu 16.04 operating system. We encourage all our new customer's to use Ubuntu 20.04 for all their new installations.

For questions or guidance with upgrading your operating system please open a support case and our Support team is here to assist you.

Changes required for SSO setup before patch upgrade

Before upgrade, if the zimbraVirtualHostName parameter is not set for the domains that are using SAML and SSO based login, please set by following the instructions:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps.

IMPORTANT: Zimbra OpenSSL with default FIPS Configuration

  • Please be advised that, TLS 1.2 is the minimum supported version if FIPS is being used with OpenSSL 3.0. We recommend using Zimbra with strong TLS configuration for increased security. Please follow instructions in Cipher-suites-wiki to set correct ciphers as per current versions of openssl, nginx and postfix.

  • From this patch going forward Zimbra OpenSSL will be configured to work with FIPS compliance enabled by default. You do not need to take any action, unless you run into issues, you can switch to the non-FIPS provider as follows:
  • Run below commands to Enable/Disable FIPS providers on all servers.

Disable FIPS provider:

As root user run below commands
Take backup of openssl.cnf cd /opt/zimbra/common/etc/ssl cp openssl.cnf <backup-path>/openssl.cnf
Copy openssl-source.cnf file cd /opt/zimbra/common/etc/ssl cp openssl-source.cnf openssl.cnf
Verify that, FIPS provider is disabled: Run below command and verify fips provider is not listed /opt/zimbra/common/bin/openssl list --providers
As zimbra user run below commands su - zimbra zmcontrol restart

Enable FIPS provider:

As root user run below commands
Take backup of openssl.cnf cd /opt/zimbra/common/etc/ssl cp openssl.cnf <backup-path>/openssl.cnf
Copy openssl-fips.cnf file cd /opt/zimbra/common/etc/ssl cp openssl-fips.cnf openssl.cnf
Verify that, FIPS provider is enabled: Run below command and verify fips provider is listed /opt/zimbra/common/bin/openssl list --providers
As zimbra user run below commands su - zimbra zmcontrol restart

Security Fixes

Summary CVE-ID CVSS Score
SMTP Smuggling vulnerability Patched [ZBUG-3780] CVE-2023-51764 5.3
Upgraded PHP to 8.3.0 to fix allocated memory vulnerability [ZBUG-3082] CVE-2021-21708 9.8
An XSS vulnerability was observed due to the execution of malicious JavaScript code from an externally shared file via non-sanitized parameter [ ZBUG-3794] CVE-2024-33536 TBD
Unauthenticated Local File Inclusion in zimbraAdmin interface via "packages" parameter [ZBUG-3816] CVE-2024-33535 TBD
Addressed XSS vulnerability in zimbraAdmin interface due to non sanitised parameter [ZBUG-3817] CVE-2024-33533 TBD

What's New

Package Upgrade

  • The Postfix package has been upgraded to 3.6.14

postconf settings are not retained when updating to 9.0 P40. Make sure to re-apply any customizations, including TLS cipher configurations you had previously configured using the postconf command.
Please see https://blog.zimbra.com/2023/08/review-your-zimbra-configuration-after-updating-to-the-latest-patch/#comment-152664 for manual steps to re-apply postfix customizations.

  • The PHP package has been upgraded to 8.3.0

Fixed Issues

Zimbra Collaboration

  • [ZBUG-2859] To enhance security, when using External LDAP for authentication, the behaviour of authentication of admin accounts has been changed. Earlier, the admin accounts could be authenticated locally with zimbraAuthFallbackToLocal set to FALSE. The behaviour has now been corrected for admin accounts to honour zimbraAuthFallbackToLocal. The local LDAP authentication will fail if zimbraAuthFallbackToLocal is set to FALSE.
    • It is recommended to set zimbraAuthFallbackToLocal FALSE when using external authentication.
    • If you are unable to add your admin account to your external authentication source, you are recommended to follow the steps here
  • With OpenJDK 17.08, there was issue with mailbox threads not closing gracefully when External LDAP was not reachable. We have fixed issue by enabling concurrent socket connection. [ZBUG-3987]

Zimbra Connector for Outlook

  • If an Outlook Profile or Outlook is set to a different language than ZCO, then when sending an email through a Draft folder, it appears empty to the recipient. The issue has been fixed. [ZBUG-3972]

Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With OpenJDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart


The package lineup for this release is:

zimbra-patch                                      -> 
zimbra-mta-patch                                  ->
zimbra-proxy-patch                                ->
zimbra-ldap-patch                                 ->
zimbra-common-core-jar                            ->
zimbra-mbox-admin-console-war                     ->
zimbra-mbox-webclient-war                         ->
zimbra-postfix                                    ->  3.6.14-1zimbra8.7b4
zimbra-mta-components                             ->  1.0.23-1zimbra8.8b1
zimbra-php                                        ->  8.3.0-1zimbra8.7b3
zimbra-apache-components                          ->  2.0.12-1zimbra8.8b1
zimbra-spell-components                           ->  2.0.13-1zimbra8.8b1, 2.0.14-1zimbra8.8b1 ( for RHEL8 and Ubuntu 20 )
zimbra-zco                                        ->

Patch Installation

Please refer to below link to install Kepler 9.0.0 Patch 40:

Patch Installation

Jump to: navigation, search