Zimbra Releases/9.0.0/P41
Zimbra Collaboration Kepler 9.0.0 Patch 41 GA Release
Release Date: September 04, 2024
Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration.
Please refer to the Patch Installation page for Patch Installation instructions.
As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.
Security Fixes
Summary | CVE-ID | CVSS Score |
---|---|---|
A stored XSS vulnerability in the `contacts/print` endpoint has been addressed. | CVE-2024-45513 | TBD |
Fixed a security vulnerability in the postjournal service which may allow unauthenticated users to execute commands. | CVE-2024-45519 | TBD |
A Server-Side Request Forgery (SSRF) vulnerability that allowed unauthorized access to internal services has been addressed. | CVE-2024-45518 | TBD |
A Cross-Site Scripting (XSS) issue that allowed an attacker to inject and execute malicious code via email account configurations has been resolved. | CVE-2024-45194 | TBD |
A Cross-Site Scripting (XSS) vulnerability in the `/h/rest` endpoint has been fixed. | CVE-2024-45517 | TBD |
A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. | CVE-2024-45516 | TBD |
A Cross-Site Scripting (XSS) vulnerability caused by a non-sanitized `packages` parameter has been resolved. | CVE-2024-45514 | TBD |
A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. | TBD | TBD |
Fixed a Stored Cross-Site Scripting (XSS) vulnerability in the Briefcase module that could execute malicious code when interacting with folder share notifications. | CVE-2024-45512 | TBD |
Fixed a stored XSS vulnerability that could lead to unauthorized actions when adding contacts from specially crafted emails. | CVE-2024-45510 | TBD |
A Cross-Site Scripting (XSS) vulnerability in TinyMCE was addressed in the upgrade from version 7.1.1 to 7.2.0. | CVE-2024-38356 | Medium |
What's New
Modern Web App
General
- An option to turn off the deletion of appointments for declined meetings has been implemented. Users can now retain appointments in their calendars even if they decline the meeting.
- A PostCSS line return parsing error has been fixed, improving the stability and reliability of the stylesheet processing in the Modern UI.
- Implementation of truncated folder names in the Modern UI has been completed. Folder names that are too long will now be truncated appropriately to fit the interface.
Mail
- The tap-to-read or select functionality in the mobile mail list has been reconfigured to allow a larger tap area. This update improves the user experience by making it easier to interact with emails on mobile devices.
- The formatting of footer and signature elements in mobile views has been adjusted for better readability and presentation.
- The folder list is no longer shown when composing emails in the Modern UI, reducing cognitive load and visual clutter for the user while composing.
Fixed Issues
Modern Web App
General
- The issue where the "sender address is suspicious" warning was incorrectly triggered due to case differences in the email address has been resolved. The check for suspicious email addresses is now case-insensitive, in compliance with RFC standards.
- An issue where extra body content was being added in the Modern UI mail body under certain conditions has been corrected.
- An issue in the Modern UI where moving emails in "Conversation view" caused unexpected behavior has been fixed.
- The issue where email body/text alignment in the Modern UI web app was incorrect has been resolved.
- Scrolling issues within the Modern UI have been addressed. Users should now experience smooth and consistent scrolling behavior across all supported apps including Zimbra desktop.
- The problem where S/MIME signing did not work in the Modern UI has been addressed. S/MIME signing functionality is now fully operational.
- An issue where editing the attendees or the body of a new event would not save the changes correctly has been fixed. All edits are now properly saved.
- The issue where meeting invitation emails incorrectly displayed a conflict banner for meetings has been resolved. The conflict banner now only shows when there is an actual scheduling conflict.
- The issue where there was no save button after searching and editing a contact has been resolved.
- In the Modern UI, an issue where Zimbra incorrectly showed all folder types in the folder tree has been fixed.
- An issue where multi-day all-day appointments were truncated to a single day has been fixed. Multi-day all-day events now display correctly across all intended dates.
Mail
- An issue where wide elements in emails were not displayed correctly when reading on mobile has been addressed. Emails now render properly on mobile devices regardless of content width.
- The "Edit as new" option was previously unavailable when no predefined signature was set. This issue has been resolved, and the option is now accessible regardless of signature settings.
Calendar
- The issue where the "Today" button on the calendar print dialog was not working has been fixed. The button now correctly navigates to today's date in the print preview.
- An issue in the Modern UI where the "New Event" body did not wrap text properly has been resolved. Additionally, the button alignment has been corrected to ensure proper layout.
- The issue where an error was thrown upon clicking the "Show Availability" button in the calendar has been resolved. Users can now view availability without encountering errors.
Known Issues
Modern Web App
- When replying to or forwarding an email in plain text with attachments, an error message stating "Failed to Process this request" may appear when the draft is auto-saved. This issue occurs after switching the email format from HTML to plain text, especially when the email contains an image in the signature.
- When viewing a message that was sent to one or more distribution lists, each distribution list is displayed twice.
- "Edit as New," "New Event," and "Print" functionalities do not work when the preview pane is disabled in the Zimbra Modern UI. As a workaround, please enable the preview pane to use these features.
Packages
Jira ticket:
The package lineup for this release is:
- zimbra-patch -> 9.0.0.1724300725.p41-2
- zimbra-mta-patch -> 9.0.0.1723780664.p41-1
- zimbra-common-core-jar -> 9.0.0.1723727322-1
- zimbra-mbox-webclient-war -> 9.0.0.1723644503-1
- zimbra-modern-ui -> 4.39.0.1724260715-1
- zimbra-modern-zimlets -> 4.39.0.1724260715-1
- zimbra-zimlet-classic-unsupportedbrowser -> 4.1.1.1723729388-1
- zimbra-zimlet-date -> 8.0.0.1723729388-1
- zimbra-zimlet-restore-contacts -> 7.2.1.1723729388-1
- zimbra-zimlet-set-default-client -> 10.4.1.1723729388-1
- zimbra-zimlet-user-feedback -> 7.2.1.1723729388-1
- zimbra-zimlet-additional-signature-setting -> 9.1.1.1713165868-1
- zimbra-zimlet-calendar-subscription -> 7.2.1.1713165868-1
- zimbra-zimlet-emptysubject -> 3.2.1.1713165868-1
- zimbra-zimlet-org-chart -> 3.2.1.1713165868-1
- zimbra-zimlet-user-sessions-management -> 10.2.1.1713165868-1
Patch Installation
Please refer to the link below to install Kepler 9.0.0 Patch 41:
Quick note: Open Source repo
The steps to download, build, and see our code via GitHub can be found here: https://github.com/Zimbra/zm-build