Zimbra Releases/9.0.0/P43

Zimbra Collaboration Kepler 9.0.0 Patch 43 GA Release

Release Date: December 17, 2024

Check out the Security Fixes for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

Things to know before you upgrade

Changes to SOAP API

There are changes in the ChangePassword SOAP API. Please refer to the API reference documentation. If you have a custom auth implementation that uses ChangePassword, please update it to support the new API changes.

Security Fixes

| Summary | CVE-ID | CVSS Score |
|---|---|---|
| An issue with encoded @import statements in <style> tags that allowed the loading of malicious CSS has been addressed. | | |
| SSRF vulnerability in the RSS feed parser that allowed unauthorized redirection to internal network endpoints has been resolved. | | |
| A Cross-Site Scripting (XSS) vulnerability via crafted <img> HTML content in the Zimbra Classic UI has been fixed. LC attribute zimbra_owasp_strip_alt_tags_with_handlers introduced in a previous patch is no longer required and has been removed. | CVE-2024-45516 | |
| A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. LC attribute zimbra_owasp_strip_alt_tags_with_handlers introduced in a previous patch is no longer required and has been removed. | | |
| A vulnerability in the ChangePassword API has been fixed to require a valid auth token. | | |

Fixed Issues

Zimbra Collaboration

  • After upgrading to iOS 18, users with IMAP-connected accounts experienced slower search performance, which led to overall slowness. It happened due to an update in the query parameters. The issue has been fixed.
  • In 9.0.0-P42, the command to add zmgql.jar was executed twice during the post-install script of the patch and displayed an error. The issue has been fixed.

Packages

The package lineup for this release is:

zimbra-patch                                      ->  9.0.0.1733747325.p43-2
zimbra-mbox-admin-console-war                     ->  9.0.0.1732701570-1
zimbra-mbox-webclient-war                         ->  9.0.0.1732702347-1
zimbra-common-core-jar                            ->  9.0.0.1733200613-1
zimbra-common-core-libs                           ->  9.0.0.1733153162-1
zimbra-mbox-store-libs                            ->  9.0.0.1733153162-1
zimbra-modern-ui                                  ->  4.39.1.1733745171-1
zimbra-modern-zimlets                             ->  4.39.1.1732708629-1

Patch Installation

Please refer to the link below to install Kepler 9.0.0 Patch 43:

Patch Installation

Quick note: Open Source repo

The steps to download, build, and see our code via GitHub can be found here: https://github.com/Zimbra/zm-build
