Zimbra Collaboration 8.6 Patch 9 now available (includes fix for CVE-2017-8802)

Greetings everyone, in August 2017 we announced the extension of general support and technical guidance for Zimbra Collaboration 8.6.

The extension will give you ample time to plan and upgrade to version 8.7, 8.8 or future releases, while still receiving support for your current Zimbra installation. Please start planning your Zimbra upgrade, and remember, our Zimbra Professional Services Team, and your local Partner are here to assist you with your upgrade.

Zimbra Collaboration Life-cycle Comparison

Please keep in mind that Zimbra Collaboration 8.6 general support will end this very year, and starting this September you will not receive any more security or bug fixes. We strongly recommend the upgrade to a newer version.

Zimbra Collaboration Server General Availability End of General Support End of Technical Guidance
Version 8.8 12/12/2017 12/31/2020 12/31/2021
Version 8.7 07/13/2016 9/10/2019 9/10/2020
Version 8.6.x 08/26/2015 9/30/2018 9/30/2019
Version 8.5.x 08/26/2014 9/30/2017 9/30/2018
Version 8.0 9/10/2012 9/10/2016 9/10/2017

Download the Patch 9

Please do a full backup or snapshot before installing this Patch. You can download the patch and the md5 and the SHA 256 file here:

Please, read the Full Release Notes here.

All Zimbra Collaboration 8.6.0 sites are recommended to install this patch. Patch 9 is cumulative with all the previous eight patches, so only Patch 9 is required in case you didn’t install the previous ones.

ZCS 8.6.0 Patch 9 Bug Fixes

You might find useful this short list of the fixed Bugs in this Patch 9 for Zimbra Collaboration 8.6.0.

Fixed Issues


101227 CPU load & latency when open mail with data:image/png:base64 inline image
104365 Update timezones.ics to tzdata2017b
97710 Tasks causing slowness from ZWC and consuming CPU resources
103797 Description of a previous appointment comes up when changing mode from plain-text to html
107289 Printing work week shows wrong time
107288 EWS caches and logs cleartext password
97460 Need visual cue and hyperlink for url links when composing message
100281 Deleted/canceled appts remain on calendar
101584 QuickAdd location using GAL is not saved correctly > only name is kept
107826 Implement GetStreamingEvents EWS API(Phase 1)
107499 EWS: Resolve Name should return all the contact information
97126 Script Error (this._sharesGroup is undefined) when click to “Edit Properties” folder menu
101023 zimbraHelpAdvancedURL, zimbraHelpStandardURL and zimbraHelpAdminURL does not work
107646 There is an unexpected logout for a session in the HTML client.
107925 Persistent XSS – snippet [CWE-79]
108265 Persistent XSS – message view as text [CWE-79]

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification are listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information below for details.

Bug# Summary CVE-ID CVSS
Fix Release or
Patch Version
107925 CSRF CWE-79 CVE-2017-8802 3.5 Minor 8.6 P9, 8.8.6
108265 Persistent XSS CWE-79 CVE-2017-17703 3.5 Minor 8.6 P9, 8.8.3

Before Installing the Patch

Before installing the patch, consider the following:

  • Zimbra Collaboration patches can be found at https://www.zimbra.com/downloads/zimbra-collaboration
  • Patches are delivered as a TGZ file and are cumulative.
  • A full backup should be performed before any patch is applied. There is no automated roll-back mechanism.
  • Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.
  • Only files or Zimlets associated with installed packages will be installed from the patch.
  • Switch to user zimbra before using ZCS CLI commands.

Install the Patch

Read carefully the Release Notes, for this Patch 9.

Important! You cannot revert to the previous ZCS release after you upgrade to the patch.

Quick note for Customers still on Zimbra Collaboration 8.6 and below

If you are a Customer running Zimbra Collaboration 8.6 or below, the End of General Support will occur this 30th of September. If running previous versions, you already are not receiving any security or bug fixes. We’re here for you! We strongly encourage you to give us a call or send us an email to sales@zimbra.com, and we will be glad to help you through the licensing and system upgrade by using our Professional Services, or you can contact your local Partner.

If by any chance you are still running versions from ZCS 8.6 or below, we encourage you upgrade to at least 8.7.11 with the latest Patch, and even better if you can upgrade to 8.8, so you will be in a supported version until 2020.

, ,

One Response to Zimbra Collaboration 8.6 Patch 9 now available (includes fix for CVE-2017-8802)

  1. Dave February 26, 2018 at 2:00 AM #

    Thank you for the patch. Your a blessing in disguise.

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures