NEW Zimbra Patches: 8.8.8 Patch 3 + 8.7.11 Patch 3 + 8.6.0 Patch 10

Zimbra Collaboration 8.8.8 Patch 3

Patch 3 has been issued for 8.8.8 GA release that includes fixes as listed in the release notes.

Fixed Issues (Bugzilla query)

108948 Admin console shows chat service as “Stopped” and if admin starts the service, chat becomes unusable
108506 Different date shown for Recurring Appointment Instance

Patch Installation

For 8.8.8 Patches, you don’t need to download any patch builds. 8.8.8 Patch packages can be installed by using Linux package management commands.
Please refer to the release notes for 8.8.8 Patch 3 installation on Redhat and Ubuntu platforms.

8.8.8 Patch 3 Change: Please Read!

8.8.8 Patch 3 (zimbra-patch) checks if your system is Network Edition and if so adds a new Network Edition-only package repository. As a result, after 8.8.8 Patch 3 installation is completed, Network Edition customers will need to run another package update/upgrade process to obtain the updated Network Edition-only packages available from newly added package repository.

Note: This patch should be installed only on all mailbox nodes running in your environment.

 

Zimbra Collaboration 8.7.11 Patch 3

Patch 3 has been issued for 8.7.11 GA release that includes fixes as listed in the release notes.

Fixed Issues (Bugzilla query)

108452 EWS: Cannot create a basic meeting/appointment from Calendar app
108777 Calendar read only on MacOS High Sierra with Exchange Account
108964 error during tgz import results in endless loop and memory leak

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification are listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information below for details.

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
108962 Account Enumeration [CWE-203]  CVE-2018-10949 5.0 Major 8.7.11 Patch 3
108963 Verbose Error Messages [CWE-209]  CVE-2018-10950 3.6 Minor 8.7.11 Patch 3
107948 Persistent XSS – mail addrs [CWE-79]  CVE-2018-10948 3.5 Minor 8.7.11 Patch 3
108894 Redact Admin SOAP API zimbraSSLPrivateKey access [CWE-199]  CVE-2018-10951 3.6 Minor 8.7.11 Patch 3

Patch Installation

Download the patch for Network Edition and Open Source Edition.

Please refer to the release notes for 8.7.11 Patch 3 installation.
Note: This patch should be installed only on all mailbox nodes running in your environment.

 

Zimbra Collaboration 8.6.0 Patch 10

Patch 10 has been issued for 8.6.0 GA release that includes fixes as listed in the release notes.

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification are listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information below for details.

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
107948 Persistent XSS – mail addrs [CWE-79]  CVE-2018-10948  3.5  Minor 8.6.0 Patch 10
106811 Limited XXE [CWE-611]  CVE-2016-9924  4.3  Minor 8.6.0 Patch 10
108786 Persistent XSS – content-location [CWE-79]  CVE-2018-6882  4.3  Minor 8.6.0 Patch 10
97579 login CSRF protection: ZWC login form does not use a csrf token [CWE-352]  CVE-2015-7610  5.8  Major 8.6.0 Patch 10
108894 Redact Admin SOAP API zimbraSSLPrivateKey access [CWE-199]  CVE-2018-10951  3.6  Minor 8.6.0 Patch 10

Patch Installation

Download the patch for Network Edition and Open Source Edition.

Please refer to the release notes for 8.6.0 Patch 10 installation.
Note: This patch should be installed on all nodes running in your environment.

No comments yet.

Leave a Reply