NEW Zimbra Patches: 8.8.9 Patch 3 + 8.7.11 Patch 6 + 8.6.0 Patch 11

Hello Zimbra Friends, Customers & Partners,

Zimbra 8.8.9 “Curie” Patch 3, Zimbra Collaboration 8.7.11 Patch 6 and Zimbra Collaboration 8.6.0 Patch 11 are here.

Zimbra 8.8.9 “Curie” Patch 3

Patch 3 is here for the 8.8.9 “Curie” GA release, and it includes fixes as listed in the release notes.

Major Feature Announcements

Fixed Issues

Forgot password feature bug fixes
Build and package openldap with multival fix
Impossible to upgrade 8.8.8_P7 to 8.8.9
Email subject with space not encoded is not rendering properly

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
109012 Account Enumeration [CWE-203] CVE-2018-15131 5 Major 8.8.9 Patch 3

Patch Installation

For 8.8.9 Patches, you don’t need to download any patch builds. 8.8.9 Patch packages can be installed using Linux package management commands. Please refer to the release notes for 8.8.9 Patch 3 installation on Redhat and Ubuntu platforms.

Customers upgrading from previous releases can use full 8.8.9 installer, which includes Patch 3 packages. 8.8.9 binaries are available at https://www.zimbra.com/downloads/

Zimbra 8.7.11 Patch 6

Patch 6 is here for the 8.7.11 GA release, and it includes fixes as listed in the release notes.

Fixed Issues

ActiveSync Logging changes: Moved Stack trace logs to debug level
Fixed Active Sync issue “Listener got cancelled after 0 seconds is thrown repeatedly” observed with client sending multiple Ping requests
Fixed Active Sync issue “Can’t Move Item thrown repeatedly” observed with client sending MoveItems request for non-existent items
Build and package openldap with multival fix

OpenLDAP package 2.4.46 availability for 8.7/8.8 releases: Please note that, OpenLDAP updated package with multival support is available in Zimbra Collaboration 8.7 and 8.8 repositories.
Multival configuration is recommended for large deployments. Please follow https://wiki.zimbra.com/wiki/Zimbra-LDAP_Multival_Configuration for Multival configuration steps.

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
109012 Account Enumeration [CWE-203] CVE-2018-15131 5 Major 8.7.11 Patch 6

Patch Installation

Download the patch for Network Edition and Open Source Edition.

Please refer to the release notes for 8.7.11 Patch 6 installation.
Note: This patch should be installed only on all mailbox nodes running in your environment.

Zimbra Collaboration 8.6.0 Patch 11

Patch 11 is here for the 8.6.0 GA release, and it includes fixes as listed in the release notes.

Fixed Issues

ActiveSync Logging changes: Moved Stack trace logs to debug level
Fixed Active Sync issue “Listener got cancelled after 0 seconds is thrown repeatedly” observed with client sending multiple Ping requests
Fixed Active Sync issue “Can’t Move Item thrown repeatedly” observed with client sending MoveItems request for non-existent items
“ZInternetHeader.decode java.lang.ArrayIndexOutOfBoundsException” exception – fixed issue with parsing incorrect mime header

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
106612 Persistent XSS – unsafe content not filtered by defanger [CWE-79] CVE-2017-7288 4.3 Minor 8.6.0 Patch 11
105071 Persistent XSS – unsafe content not filtered by defanger [CWE-79] CVE-2016-3407 4.3 Minor 8.6.0 Patch 11
105001 Persistent XSS – unsafe content not filtered by defanger [CWE-79] CVE-2016-5721 4.3 Minor 8.6.0 Patch 11
104910 Persistent XSS – Contact print [CWE-79] CVE-2016-3407 3.5 Minor 8.6.0 Patch 11
104222 Persistent XSS – Signature [CWE-79] CVE-2016-3407 4.3 Minor 8.6.0 Patch 11
103609 Non-Persistent XSS – changepass [CWE-79] CVE-2016-3407 3.5 Minor 8.6.0 Patch 11
103996 XXE – Bulk Provision [CWE-611] CVE-2016-3413 2.6 Minor 8.6.0 Patch 11
103956 Non-Persistent XSS – REST Calendar [CWE-79] CVE-2016-3410 4.3 Minor 8.6.0 Patch 11
102637 Persistent XSS – unsafe content not filtered by defanger [CWE-79] CVE-2016-3409 4.3 Minor 8.6.0 Patch 11
101813 Persistent XSS – unsafe content not filtered by defanger [CWE-79] CVE-2016-3408 4.3 Minor 8.6.0 Patch 11
108902 Persistent XSS – contact group [CWE-79] CVE-2018-10939 3.5 Minor 8.6.0 Patch 11

Patch Installation

Download the patch for Network Edition and Open Source Edition.

Please refer to the release notes for 8.6.0 Patch 11 installation.
Note: This patch should be installed only on all mailbox nodes running in your environment.

Thank you,

Your Zimbra Team

 

One Response to NEW Zimbra Patches: 8.8.9 Patch 3 + 8.7.11 Patch 6 + 8.6.0 Patch 11

  1. Alex August 30, 2018 at 6:27 AM #

    Still no fix for the cosntant chat disconnect as of 8.8.8?

Leave a Reply