Hello Zimbra Friends, Customers & Partners,
Zimbra 8.8.9 “Curie” Patch 3, Zimbra Collaboration 8.7.11 Patch 6 and Zimbra Collaboration 8.6.0 Patch 11 are here.
Zimbra 8.8.9 “Curie” Patch 3
Patch 3 is here for the 8.8.9 “Curie” GA release, and it includes fixes as listed in the release notes.
Major Feature Announcements
- Forgot Password Feature is now GA!!
- OpenLDAP 2.4.46 package with multiVal and sortVal support is available. Multival configuration is recommended for large deployments.
Please follow https://wiki.zimbra.com/wiki/Zimbra-LDAP_Multival_Configuration for Multival configuration steps
Fixed Issues |
|
|---|---|
| Forgot password feature bug fixes | |
| Build and package openldap with multival fix | |
| Impossible to upgrade 8.8.8_P7 to 8.8.9 | |
| Email subject with space not encoded is not rendering properly | |
Security Fixes
Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.
| Bug# | Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Release or Patch Version |
|---|---|---|---|---|---|
| 109012 | Account Enumeration [CWE-203] | CVE-2018-15131 | 5 | Major | 8.8.9 Patch 3 |
Patch Installation
For 8.8.9 Patches, you don’t need to download any patch builds. 8.8.9 Patch packages can be installed using Linux package management commands. Please refer to the release notes for 8.8.9 Patch 3 installation on Redhat and Ubuntu platforms.
Customers upgrading from previous releases can use full 8.8.9 installer, which includes Patch 3 packages. 8.8.9 binaries are available at https://www.zimbra.com/downloads/
Zimbra 8.7.11 Patch 6
Patch 6 is here for the 8.7.11 GA release, and it includes fixes as listed in the release notes.
Fixed Issues |
|
|---|---|
| ActiveSync Logging changes: Moved Stack trace logs to debug level | |
| Fixed Active Sync issue “Listener got cancelled after 0 seconds is thrown repeatedly” observed with client sending multiple Ping requests | |
| Fixed Active Sync issue “Can’t Move Item thrown repeatedly” observed with client sending MoveItems request for non-existent items | |
| Build and package openldap with multival fix | |
OpenLDAP package 2.4.46 availability for 8.7/8.8 releases: Please note that, OpenLDAP updated package with multival support is available in Zimbra Collaboration 8.7 and 8.8 repositories.
Multival configuration is recommended for large deployments. Please follow https://wiki.zimbra.com/wiki/Zimbra-LDAP_Multival_Configuration for Multival configuration steps.
Security Fixes
Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.
| Bug# | Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Release or Patch Version |
|---|---|---|---|---|---|
| 109012 | Account Enumeration [CWE-203] | CVE-2018-15131 | 5 | Major | 8.7.11 Patch 6 |
Patch Installation
Download the patch for Network Edition and Open Source Edition.
Please refer to the release notes for 8.7.11 Patch 6 installation.
Note: This patch should be installed only on all mailbox nodes running in your environment.
Zimbra Collaboration 8.6.0 Patch 11
Patch 11 is here for the 8.6.0 GA release, and it includes fixes as listed in the release notes.
Fixed Issues |
|
|---|---|
| ActiveSync Logging changes: Moved Stack trace logs to debug level | |
| Fixed Active Sync issue “Listener got cancelled after 0 seconds is thrown repeatedly” observed with client sending multiple Ping requests | |
| Fixed Active Sync issue “Can’t Move Item thrown repeatedly” observed with client sending MoveItems request for non-existent items | |
| “ZInternetHeader.decode java.lang.ArrayIndexOutOfBoundsException” exception – fixed issue with parsing incorrect mime header | |
Security Fixes
Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.
| Bug# | Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Release or Patch Version |
|---|---|---|---|---|---|
| 106612 | Persistent XSS – unsafe content not filtered by defanger [CWE-79] | CVE-2017-7288 | 4.3 | Minor | 8.6.0 Patch 11 |
| 105071 | Persistent XSS – unsafe content not filtered by defanger [CWE-79] | CVE-2016-3407 | 4.3 | Minor | 8.6.0 Patch 11 |
| 105001 | Persistent XSS – unsafe content not filtered by defanger [CWE-79] | CVE-2016-5721 | 4.3 | Minor | 8.6.0 Patch 11 |
| 104910 | Persistent XSS – Contact print [CWE-79] | CVE-2016-3407 | 3.5 | Minor | 8.6.0 Patch 11 |
| 104222 | Persistent XSS – Signature [CWE-79] | CVE-2016-3407 | 4.3 | Minor | 8.6.0 Patch 11 |
| 103609 | Non-Persistent XSS – changepass [CWE-79] | CVE-2016-3407 | 3.5 | Minor | 8.6.0 Patch 11 |
| 103996 | XXE – Bulk Provision [CWE-611] | CVE-2016-3413 | 2.6 | Minor | 8.6.0 Patch 11 |
| 103956 | Non-Persistent XSS – REST Calendar [CWE-79] | CVE-2016-3410 | 4.3 | Minor | 8.6.0 Patch 11 |
| 102637 | Persistent XSS – unsafe content not filtered by defanger [CWE-79] | CVE-2016-3409 | 4.3 | Minor | 8.6.0 Patch 11 |
| 101813 | Persistent XSS – unsafe content not filtered by defanger [CWE-79] | CVE-2016-3408 | 4.3 | Minor | 8.6.0 Patch 11 |
| 108902 | Persistent XSS – contact group [CWE-79] | CVE-2018-10939 | 3.5 | Minor | 8.6.0 Patch 11 |
Patch Installation
Download the patch for Network Edition and Open Source Edition.
Please refer to the release notes for 8.6.0 Patch 11 installation.
Note: This patch should be installed only on all mailbox nodes running in your environment.
Thank you,
Your Zimbra Team
Still no fix for the cosntant chat disconnect as of 8.8.8?