Zimbra Patches: 8.8.11 Patch 3 + 8.8.10 Patch 7 + 8.7.11 Patch 9

Hello Zimbra Friends, Customers & Partners,

We have three new patches to announce:

  • Zimbra 8.8.11 “Homi Bhabha” Patch 3
  • Zimbra 8.8.10 “Konrad Zuse” Patch 7
  • Zimbra 8.7.11 Patch 9

Zimbra 8.8.11 Patch 3 , 8.8.10 Patch 7 and 8.7.11 Patch 9 patches were updated to include a small fix on March 8, 2019. The Patches now include a fix for broken conversation view in Firefox. If you applied these patches before March 8, please re-apply following the instructions on their respective release notes.

Zimbra 8.8.11 “Homi Bhabha” Patch 3

Patch 3 is here for the Zimbra 8.8.11 “Homi Bhabha” GA release, and it includes fixes as listed in the release notes.

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
109097 Insecure object deserialization – IMAP [CWE-502] CVE-2019-6980 3.5 Minor 8.8.11 Patch 3

Fixed Issues

  • Fixed issue where Proxies do not failover to the next mailbox server if the server is hung
  • Fixed an issue with viewing HTML emails in Chrome v73
  • Fixed login issue in AJAX client on Edge 44 browser
  • Fixed the issue where web client doesn’t display PDF files attached to mails sent with Apple Mail
  • zimbraMtaBlockedExtension is now working when sending a file with trailing spaces

Patch Installation

Note on fixes in this Patch: Please read this section before proceeding with Patch3 installation.

  • This patch includes fixes on MTA and Proxy.
  • As the proxy package is an add-on package, it should be installed only on Proxy nodes. When the Zimbra version is checked on Proxy node with the “zmcontrol -v” command, it will show the version as ‘Patch 8.8.11_P3 Proxy’.
  • Similarly, the MTA patch is an add-on package, and it should be installed only on MTA nodes. The version can be checked with “zmcontrol -v”, and it will show the version as ‘Patch 8.8.11_P3 mta’.
  • If Proxy/MTA services are on a mailbox node, admins can install the MTA and proxy patches first and then zimbra-patch. In this case, “zmcontrol -v” will show the version as ‘Patch 8.8.11_P3’.

For 8.8.11 Patches, you don’t need to download any patch builds. 8.8.11 Patch packages can be installed using Linux package management commands. Please refer to the release notes for Zimbra 8.8.11 Patch 3 installation on Redhat and Ubuntu platforms.

Note: Installing the zimbra-patch package only updates the Zimbra core packages.

Zimbra 8.8.10 “Konrad Zuse” Patch 7

Patch 7 is here for the Zimbra 8.8.10 “Konrad Zuse” GA release, and it includes fixes as listed in the release notes.

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
109097 Insecure object deserialization – IMAP [CWE-502] CVE-2019-6980 3.5 Minor 8.8.10 Patch 7

Fixed Issues

  • Fixed an issue with viewing HTML emails in Chrome v73
  • Fixed login issue in AJAX client on Edge 44 browser
  • zimbraMtaBlockedExtension is now working when sending a file with trailing spaces

Patch Installation

Note on fixes in this Patch: Please read this section before proceeding with Patch 7 installation.

  • This patch includes fixes on MTA.
  • The MTA patch is add on package, and it should be installed only on MTA nodes. The version can be checked with “zmcontrol -v”, and it will show the version as ‘Patch 8.8.10_P7 mta’.
  • If MTA services are on the mailbox node, admins can install the MTA patch first and then zimbra-patch. In this case, “zmcontrol -v” will show version as ‘Patch 8.8.10_P7’.

For 8.8.10 Patches, you don’t need to download any patch builds. 8.8.10 Patch packages can be installed using Linux package management commands. Please refer to the release notes for Zimbra 8.8.10 Patch 7 installation on Redhat and Ubuntu platforms.

Note: Installing zimbra-patch package only updates the Zimbra core packages.

Nginx Bug Fix

We have fixed critical Proxy/Nginx bug where Proxy does not failover correctly in certain conditions. This fix is in zimbra-nginx package which is not available with this Patch installation. To get latest zimbra-nginx package, please follow steps from wiki: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/nginx_hotfix

Zimbra 8.7.11 Patch 9

Patch 9 is here for the Zimbra 8.7.11 GA release, and it includes fixes as listed in the release notes.

Fixed Issues

Fixed an issue with viewing HTML emails in Chrome v73
Fixed login issue in AJAX client on Edge 44 browser

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
109097 Bug 109097 – Insecure object deserialization – IMAP [CWE-502] CVE-2019-6980 3.5 Minor 8.7.11 Patch 9

Nginx Bug Fix

We have fixed critical Proxy/Nginx bug where Proxy does not failover correctly in certain conditions. This fix is in zimbra-nginx package which is not available with this Patch installation. To get latest zimbra-nginx package, please follow steps from wiki: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/nginx_hotfix

Patch Installation

Download the patch for Network Edition and Open Source Edition.

Please refer to the release notes for 8.7.11 Patch 9 installation.

Note: Installing zimbra-patch package only updates the Zimbra core packages.

Thank you,
Your Zimbra Team

Comments are closed.

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures