Hello Zimbra Friends, Customers & Partners,
Zimbra 8.8.15 “James Prescott Joule” Patch 1 and 8.8.12 “Isaac Newton” Patch 5 are here.
For Zimbra 8.8.8 and above, you don’t need to download any patch builds. The patch packages can be installed using Linux package management commands. Please refer to the respective release notes for patch installation on Red Hat and Ubuntu platforms.
Note: Installing a zimbra-patch package only updates the Zimbra core packages.
Zimbra 8.8.15 “James Prescott Joule” Patch 1
Patch 1 is here for the Zimbra 8.8.15 “James Prescott Joule” GA release, and it includes fixes as listed in the release notes.
Highlights:
- Zimbra 8.8.15 is now fully supported on UBUNTU18 (GA). Download the latest UBUNTU-18 binaries from https://www.zimbra.com/downloads
- Zimbra Connect (New Features)
  - Instant Meetings – Text and video chat sessions can include external users.
  - User Profile Manager – Users now can manage their Connect notification settings and upload a profile picture.
Security Fixes
Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.
Bug# | Summary | CVE-ID | CVSS Score | Zimbra Rating | Fix Release or Patch Version |
---|---|---|---|---|---|
109174 | Non-Persistent XSS – admin console | CVE-2019-12427 | 4.3 | Minor | 8.8.15 P1 |
109141 | Non-Persistent XSS – web client | CVE-2019-15313 | 4.3 | Minor | 8.8.15 P1 |
Zimbra 8.8.12 “Isaac Newton” Patch 5
Patch 5 is here for the Zimbra 8.8.12 “Isaac Newton” GA release, and it includes fixes as listed in the release notes.
Fixed Issues |
---|
CSS display attribute is now configurable in OWASP allowing users to have better control over HTML rendering elements. |
Introduction of OWASP sanitization caused HTML action buttons shown in emails to open the links inside the email preview pane. They now open in a new tab or window. |
The zimbraLastLogonTimeStampFrequency setting now limits the frequency of updates to the lastLoginTimeStamp in ephemeral data storage, reducing the load for syncing those changes in multi-node systems. |
Thank you,
Your Zimbra Team
Hi,
Is Zimbra 8.7.11 affected by the CVE listed in this patch?
Thanks
Marco
Hi Marco – sorry for the delayed response! Yes, we released 8.7.11 patch 14 today which fixes the CVE. Thanks!