Patch for Zimbra Daffodil 10.0.4, 9.0.0 Patch-36 & 8.8.15 Patch-43

Guarding Against XSS: Security Update

This Patch Release is for the following editions

This notification is published ahead of the actual release to enable administrators to schedule time to install the patch.

The patch has been released on Wednesday (13 Sept).

The steps for installing this patch can be found in the release notes linked above.

6 Responses to Patch for Zimbra Daffodil 10.0.4, 9.0.0 Patch-36 & 8.8.15 Patch-43

  1. Geert September 13, 2023 at 3:25 AM #

    There seems to be an encoding issue in several .js files in zimbra-mbox-webclient-war since this patch. The diff looks like:

    – //Only the server will set ZmSetting.TWO_FACTOR_AUTH_ENABLED. Don’t try to save the setting from the UI.
    + //Only the server will set ZmSetting.TWO_FACTOR_AUTH_ENABLED. Don???t try to save the setting from the UI.

    Notice how the non-ASCII apostrophe gets replaced with “???”

    While this doesn’t matter in a comment, there may be other encoding issues in different places…
    The corresponding source file didn’t change:
    So the encoding error was probably introduced while building/packaging.

    • Jered September 13, 2023 at 5:41 AM #

      This character encoding issue only affects four comments through the entire zimbra-mbox-webclient-war package, so I think this is safe to apply. The root cause should be identified to avoid possible future problems, though.

  2. Geert September 13, 2023 at 4:14 AM #

    Also, in the UI this build is labeled “8.8.15_GA_3”, whereas previous version was “8.8.15_GA_4545”, with always increasing GA build number. This seems wrong as well?

  3. Geert September 13, 2023 at 4:44 AM #

    Also, while removing the Docs.jsp file, shouldn’t the patch also remove the corresponding jetty/work/zimbra/jsp/org/apache/jsp/public_/Docs_jsp.* files, as was done for hostedlogin.jsp in the previous patch ?

  4. Umashankar Avagadda September 13, 2023 at 6:01 AM #

    can you share the ZCS version and OS details ?

  5. Deepak Gautam September 14, 2023 at 6:16 AM #

    Hi Geert,

    After a thorough review of all the details, we have determined that there are no significant impacts resulting from the encoding issues.

    The encoding change is a byproduct of our build process, and our team is actively working to resolve it in the next patch release. Importantly, this encoding issue does not affect the functionality of the system.

    Regarding Docs.JSP and other files, the security issue is from the JSP file only and the JSP file is the entry point. After the previous patch, we validated these issues and found no impact from other files.

    Thank you for your feedback. If you have any further questions or concerns, please let us know.

Leave a Reply

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures