CRITICAL SECURITY PATCH
This alert is sent out to all Zimbra partners, customers and subscribers
Patch Security Severity: High
Deployment Risk: Low
This patch fixes a critical security vulnerability related to stored cross-site scripting in the Zimbra Classic Web Client.
The fix strengthens input sanitization and enhances security. All customers are strongly advised to upgrade to this latest patch version immediately.
APPLY THIS PATCH IMMEDIATELY
To allow all customers to apply this patch in a timely manner, the enforcement of zimbraLowestSupportedAuthVersion level=2 has been reverted.
This allows customers who did not upgrade to the previous patch release due to LDAP load concerns to apply this patch directly.
Note: Customers already on zimbraLowestSupportedAuthVersion level=2 should retain their current setting.
We strongly urge Zimbra administrators to ensure their systems are up to date with the latest security updates and patched versions:
- Zimbra Daffodil 10.1.5 (Release Notes)
- Zimbra Daffodil 10.0.13 (Release Notes)
- 9.0.0 P44 (Release Notes)
Existing Zimbra 9 customers have until 06/30/2025 to upgrade to the new version (Daffodil v10).
Also, please note that the details of the zimbraLowestSupportedAuthVersion enforcement will be removed from the previous versions’ release notes and a reference to the 10.1.5 release will be inserted to avoid confusion.
Keeping Zimbra updated is crucial to protect against known vulnerabilities and maintain a secure environment. For more information, check out Zimbra_Releases.
Refer to the release notes for the patch installation on Red Hat and Ubuntu platforms.
An upgrade to the latest patch for your version is highly recommended. Refer to our blog and the Zimbra Security Center for steps to ensure your system is safe. You can also set up RSS feed notifications.
Keeping your Zimbra system secure is as simple as regularly applying the latest patches—don’t wait to update!