Patch Security Severity: Medium
Deployment Risk: Low
We have released Zimbra Version 10.1.17, bringing meaningful improvements across the Modern WebClient — from how you compose and read email to how you schedule meetings — along with fixes for ZCO, mobile, and server components, and several important security patches your teams should be aware of.
We strongly recommend that all admins and users upgrade for improved stability and enhanced email compatibility.
What’s New in 10.1.17
- Voice Composer for Email: Dictate emails hands-free with system language detection and spoken punctuation — available in new, reply, and forward views. Enabled by admins via the voice-composer Zimlet.
- Smarter Calendar Scheduling: A redesigned event creation flow reduces scrolling for quicker scheduling. The new “Suggest a Time” feature shows participant availability and recommends optimal meeting slots as attendees are added.
- Enhanced Email Experience: View the latest emails first with a new thread order setting. Attachments are pinned to a dedicated top panel in thread view, and the composer now supports drag-and-drop attachments, multi-signature, and autosave with a cleaner layout.
- 2FA on Login Page: QR code now shown directly at login when 2FA is enforced, removing the need to visit preferences first.
- Desktop App Upgraded: Electron updated from 37 to 41, bringing improved security, performance, and compatibility with newer Chromium and Node.js versions.
- Ubuntu 24: Now fully supported as a GA release.
Security Patches
- Delegated Send Hardened: Fixed an authorization bypass that could allow authenticated users to send emails impersonating other users.
- Classic UI Attachment Preview Secured: Fixed a stored XSS vulnerability where malicious email attachments could execute scripts when previewed.
- LFI Vulnerabilities Patched: Closed both an authenticated LFI in Briefcase via the packages parameter, and an unauthenticated LFI in Classic UI via the fu parameter.
- EWS Endpoint Protected: Fixed a CSRF vulnerability that could allow unauthorized actions to be performed on behalf of authenticated users.
- Document Editing Token Security Improved: Fixed weak random number generation for zimbraDocumentEditingJwtSecret, which was susceptible to offline brute-force attacks.
⚠️ RHEL 9 and Ubuntu 22: SSHA256 password hashes on these platforms may cause authentication failures after password changes or migrations. Reset affected user passwords post-upgrade to restore access — passwords generated after the fix will be created correctly.
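The zimbraDocumentEditingJwtSecret fix above comes down to where the secret's randomness comes from: a value derived from a weak or predictable generator has far less entropy than its length suggests, which is what makes offline guessing feasible. The block below is an added illustration, not Zimbra's code, of what a properly generated secret looks like and how an admin can sanity-check an existing one. It assumes a hex-encoded secret of at least 32 bytes (the HS256 output size) as the baseline; the function names and the threshold are this example's own choices.

```python
import math
import secrets

# Baseline assumed for this example: an HMAC signing key should carry at least as
# many bytes of entropy as the hash it is used with (32 bytes for SHA-256).
MIN_SECRET_BYTES = 32
MIN_DISTINCT_CHARS = 8  # crude guard against degenerate values such as "000...0"


def generate_jwt_secret(num_bytes: int = MIN_SECRET_BYTES) -> str:
    """Return a hex-encoded secret drawn from the operating system's CSPRNG.

    secrets.token_hex() is the right source here; a PRNG seeded from a short
    value (time, PID, a 32-bit seed) only ever yields as many bits as its seed,
    no matter how long the output string is.
    """
    return secrets.token_hex(num_bytes)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Search-space size in bits of a string of `length` uniformly random symbols."""
    return length * math.log2(alphabet_size)


def is_strong_jwt_secret(secret: str) -> bool:
    """Sanity-check a configured secret: enough raw bytes and not degenerate.

    This cannot prove a secret was generated randomly; it only rejects values
    that are too short or visibly patterned, which is the practical check an
    admin can run against a value read back from configuration.
    """
    if not secret:
        return False
    try:
        raw = bytes.fromhex(secret)  # hex-encoded secrets, as produced above
    except ValueError:
        raw = secret.encode("utf-8")  # fall back to treating the text as the key itself
    if len(raw) < MIN_SECRET_BYTES:
        return False
    return len(set(secret)) >= MIN_DISTINCT_CHARS


if __name__ == "__main__":
    new_secret = generate_jwt_secret()
    print("generated:", new_secret)
    print("bits of entropy for 64 hex symbols:", entropy_bits(16, 64))
    print("strong?", is_strong_jwt_secret(new_secret))
    print("'deadbeef' strong?", is_strong_jwt_secret("deadbeef"))
```

The check is deliberately conservative: it flags short or repetitive values but says nothing about how a passing value was produced, so the generator, not the checker, is the part that matters. Applying the generated value to zimbraDocumentEditingJwtSecret follows your deployment's usual configuration workflow and is not shown here.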
Key Bug Fixes & Improvements
- Mailbox Data Protected Post-migration: zmpurgeoldmbox now safely skips blobs still referenced by active mailboxes, eliminating a data loss risk after mailbox migration.
- Mailbox Quota Bypass via IMAP Copy to Trash: A configurable soft limit keeps mailbox size in check, preventing unchecked growth from repeated IMAP copy operations.
- ZCO Delegated Send: Emails sent via Send As are now correctly saved in the delegated account’s Sent folder, and forwarded messages preserve their original formatting.
- Samsung Email: Contacts now sync consistently for datasets over 1,000 contacts.
- iOS Calendar: Events stay visible after accepting an invite, even when auto-add invites is disabled. Responses are also correctly sent to the organizer now.
- Mobile App: Attachments in the Zimbra mobile app now download successfully without getting stuck.
- Modern WebClient: PDF multi-page preview, print (Ctrl+P), and local contact autocomplete all fixed.
Additional Fixed Issues
- 20+ additional fixes across Admin Console, Chat, ZCO, Backup, and Zimbra Desktop, including filter rule duplication, search highlighting, keyboard shortcuts, Admin Console localisation, and chat performance.
Customer Feedback Portal
Vote on suggested features, propose your own and stay updated with our product roadmap. Join us at pm.zimbra.com, our dedicated customer portal, for product feedback. Contribute to Zimbra’s evolution!