Hello Zimbra Friends, Customers & Partners,
Zimbra 9.0.0 Kepler Patch 28 and 8.8.15 James Prescott Joule Patch 35 are here.
The patches include What’s New, Security Fixes, Fixed Issues and Known Issues as listed in their respective release notes. Please refer to the release notes for the patch installation on Red Hat and Ubuntu platforms.
Release Notes:
Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps.
Please refer to Zimbra Releases for the latest releases and to Zimbra Security Center for security updates.
Thanks,
Your Zimbra Team
Hey, there,
there seems to be an issue with the repository for CentOS 7:
root@mail ~ # yum clean metadata
Loaded plugins: changelog, fastestmirror
Cleaning repos: HP-mcp HP-spp base epel extras fwpp updates zimbra zimbra-8815-oss
13 metadata files removed
17 sqlite files removed
0 metadata files removed
root@mail ~ # yum check-update
Loaded plugins: changelog, fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 23 kB 00:00:00
* base: mirror.telepoint.bg
* epel: fedora.ipacct.com
* extras: mirror.telepoint.bg
* updates: mirror.telepoint.bg
HP-mcp | 2.4 kB 00:00:00
HP-spp | 2.5 kB 00:00:00
base | 3.6 kB 00:00:00
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00
fwpp | 2.5 kB 00:00:00
updates | 2.9 kB 00:00:00
zimbra | 2.9 kB 00:00:00
zimbra-8815-oss | 2.9 kB 00:00:00
(1/12): base/7/x86_64/group_gz | 153 kB 00:00:00
(2/12): epel/x86_64/group_gz | 98 kB 00:00:00
(3/12): epel/x86_64/updateinfo | 1.0 MB 00:00:00
(4/12): HP-mcp/primary_db | 6.0 kB 00:00:00
(5/12): extras/7/x86_64/primary_db | 249 kB 00:00:00
(6/12): epel/x86_64/primary_db | 7.0 MB 00:00:00
(7/12): base/7/x86_64/primary_db | 6.1 MB 00:00:01
(8/12): fwpp/primary_db | 323 kB 00:00:00
(9/12): zimbra/primary_db | 147 kB 00:00:00
(10/12): updates/7/x86_64/primary_db | 18 MB 00:00:01
zimbra-8815-oss/primary_db FAILED ====================- ] 8.6 MB/s | 34 MB 00:00:00 ETA
https://repo.zimbra.com/rpm/8815/rhel7/repodata/213f26e17b13b6414fae4745fe9a591d6db006ef29956f85a516c502ba316bd0-primary.sqlite.bz2: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below wiki article
https://wiki.centos.org/yum-errors
If above article doesn't help to resolve this issue please use https://bugs.centos.org/.
(11/12): HP-spp/primary_db | 2.8 MB 00:00:04
zimbra-8815-oss/primary_db FAILED
https://repo.zimbra.com/rpm/8815/rhel7/repodata/213f26e17b13b6414fae4745fe9a591d6db006ef29956f85a516c502ba316bd0-primary.sqlite.bz2: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
https://repo.zimbra.com/rpm/8815/rhel7/repodata/213f26e17b13b6414fae4745fe9a591d6db006ef29956f85a516c502ba316bd0-primary.sqlite.bz2: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
Is the repo disabled deliberately at your end, or is there an issue?
Cheers
We are looking into your issue. I confirmed there are no issues on Zimbra 9 on both Ubuntu and CentOS.
Thanks for the quick resolution Barry de Graaff! I confirm all is fine with the patch on Zimbra 8.8.15 on CentOS 7.
cheers!
Can you share some details (impact, possible mitigations, …) on the two security issues?
* RCE through ClientUploader from authenticated admin user.
* XSS can occur via one of the attributes in webmail URLs, leading to information disclosure.
Thanks
Mitigation of the security issues can be done by applying the latest patches. In case you want to do some other mitigation, please file a support case.
Hi
Zimbra 9 patch 28, after the patch upgrade we cannot send emails with attached files or images in the signature due to this error: mail.SCAN_ERROR
I found this error in mailbox.log file:
java.net.ProtocolException: Got ‘UNKNOWN COMMAND’ from clamd, was expecting PORT
Thank you
For now you can work around this issue as follows:
zmprov ms `zmhostname` zimbraAttachmentsScanEnabled FALSE
zmcontrol restart
Barry de Graaff – is the solution for this problem?
Amavis has been upgraded in the July patch, so this should be fixed now.