8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Ask questions about your setup or get help installing ZCS server (ZD section below).
loadaccess_jt
Posts: 6
Joined: Tue May 21, 2019 7:12 am
Location: Canada
ZCS/ZD Version: Release 8.8.12.GA.3794.UBUNTU16.64

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by loadaccess_jt »

loadaccess_jt wrote:Release 8.8.12.GA.3794.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.12_P3.

I just did an apt update/upgrade on all my servers (multi setup), restarted, left a new message open (with the image in my signature) and no longer appear to be having the issue.
If that changes I'll report back, but it looks like it's fixed (at least on the above version).
Turns out I was wrong, it was late and admittedly I didn't do much testing. It doesn't appear to affect new messages now, but on reply's it is still an issue.
toslan
Posts: 3
Joined: Tue Jun 25, 2019 12:01 pm

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by toslan »

gbkersey wrote:Amazing... I don't think they had time to test the patch to mbox war..... from the git log:

commit 302b9ec9d99004670e046af58919635618cbf739 (HEAD -> develop, origin/develop, origin/HEAD)
Author: Aumin Patel <auminpatel007@gmail.com>
Date: Tue Jun 11 14:55:01 2019 +0530

ZBUG-7209 : decoding the cid of inline images for owasp feature

commit a0a68883536d3baf0cb64fcea2f3d061a33218ec
Author: Aumin Patel <auminpatel007@gmail.com>
Date: Mon Jun 10 18:03:10 2019 +0530

ZBUG-7209 : adding html-decoder for inline images for owasp feature to decode the @ character

My date math is a bit suspect, but how many hours is it betewwn 3PM India time and noon Central Daylight time in the US??? Not very long...

Anyway, the fix that worked for me (so far) is just to revert the zimbra-mbox-war package to to the original version shipped with 8.8.12 - zimbra-mbox-war_8.8.12.1553847719 - then - su - zimbra -c "zmmailboxdctl restart"

I guess Quality Control is a thing of the past.
Could you explain in more detail this workaround?
User avatar
dominix
Advanced member
Advanced member
Posts: 51
Joined: Sat Sep 13, 2014 1:07 am
Location: Pacific sud
ZCS/ZD Version: 7.2.7 ... 8.8.15 ... 9.0.0

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by dominix »

@toslan
that mean if you reinstall the package zimbra-mbox-war_8.8.12.1553847719 from the original install ( zcs-8.8.12_GA_3794.WHATEVER_64.20190329045002.tgz ) you will fix the bug, but you will not fix the breach that the P3 patch did fix.
that said, it doesn't worked for me...
User avatar
oetiker
Outstanding Member
Outstanding Member
Posts: 275
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 10.0.6.GA.4518.UBUNTU20_64
Contact:

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by oetiker »

Hi

I did unpack the two dpkg files the special thing is that only one file is different....

zimbra-mbox-war_8.8.12.1553847719-1.u16_amd64.deb
zimbra-mbox-war_8.8.12.1559550747-1.u16_amd64.deb

Code: Select all

diff -r orig p3
diff -r orig/control p3/control
2c2
< Version: 8.8.12.1553847719-1.u16
---
> Version: 8.8.12.1559550747-1.u16
5c5
< Installed-Size: 27358
---
> Installed-Size: 27423
diff -r orig/md5sums p3/md5sums
44c44
< cd1653b71b091cea5f77025ea01bd1ca  opt/zimbra/jetty_base/webapps/service/WEB-INF/lib/owasp-java-html-sanitizer-r239.jar
---
> b2f9662bc3c7e5d26161fe494dd2da2f  opt/zimbra/jetty_base/webapps/service/WEB-INF/lib/owasp-java-html-sanitizer-20190503.1.jar
68c68
< f2e3f2561704b630b3a598009d553528  usr/share/doc/zimbra-mbox-war/changelog.Debian.gz
---
> 77456bf964fb0c0e517314e5b9c14f39  usr/share/doc/zimbra-mbox-war/changelog.Debian.gz
Only in p3/opt/zimbra/jetty_base/webapps/service/WEB-INF/lib: owasp-java-html-sanitizer-20190503.1.jar
Only in orig/opt/zimbra/jetty_base/webapps/service/WEB-INF/lib: owasp-java-html-sanitizer-r239.jar
Binary files orig/usr/share/doc/zimbra-mbox-war/changelog.Debian.gz and p3/usr/share/doc/zimbra-mbox-war/changelog.Debian.gz differ
I have in my patched version 8.8.12p3 both files

Code: Select all

431645    209 -rw-r--r--   1 zimbra   zimbra      194485 Jun  6 14:39 /opt/zimbra/jetty_base/webapps/service/WEB-INF/lib/owasp-java-html-sanitizer-20190503.1.jar
431520     209 -r--r--r--    1 root     root          194485 Jun  6 14:50 /opt/zimbra/lib/jars/owasp-java-html-sanitizer-r239.jar
in the original pkg is only the file owasp-java-html-sanitizer-r239.jar and in the new version is only the file owasp-java-html-sanitizer-20190503.1.jar

strange...

and the two files are exactly the same ... :shock:

Code: Select all

# md5sum /opt/zimbra/jetty_base/webapps/service/WEB-INF/lib/owasp-java-html-sanitizer-20190503.1.jar
b2f9662bc3c7e5d26161fe494dd2da2f  /opt/zimbra/jetty_base/webapps/service/WEB-INF/lib/owasp-java-html-sanitizer-20190503.1.jar
# md5sum /opt/zimbra/lib/jars/owasp-java-html-sanitizer-r239.jar
b2f9662bc3c7e5d26161fe494dd2da2f  /opt/zimbra/lib/jars/owasp-java-html-sanitizer-r239.jar
Last edited by oetiker on Wed Jun 26, 2019 7:09 am, edited 2 times in total.
User avatar
oetiker
Outstanding Member
Outstanding Member
Posts: 275
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 10.0.6.GA.4518.UBUNTU20_64
Contact:

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by oetiker »

original patched 8.8.12p3 the two files are the same:

Code: Select all

find /opt/zimbra -name owasp-java-html-sanitizer\* -exec md5sum {} \; -ls
b2f9662bc3c7e5d26161fe494dd2da2f  /opt/zimbra/jetty_base/webapps/service/WEB-INF/lib/owasp-java-html-sanitizer-20190503.1.jar
   146166    192 -rw-r--r--   1 zimbra   zimbra     194485 Jun  6 14:39 /opt/zimbra/jetty_base/webapps/service/WEB-INF/lib/owasp-java-html-sanitizer-20190503.1.jar
b2f9662bc3c7e5d26161fe494dd2da2f  /opt/zimbra/lib/jars/owasp-java-html-sanitizer-r239.jar
   156534    192 -r--r--r--   1 root     root       194485 Jun  6 14:50 /opt/zimbra/lib/jars/owasp-java-html-sanitizer-r239.jar
install original zimbra-mbox-war_8.8.12.1553847719-1.u16_amd64.deb from the zimbra 8.8.12 tar file

Code: Select all

find /opt/zimbra -name owasp-java-html-sanitizer\* -exec md5sum {} \; -ls
cd1653b71b091cea5f77025ea01bd1ca  /opt/zimbra/jetty_base/webapps/service/WEB-INF/lib/owasp-java-html-sanitizer-r239.jar
   148621    128 -rw-r--r--   1 root     root       127438 Mar 29 10:10 /opt/zimbra/jetty_base/webapps/service/WEB-INF/lib/owasp-java-html-sanitizer-r239.jar
b2f9662bc3c7e5d26161fe494dd2da2f  /opt/zimbra/lib/jars/owasp-java-html-sanitizer-r239.jar
   156534    192 -r--r--r--   1 root     root       194485 Jun  6 14:50 /opt/zimbra/lib/jars/owasp-java-html-sanitizer-r239.jar
they are different... :o :shock:
User avatar
oetiker
Outstanding Member
Outstanding Member
Posts: 275
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 10.0.6.GA.4518.UBUNTU20_64
Contact:

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by oetiker »

this was not helping in my case .... bug is still there ...
Half-Ogre
Posts: 1
Joined: Wed Jun 26, 2019 3:16 pm

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by Half-Ogre »

Confirm that this fix is not working on 8.8.12p3 opensource. Also have few systems affected this bug.Its not critical but damn annoying.
User avatar
juliano.morona
Posts: 11
Joined: Fri May 12, 2017 4:58 pm

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by juliano.morona »

Unfortunately, this patch didn't solve the bug
User avatar
jered
Advanced member
Advanced member
Posts: 53
Joined: Sat Sep 13, 2014 12:35 am
Location: Somerville, MA

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by jered »

I applied this, restarted zimbra, and reloaded my browser but this does not seem to have helped.

Is there some special step to rebuild the JS archives that are delivered to the browser?
Post Reply