Search found 251 matches

by halfgaar
Wed Jan 28, 2026 7:56 pm
Forum: Administrators
Topic: High scoring openssl vulnerability CVE-2025-15467 - install + reboot
Replies: 10
Views: 2690

High scoring openssl vulnerability CVE-2025-15467 - install + reboot

Just in case people missed it: https://groups.google.com/a/openssl.org/g/openssl-project/c/pwBoo9Tac6M I'm not sure if the particular subsystem is part of a normal TLS hand port, but better safe than sorry. Better upgrade, and reboot (because libssl is used by many things, and a reboot is the quicke...
by halfgaar
Fri Nov 07, 2025 8:10 am
Forum: Installation and Upgrade
Topic: IMPORTANT: DO NOT let system package manger update zimbra-jetty-distribution w/o 10.1.13
Replies: 20
Views: 10569

Re: IMPORTANT: DO NOT let system package manger update zimbra-jetty-distribution w/o 10.1.13

What other breaking changes have you noticed with the 10.1.13 FOSS packages? Rolling back and pinning zimbra-jetty-distribution was sufficient to resolve my problems. I have not yet seen any issues with the other major update (openssl), and I do not use Zimbra's clamav. That wasn't specifically 10....
by halfgaar
Thu Nov 06, 2025 8:13 pm
Forum: Installation and Upgrade
Topic: Zimbra 10.1.13 Released - Please Post Your Patch/Upgrade Results Here
Replies: 78
Views: 22754

Re: Zimbra 10.1.13 Released - Please Post Your Patch/Upgrade Results Here

I guess this is a result too: IMPORTANT: DO NOT let system package manger update zimbra-jetty-distribution w/o 10.1.13

If one wants to do 'apt update' to install the clamav updates, you're in a bind (as a FOSS user).
by halfgaar
Thu Nov 06, 2025 8:10 pm
Forum: Administrators
Topic: ClamAV update 1.0.8 -> 1.0.9
Replies: 5
Views: 3162

Re: ClamAV update 1.0.8 -> 1.0.9

Note BTW: as an open source user, updating your packages may be difficult. See IMPORTANT: DO NOT let system package manger update zimbra-jetty-distribution w/o 10.1.13. I just tried upgrading clamav stuff only, but it's now broken because it also requires a newer openssl. But, I'll wait with that, unt...
by halfgaar
Thu Nov 06, 2025 7:55 pm
Forum: Administrators
Topic: ClamAV update 1.0.8 -> 1.0.9
Replies: 5
Views: 3162

Re: ClamAV update 1.0.8 -> 1.0.9

Clamav is really a liability at this point. Disabling it is safer. I mean, this (https://www.cve.org/CVERecord?id=CVE-2025-20260) is a zero-click hack: just send someone a PDF. The chance of that happening is a lot higher than me opening a virus. In fact, I've been getting all sorts of pdf attachmen...
by halfgaar
Thu Nov 06, 2025 7:44 pm
Forum: Installation and Upgrade
Topic: IMPORTANT: DO NOT let system package manger update zimbra-jetty-distribution w/o 10.1.13
Replies: 20
Views: 10569

Re: IMPORTANT: DO NOT let system package manger update zimbra-jetty-distribution w/o 10.1.13

There are other packages that break if you just do the apt stuff. I have learned you just can't do that. Which means now I'm in a bind, because my FOSS doesn't have 10.1.13.

As for the clam-av fixes that would be installed, I disabled clamav a long time ago.
by halfgaar
Thu Oct 30, 2025 4:29 pm
Forum: Installation and Upgrade
Topic: Maldua's Zimbra FOSS Builds - 2025 Year Feedback [Archive]
Replies: 119
Views: 121404

Re: Maldua's Zimbra FOSS Builds - Share your feedback

Excellent, thanks. I will likely try the full build soon.
by halfgaar
Thu Oct 30, 2025 8:52 am
Forum: Installation and Upgrade
Topic: Maldua's Zimbra FOSS Builds - 2025 Year Feedback [Archive]
Replies: 119
Views: 121404

Re: On ZCS NE 10.1.12 nginx.conf.chat.common.template fix

I actually don't know. Hopefully someone more knowledgeable than me can jump in and give us some insight. You're in the other thread, so you must have seen it, but for completeness, in Zimbra 10.1.12 Released - Please Post Your Patch/Upgrade Results Here, it was determined that a Zimbra installati...
by halfgaar
Thu Oct 30, 2025 8:48 am
Forum: Installation and Upgrade
Topic: Zimbra 10.1.12 Released - Please Post Your Patch/Upgrade Results Here
Replies: 23
Views: 8468

Re: Zimbra 10.1.12 Released - Please Post Your Patch/Upgrade Results Here

Since host was not validated before the patch, theoretically someone could send cookie values that construct a 3rd party hostname into $chat_host and Zimbra would proxy requests to. Aaah, I didn't think that direction. I wouldn't call that a CSRF. Mostly one is victim to CSRF, not a 'tool for'. I t...
by halfgaar
Wed Oct 29, 2025 9:02 pm
Forum: Installation and Upgrade
Topic: Zimbra 10.1.12 Released - Please Post Your Patch/Upgrade Results Here
Replies: 23
Views: 8468

Re: Zimbra 10.1.12 Released - Please Post Your Patch/Upgrade Results Here

The empty map comes from the template: ${web.upstream.chat} ${web.upstream.chat.map_entries} So, if you don't have chat, $proxy_chat_host is an empty string, and the location as matched in '/opt/zimbra/conf/nginx/includes/nginx.conf.chat.common' set an empty 'Host' header and proxy_cookie_domain to ...