Search found 263 matches

by ghen
Sat Apr 20, 2024 6:02 pm
Forum: Administrators
Topic: How To Use cURL With Zimbra's New Support Vault
Replies: 1
Views: 259

Re: How To Use cURL With Zimbra's New Support Vault

Hi Mark

I tried this, but I get an error "password login forbidden" when using curl this way. I can only access the vault with a browser (with the same password...), not with WebDAV.
Is this something Zimbra support needs to enable per location / per user?
by ghen
Sat Apr 20, 2024 11:49 am
Forum: Administrators
Topic: BUG: Cannot set zimbraHttpCompressionEnabled to FALSE in zimbra 9 and 10
Replies: 5
Views: 220

Re: BUG: Cannot set zimbraHttpCompressionEnabled to FALSE in zimbra 9 and 10

Yes indeed. That's why I'm subscribed to (some of) their github repos. But the proprietary parts are not visible there of course.
by ghen
Fri Apr 19, 2024 2:37 pm
Forum: Installation and Upgrade
Topic: Zimbra 10.0.7 FIPS manage ciphers offered?
Replies: 3
Views: 163

Re: Zimbra 10.0.7 FIPS manage ciphers offered?

You can easily disable all DHE ciphers, just set zimbraSSLDHParam to an empty value: zmprov mcf zimbraSSLDHParam '' (that's an empty value between quotes). Btw, DHE ciphers are not vulnerable or "weak" in a cryptographic sense (when using a strong group), and FIPS mode will not disable the...
by ghen
Tue Apr 16, 2024 5:21 pm
Forum: Administrators
Topic: Zimbra suddenly extremely slow, multiple java processes eat more than 100% CPU, bug or compromised server?
Replies: 10
Views: 482

Re: Zimbra suddenly extremely slow, multiple java processes eat more than 100% CPU, bug or compromised server?

From time to time we have "runaway threads" that consume 100% CPU, a zmmailboxdctl restart "fixes" that (until it comes back).
Over the years we have had several exchanges with support about this, but so far no root cause has been identified.
by ghen
Wed Feb 28, 2024 2:42 pm
Forum: Administrators
Topic: LDAP do not start as zimbra but start as root.
Replies: 3
Views: 440

Re: LDAP do not start as zimbra but start as root.

Do you have zimbra-ldap-patch installed on your LDAP server(s)? Traditionally slapd was started as root (via sudo) to bind on port 389, and then dropped privileges to the zimbra user. This was changed some time ago to be started as zimbra, but with "cap_net_bind" capability to allow to bin...
by ghen
Thu Feb 15, 2024 8:12 pm
Forum: Administrators
Topic: New CPIO vulnerability (CVE-2023-7216). Zimbra affected?
Replies: 7
Views: 1073

Re: New CPIO vulnerability (CVE-2023-7216). Zimbra affected?

No need for all this trickery: merely having cpio installed on your system doesn't make it vulnerable; only amavisd using it to extract untrusted input does.
If you're on Zimbra 8.8.15 P40 / 9.0.0 P33 / 10.0.1 or newer, amavisd no longer uses cpio, even if pax is missing.
by ghen
Wed Feb 14, 2024 11:36 am
Forum: Administrators
Topic: New CPIO vulnerability (CVE-2023-7216). Zimbra affected?
Replies: 7
Views: 1073

Re: New CPIO vulnerability (CVE-2023-7216). Zimbra affected?

Removing cpio will break generation of initramfs on Red Hat based Linux distributions. This has been warned about on this forum before.

amavisd not using cpio anymore should be sufficient.
by ghen
Tue Feb 13, 2024 4:39 pm
Forum: Administrators
Topic: New CPIO vulnerability (CVE-2023-7216). Zimbra affected?
Replies: 7
Views: 1073

Re: New CPIO vulnerability (CVE-2023-7216). Zimbra affected?

There's still a big difference. You cannot make cpio execute commands; you could only make it write files to arbitrary destinations.
But if you can put an executable .jsp under /opt/zimbra/jetty/webapps/zimbra/public, you can execute it by calling the corresponding URL...
by ghen
Tue Feb 13, 2024 3:23 pm
Forum: Administrators
Topic: New CPIO vulnerability (CVE-2023-7216). Zimbra affected?
Replies: 7
Views: 1073

Re: New CPIO vulnerability (CVE-2023-7216). Zimbra affected?

Looks very similar indeed, this could trick amavis (using cpio) to write files into /opt/zimbra/jetty/webapps/zimbra/public, which contains executable code. This was initially fixed by installing pax, and later by avoiding cpio altogether. But the real underlying issue of this –and several other Zi...
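The posts above (13 Feb and 15 Feb) describe the risk as cpio, when amavisd uses it to unpack untrusted attachments, being tricked into writing a file outside the extraction directory, for example into /opt/zimbra/jetty/webapps/zimbra/public where a .jsp would be served. The following is an added example, not code from the thread, from Zimbra or from GNU cpio: a minimal reader for the SVR4 "newc" cpio format plus a pre-extraction check that refuses any member whose write would land outside the extraction root. It goes slightly beyond the thread in that it also covers the plain absolute-path and '..' traversal cases, alongside the symlink-then-write pattern in which an earlier member of the same archive creates a symlink and a later member is written through it. The archive contents, the member names and the extraction root /var/tmp/amavis-unpack are constructed for this example; only the public directory path comes from the thread.

```python
"""Added example: pre-extraction safety check for a cpio (newc) archive.

Not code from the forum thread, Zimbra or GNU cpio. The archive members
and the extraction root below are constructed for illustration.
"""
import posixpath

MAGIC = b"070701"           # SVR4 "newc" cpio magic
HEADER_LEN = 110            # 6-byte magic + 13 fields of 8 hex digits
S_IFMT, S_IFLNK = 0o170000, 0o120000

# Directory named in the thread as the place a dropped .jsp would be served from.
PUBLIC_DIR = "/opt/zimbra/jetty/webapps/zimbra/public"


def _pad4(n):
    """NUL padding needed to bring n up to a 4-byte boundary."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Build a newc cpio archive from (name, mode, data) triples.

    For a symlink member the data is the link target, as in real cpio.
    """
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        name_b = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, devmaj, devmin, rdevmaj, rdevmin, namesize, check
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
        header = MAGIC + b"".join(f"{v:08x}".encode() for v in fields)
        out += header + name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def parse_newc(blob):
    """Yield (name, mode, data) for each member, stopping at the trailer."""
    pos = 0
    while True:
        if blob[pos:pos + 6] != MAGIC:
            raise ValueError(f"bad newc magic at offset {pos}")
        fields = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name = blob[pos + HEADER_LEN:pos + HEADER_LEN + namesize - 1].decode()
        data_start = pos + HEADER_LEN + namesize + _pad4(HEADER_LEN + namesize)
        data = blob[data_start:data_start + filesize]
        pos = data_start + filesize + _pad4(filesize)
        if name == "TRAILER!!!":
            return
        yield name, mode, data


def _resolve(root, rel, symlinks):
    """Absolute path a write to archive-relative `rel` lands on, following
    symlinks that earlier members of the same archive would already have created."""
    cur, prefix = root, []
    for part in rel.split("/"):
        prefix.append(part)
        cur = posixpath.normpath(posixpath.join(cur, part))
        target = symlinks.get("/".join(prefix))
        if target is not None:
            base = target if posixpath.isabs(target) else posixpath.join(posixpath.dirname(cur), target)
            cur = posixpath.normpath(base)
    return cur


def unsafe_members(blob, extract_root="/var/tmp/amavis-unpack"):
    """Return [(name, reason)] for members a safe extractor should refuse."""
    root = posixpath.normpath(extract_root)

    def inside(path):
        return path == root or path.startswith(root + "/")

    symlinks, findings = {}, []
    for name, mode, data in parse_newc(blob):
        norm = posixpath.normpath(name)
        if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
            findings.append((name, "absolute path or '..' component"))
            continue
        dest = _resolve(root, norm, symlinks)
        if not inside(dest):
            findings.append((name, f"write resolves to {dest}, outside extraction root"))
        elif mode & S_IFMT == S_IFLNK:
            target = data.decode()
            link_dest = posixpath.normpath(target if posixpath.isabs(target)
                                           else posixpath.join(posixpath.dirname(dest), target))
            if not inside(link_dest):
                findings.append((name, f"symlink points to {link_dest}, outside extraction root"))
            # Recorded even when flagged, so later members written through it are reported too.
            symlinks[norm] = target
    return findings


def sample_archive():
    """Constructed archive: a harmless file, a classic '..' traversal, and the
    symlink-then-write pattern discussed in the thread."""
    return build_newc([
        ("readme.txt", 0o100644, b"harmless\n"),
        ("../outside.txt", 0o100644, b"escapes via ..\n"),
        ("pub", 0o120777, PUBLIC_DIR.encode()),
        ("pub/dropped.jsp", 0o100644, b"placeholder, never executed here\n"),
    ])


if __name__ == "__main__":
    for member, reason in unsafe_members(sample_archive()):
        print(f"REFUSE {member}: {reason}")
```

Run on the constructed archive, the check refuses `../outside.txt`, the `pub` symlink (its target is outside the root) and `pub/dropped.jsp`, because the last one would be written into the public directory rather than under /var/tmp/amavis-unpack, while `readme.txt` passes. The same walk can be applied to pax or tar member lists; the format reader is the only part specific to cpio.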