Zimbra 8.8.10 Patch 7 and 8.8.11 Patch 3 Released - Two Cautions
Posted: Sat Mar 02, 2019 4:11 pm
The Release Notes for these patches were published on Friday and the Patch packages hit the repos sometime overnight. The main download pages have yet to be updated as I write this, but I know early adopters watch the repos and the Release Notes so, while I've yet to install these Patches I thought it would be helpful to point out a few things based on what I see so far:
First, these new patches include a new Zimbra package, "zimbra-mta-patch" which must be installed manually on all MTA nodes as it is an entirely new package. If you just run " apt-get update && apt-get dist-upgrade" you won't get this new MTA patch.
Second, this new MTA patch is to fix the problem with files having blocked extensions getting through because the filenames have spaces at the end. I downloaded the deb package, unpacked it and as I suspected it contains a replacement /opt/zimbra/conf/amavisd.conf.in file with a modified regex like so (the patch file is listed first):
In my experience, many Zimbra Admins customize the /opt/zimbra/conf/amavisd.conf.in file, so before you install this patch I recommend downloading and unpacking the deb file, and then run a diff against the mta patch version and your own version of /opt/zimbra/conf/amavisd.conf.in. In this way, if you have any amavis customizations in this file, you can put them back in place immediately after you install the mta patch.
Here's the process I used after running "apt-get update":
Hope that helps,
Mark
First, these new patches include a new Zimbra package, "zimbra-mta-patch" which must be installed manually on all MTA nodes as it is an entirely new package. If you just run " apt-get update && apt-get dist-upgrade" you won't get this new MTA patch.
Second, this new MTA patch is to fix the problem with files having blocked extensions getting through because the filenames have spaces at the end. I downloaded the deb package, unpacked it and as I suspected it contains a replacement /opt/zimbra/conf/amavisd.conf.in file with a modified regex like so (the patch file is listed first):
Code: Select all
< %%uncomment VAR:zimbraMtaBlockedExtension%%qr{.\.(?:%%list VAR:zimbraMtaBlockedExtension |%%)\s*$}i,
---
> %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i,Here's the process I used after running "apt-get update":
Code: Select all
root@my:~# mkdir mta-patch
root@my:~# cd mta-patch/
root@my:~/mta-patch# apt-get download zimbra-mta-patch
Get:1 https://repo.zimbra.com/apt/8810 xenial/zimbra amd64 zimbra-mta-patch amd64 8.8.10.1551265076.p7-1.u16 [15.9 kB]
Fetched 15.9 kB in 0s (67.3 kB/s)
W: Can't drop privileges for downloading as file '/root/zimbra-mta-patch_8.8.10.1551265076.p7-1.u16_amd64.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
root@my:~/mta-patch# ar -x zimbra-mta-patch_8.8.10.1551265076.p7-1.u16_amd64.deb
root@my:~/mta-patch# cd ~/mta-patch/opt/zimbra/lib/patches/mta
root@my:~/mta-patch/opt/zimbra/lib/patches/mta# ls
amavisd.conf.in
root@my:~/mta-patch/opt/zimbra/lib/patches/mta# diff amavisd.conf.in /opt/zimbra/conf/amavisd.conf.in
150c150,152
< $sa_mail_body_size_limit = 512*1024; # don't waste time on SA if mail is larger
---
> # $sa_mail_body_size_limit = 512*1024; # don't waste time on SA if mail is larger
> $sa_mail_body_size_limit = 768*1024; # don't waste time on SA if mail is larger
270c272
< %%uncomment VAR:zimbraMtaBlockedExtension%%qr{.\.(?:%%list VAR:zimbraMtaBlockedExtension |%%)\s*$}i,
---
> %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i,
372a375
> (our custom whitelist and blacklist entries)
root@my:~/mta-patch/opt/zimbra/lib/patches/mta#
Mark