Zimbra 8.8.15 Patch-34 - share experience
Hi,
Zimbra 8.8.15 Patch-34 has just been released. Please share your experience after upgrade, thanks!
-
- Advanced member
- Posts: 173
- Joined: Sat Sep 13, 2014 12:54 am
- Location: Netherlands
- ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43
Re: Zimbra 8.8.15 Patch-34 - share experience
The patch notes say to run this extra command:
Code:
apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
But my 'apt upgrade' already lists them as 'to be upgraded'. Not sure why it's suddenly instructed this way, nor why those packages are not just made dependencies of something else.
My own protection measures are in place against the CPIO hack, so I'm waiting with the installations, even though I have a very easy restore method in case of disaster.
-
- Outstanding Member
- Posts: 264
- Joined: Thu May 12, 2016 1:56 pm
- Location: Belgium
- ZCS/ZD Version: 9.0.0
Re: Zimbra 8.8.15 Patch-34 - share experience
P34 introduced a new zmlocalconfig variable "zimbra_strict_unclosed_comment_tag" to work around issues with the OWASP sanitizer on certain malformed(?) e-mails:
"Mails having unclosed comment tags were not displayed when OWASP sanitization was enabled. A new LC config zimbra_strict_unclosed_comment_tag has been introduced from this patch onwards to handle such emails. The default value is true which will not display mails having an unclosed comment tag. If set to false, the emails with unclosed comment tags will be displayed." - ZBUG-2978
Is it recommended to set this to false, or does it imply a security risk? (It's about this effect in P33: viewtopic.php?f=13&t=71022&hilit=display#p306022, which seems to be quite common.)
Re: Zimbra 8.8.15 Patch-34 - share experience
No issues on my test server so far, but my tests are not exhaustive. Installed without issue, all services appear functional. Single server, p33 to p34.
-
- Posts: 16
- Joined: Sat Sep 13, 2014 1:19 am
Re: Zimbra 8.8.15 Patch-34 - share experience
I have an issue: after I apt upgraded to patch 34, ldap stopped working, so I reinstalled the OS and tried to reinstall Zimbra 8.8.15, but slapd and ldap would not start. Now zmcontrol -v is P34. What do I do?
-
- Outstanding Member
- Posts: 264
- Joined: Thu May 12, 2016 1:56 pm
- Location: Belgium
- ZCS/ZD Version: 9.0.0
Re: Zimbra 8.8.15 Patch-34 - share experience
cougarmaster wrote: I have an issue: after I apt upgraded to patch 34, ldap stopped working, so I reinstalled the OS and tried to reinstall Zimbra 8.8.15, but slapd and ldap would not start. Now zmcontrol -v is P34. What do I do?
Can you be more specific than "does not start"? (error messages?)
Since Patch 34, slapd is being started as zimbra user with CAP_NET_BIND capability, instead of as root with sudo. Maybe something went wrong with the permissions; can you run /opt/zimbra/libexec/zmfixperms and try again?
Re: Zimbra 8.8.15 Patch-34 - share experience
This is what it looks like on my test VM
Code:
zimbra@ztest:~$ zmcontrol start
Host mail.xxxx.com
Starting ldap...Done.
Failed.
Failed to start slapd. Attempting debug start to determine error.
63466406 daemon: bind(7) failed errno=13 (Permission denied)
63466406 slap_open_listener: failed on ldap://mail.xxxx.com:389
I'll start looking at capabilities. Ta for the pointer.
Edit : EXT4_FS_SECURITY was not set in the kernel, thus setcap couldn't store the capability.
-
- Posts: 16
- Joined: Sat Sep 13, 2014 1:19 am
Re: Zimbra 8.8.15 Patch-34 - share experience
ghen wrote:
cougarmaster wrote: I have an issue: after I apt upgraded to patch 34, ldap stopped working, so I reinstalled the OS and tried to reinstall Zimbra 8.8.15, but slapd and ldap would not start. Now zmcontrol -v is P34. What do I do?
Can you be more specific than "does not start"? (error messages?)
Since Patch 34, slapd is being started as zimbra user with CAP_NET_BIND capability, instead of as root with sudo. Maybe something went wrong with the permissions; can you run /opt/zimbra/libexec/zmfixperms and try again?

I did many times, but I found that if I systemctl stop slapd it kinda works. Still testing.
Code:
zimbra@mail:~$ zmcontrol start
Host mail.kingslandintl.com.hk
Starting ldap...Done.
Failed.
Failed to start slapd. Attempting debug start to determine error.
634680ea daemon: bind(7) failed errno=13 (Permission denied)
634680ea slap_open_listener: failed on ldap://mail.kingslandintl.com.hk:389
Code:
Set capability for /opt/zimbra/common/libexec/slapd
Failed to set capabilities on file `/opt/zimbra/common/libexec/slapd' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
Re: Zimbra 8.8.15 Patch-34 - share experience
cougarmaster wrote: Here is when I do the zmfixperm
Code:
Set capability for /opt/zimbra/common/libexec/slapd
Failed to set capabilities on file `/opt/zimbra/common/libexec/slapd' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file

Your filesystem doesn't have extended attributes enabled.
-
- Posts: 16
- Joined: Sat Sep 13, 2014 1:19 am
Re: Zimbra 8.8.15 Patch-34 - share experience
BradC wrote:
cougarmaster wrote: Here is when I do the zmfixperm
Code:
Set capability for /opt/zimbra/common/libexec/slapd
Failed to set capabilities on file `/opt/zimbra/common/libexec/slapd' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
Your filesystem doesn't have extended attributes enabled.

I think this is it, thank you for that reminder. OMG ...cry cry cry.. thank you
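The failure chain worked out in this thread, as an added triage script that is not part of any poster's message or of Zimbra's tooling: it maps the two error messages quoted above to a likely cause and checks the file capability and the kernel option. It assumes the capability meant is the Linux `cap_net_bind_service`, that `getcap` is installed, and that the kernel config is at `/boot/config-$(uname -r)`; the function names and result labels are made up for the example.

```shell
#!/bin/sh
# Added example: triage for "slapd bind() errno=13" when slapd is started
# unprivileged and relies on a file capability to bind port 389.
# Default path is the one quoted in the thread; override with SLAPD=...
SLAPD=${SLAPD:-/opt/zimbra/common/libexec/slapd}

# Return 0 if getcap output (old "= cap+ep" or new "cap=ep" format)
# grants cap_net_bind_service with the effective flag set.
has_bind_cap() {
    printf '%s\n' "$1" | grep -Eq 'cap_net_bind_service[^ ]*[+=][a-z]*e'
}

# Return 0 if the given kernel config file enables ext4 security xattrs.
# File capabilities are stored in the security.capability xattr, so
# setcap fails with "Operation not supported" without this.
kernel_has_ext4_security() {
    grep -q '^CONFIG_EXT4_FS_SECURITY=y' "$1" 2>/dev/null
}

# Classify zmcontrol / zmfixperms output into one likely cause.
# The labels printed here are hypothetical names for this example.
diagnose() {
    case $1 in
        *"Failed to set capabilities"*"Operation not supported"*)
            echo "fs-no-security-xattr" ;;
        *"bind("*"errno=13"*)
            echo "missing-bind-capability" ;;
        *)
            echo "unknown" ;;
    esac
}

# Checks against the running host; prints only what it can verify.
live_check() {
    cfg=/boot/config-$(uname -r)
    if command -v getcap >/dev/null 2>&1 && [ -e "$SLAPD" ]; then
        if has_bind_cap "$(getcap "$SLAPD")"; then
            echo "ok: cap_net_bind_service set on $SLAPD"
        else
            echo "missing: cap_net_bind_service on $SLAPD"
        fi
    fi
    if [ -r "$cfg" ] && ! kernel_has_ext4_security "$cfg"; then
        echo "missing: CONFIG_EXT4_FS_SECURITY=y in $cfg"
    fi
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it with `--live` as root on the mail host; a missing capability together with a missing kernel option points at the filesystem, not at zmfixperms.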