Zimbra 8.8.15 Patch-34 - share experience

bulletxt
Advanced member
Posts: 81
Joined: Sat Sep 13, 2014 1:08 am

Zimbra 8.8.15 Patch-34 - share experience

Post by bulletxt »

Hi,
Zimbra 8.8.15 Patch-34 has just been released. Please share your experience after upgrade, thanks!
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Zimbra 8.8.15 Patch-34 - share experience

Post by halfgaar »

The patch notes say to run this extra command:

Code:

apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
But my 'apt upgrade' already lists them as 'to be upgraded'. Not sure why it's suddenly instructed this way, nor why those packages are not just made dependencies of something else.

My own protection measures are in place against the CPIO hack, so I'm waiting with the installations, even though I have a very easy restore method in case of disaster.
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Zimbra 8.8.15 Patch-34 - share experience

Post by ghen »

P34 introduced a new zmlocalconfig variable "zimbra_strict_unclosed_comment_tag" to work around issues with the OWASP sanitizer on certain malformed(?) e-mails:
Mails having unclosed comment tags were not displayed when OWASP sanitization was enabled. A new LC config zimbra_strict_unclosed_comment_tag has been introduced from this patch onwards to handle such emails. The default value is true which will not display mails having an unclosed comment tag. If set to false, the emails with unclosed comment tags will be displayed. - ZBUG-2978
Is it recommended to set this to false, or does it imply a security risk? (it's about this effect in P33: viewtopic.php?f=13&t=71022&hilit=display#p306022, which seems to be quite common)
khawkins
Posts: 12
Joined: Sat Dec 11, 2021 12:25 am
ZCS/ZD Version: 8.8.15

Re: Zimbra 8.8.15 Patch-34 - share experience

Post by khawkins »

No issues on my test server so far, but my tests are not exhaustive. Installed without issue, all services appear functional. Single server, p33 to p34.
cougarmaster
Posts: 16
Joined: Sat Sep 13, 2014 1:19 am

Re: Zimbra 8.8.15 Patch-34 - share experience

Post by cougarmaster »

I have an issue: after I apt upgraded to patch 34, ldap stopped working, so I reinstalled the OS and tried to reinstall Zimbra 8.8.15, but slapd and ldap would not start. Now zmcontrol -v is P34; what do I do?
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Zimbra 8.8.15 Patch-34 - share experience

Post by ghen »

cougarmaster wrote: I have an issue: after I apt upgraded to patch 34, ldap stopped working, so I reinstalled the OS and tried to reinstall Zimbra 8.8.15, but slapd and ldap would not start. Now zmcontrol -v is P34; what do I do?
Can you be more specific than "does not start"? (error messages?)

Since Patch 34, slapd is being started as zimbra user with CAP_NET_BIND capability, instead of as root with sudo. Maybe something went wrong with the permissions; can you run /opt/zimbra/libexec/zmfixperms and try again?
BradC
Outstanding Member
Posts: 265
Joined: Tue May 03, 2016 1:39 am

Re: Zimbra 8.8.15 Patch-34 - share experience

Post by BradC »

This is what it looks like on my test VM

Code:

zimbra@ztest:~$ zmcontrol start
Host mail.xxxx.com
	Starting ldap...Done.
Failed.
Failed to start slapd.  Attempting debug start to determine error.
63466406 daemon: bind(7) failed errno=13 (Permission denied)
63466406 slap_open_listener: failed on ldap://mail.xxxx.com:389
I'll start looking at capabilities. Ta for the pointer.

Edit : EXT4_FS_SECURITY was not set in the kernel, thus setcap couldn't store the capability.
cougarmaster
Posts: 16
Joined: Sat Sep 13, 2014 1:19 am

Re: Zimbra 8.8.15 Patch-34 - share experience

Post by cougarmaster »

ghen wrote:
cougarmaster wrote: I have an issue: after I apt upgraded to patch 34, ldap stopped working, so I reinstalled the OS and tried to reinstall Zimbra 8.8.15, but slapd and ldap would not start. Now zmcontrol -v is P34; what do I do?
Can you be more specific than "does not start"? (error messages?)

Since Patch 34, slapd is being started as zimbra user with CAP_NET_BIND capability, instead of as root with sudo. Maybe something went wrong with the permissions; can you run /opt/zimbra/libexec/zmfixperms and try again?
I did, many times, but I found that if I systemctl stop slapd it kinda works; still testing.

Code:

zimbra@mail:~$ zmcontrol start
Host mail.kingslandintl.com.hk
        Starting ldap...Done.
Failed.
Failed to start slapd.  Attempting debug start to determine error.
634680ea daemon: bind(7) failed errno=13 (Permission denied)
634680ea slap_open_listener: failed on ldap://mail.kingslandintl.com.hk:389
Here is when I do the zmfixperm

Code:

Set capability for /opt/zimbra/common/libexec/slapd
Failed to set capabilities on file `/opt/zimbra/common/libexec/slapd' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
BradC
Outstanding Member
Posts: 265
Joined: Tue May 03, 2016 1:39 am

Re: Zimbra 8.8.15 Patch-34 - share experience

Post by BradC »

cougarmaster wrote: Here is when I do the zmfixperm

Code:

Set capability for /opt/zimbra/common/libexec/slapd
Failed to set capabilities on file `/opt/zimbra/common/libexec/slapd' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
Your filesystem doesn't have extended attributes enabled.
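
The checks discussed in the posts above, collected as an added example (not part of any poster's message and not Zimbra's own tooling): it reports whether the slapd binary carries the bind capability, whether the kernel config enables ext4 security xattrs, and, going beyond the thread, whether the mount is nosuid, which makes the kernel ignore file capabilities. It assumes the capability meant is cap_net_bind_service, that getcap is installed, and a Debian/Ubuntu-style /boot/config-<release> file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Zimbra tooling. Path is the one zmfixperms printed above.
SLAPD=${SLAPD:-/opt/zimbra/common/libexec/slapd}

# mount_opts_for PATH [MOUNTS]: options of the mount holding PATH (longest
# mount-point prefix wins). MOUNTS is a file in /proc/mounts format.
mount_opts_for() {
    awk -v p="$1" '
        { mp = $2; pre = (mp == "/") ? "/" : (mp "/") }
        (p == mp || index(p, pre) == 1) && length(mp) >= best {
            best = length(mp); opts = $4
        }
        END { print opts }' "${2:-/proc/mounts}"
}

# ext4_security_enabled [KCONFIG]: true if the kernel was built with security.*
# xattr support for ext4, which is where file capabilities are stored.
ext4_security_enabled() {
    grep -q '^CONFIG_EXT4_FS_SECURITY=y' "${1:-/boot/config-$(uname -r)}" 2>/dev/null
}

# classify_caps GETCAP_OUTPUT MOUNT_OPTS: print a verdict, return 0 only if ok.
classify_caps() {
    case ",$2," in
        *,nosuid,*) echo "nosuid-mount"; return 1 ;;  # file caps are ignored
    esac
    case "$1" in
        *cap_net_bind_service*) echo "ok" ;;
        *) echo "capability-missing"; return 1 ;;     # bind() to 389 gets EACCES
    esac
}

diagnose() {
    ext4_security_enabled ||
        echo "kernel config: CONFIG_EXT4_FS_SECURITY not enabled (or config unreadable)"
    classify_caps "$(getcap "$SLAPD" 2>/dev/null)" "$(mount_opts_for "$SLAPD")"
}

# Run the live checks only when asked, e.g.: sh check_slapd_caps.sh --run
if [ "${1:-}" = "--run" ]; then diagnose; fi
```
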
cougarmaster
Posts: 16
Joined: Sat Sep 13, 2014 1:19 am

Re: Zimbra 8.8.15 Patch-34 - share experience

Post by cougarmaster »

BradC wrote:
cougarmaster wrote: Here is when I do the zmfixperm

Code:

Set capability for /opt/zimbra/common/libexec/slapd
Failed to set capabilities on file `/opt/zimbra/common/libexec/slapd' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
Your filesystem doesn't have extended attributes enabled.

I think this is it. Thank you for that reminder, OMG... cry cry cry... thank you.