ZCS 9 Patch 26 available & Zimbra ZCS OSS Build
The latest patch release is now available from Zimbra; it can be downloaded from the ZCS Repo - make sure you take a backup first and reboot after the patch is installed.
Details of the patch are on the Zimbra wiki here: https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P26
BTW, it looks as though Zimbra is back to building the OSS Version of Zimbra and it's available for Rocky Linux 8, download details are on the wiki Patch page.
I've just installed the patch on my Zextras build of ZCS without any noticeable effect on the server.
Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build
phoenix wrote:
BTW, it looks as though Zimbra is back to building the OSS Version of Zimbra and it's available for Rocky Linux 8, download details are on the wiki Patch page.
I've just installed the patch on my Zextras build of ZCS without any noticeable effect on the server.
What does that mean? Is Zimbra releasing Zimbra 9 as OSS?
- barrydegraaff
- Outstanding Member
- Posts: 251
- Joined: Tue Jun 17, 2014 3:31 am
Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build
You can download Zimbra 8.8.15 FOSS for Rocky Linux 8
or
Zimbra 9 Network Edition for Rocky Linux 8.
AFAIK there is no Zimbra 9 FOSS build on Zimbra.com for any OS.
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build
barrydegraaff wrote:
AFAIK there is no Zimbra 9 FOSS build on Zimbra.com for any OS.
You can blame my poor English for that, without a version number it implies that ZCS 9 OSS was available when I should have added that OSS version 8.8.15 was available - my apologies for the confusion.
Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build
Last time I tried to upgrade ZCS9 from Zextras (no longer than last Sat) I miserably failed, with several mailboxd errors I haven't been able to sort out. Has anyone living on the edge of Zextras9OSS been able to keep up with updates?
Is there any workaround for these vulnerabilities?
Thanks
Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build
The 9.0 OSS repo is far behind NE.
NE:
Code: Select all
# apt list | grep zimbra-patch
zimbra-patch/unknown 9.0.0.1658845137.p26-2.u18 amd64 [upgradable from: 9.0.0.1643374608.p23-2.u18]
OSS:
Code: Select all
# apt list | grep zimbra-patch
zimbra-patch/unknown,now 9.0.0.1618926120.p14-1.u18 amd64 [installed]
Can we at least have some mitigation steps? thanks
- cayaraa
- Outstanding Member
- Posts: 344
- Joined: Sat Sep 13, 2014 12:33 am
- ZCS/ZD Version: ZCS 10 NE & ZCS 10 FOSS
Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build
On Zimbra 8 (not sure about 9 as we haven't gone there yet) I'm thinking of editing the Nginx templates nginx.conf.web.https.default.template and nginx.conf.web.https.template and adding in something like this:
Code: Select all
location ^~ /service/extension/backup/mboximport {
    # Location block to mboximport
    allow 127.0.0.1;
    allow ::1;
    deny all;
}
I'm bringing up my test site to try it out right now.
- cayaraa
- Outstanding Member
- Posts: 344
- Joined: Sat Sep 13, 2014 12:33 am
- ZCS/ZD Version: ZCS 10 NE & ZCS 10 FOSS
Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build
So far this seems like it might be a temporary mitigation before patching.
Before putting the above in nginx a post with curl would give me a 401 auth error after touching the mailbox:
Code: Select all
<title>Error 401 no authtoken cookie</title>
After the code I now get 403 forbidden and the mailbox doesn't get touched:
Code: Select all
<head><title>403 Forbidden</title></head>
Checking with curl:
Code: Select all
$ curl -X POST --data-binary test.txt "https://zimbrasitename.com/service/extension/backup/mboximport?account-name=admin&account-status=active&ow=true&no-switch=true"
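An added example, not part of any post in this thread: a Python sketch that scans proxy access-log lines for requests to the mboximport path and separates those answered with 403 (the response both nginx rules in this thread produce) from those that were still passed to mailboxd, such as the 401 seen before the rule was in place. The log layout, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Path blocked by the nginx location rules posted in this thread.
TARGET = "/service/extension/backup/mboximport"

# Request line and status as found in combined-style access logs
# (assumed layout; adjust the pattern if your log_format differs).
LINE_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation-range addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2022:10:01:02 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=true HTTP/1.1" 401 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Aug/2022:11:15:40 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=true HTTP/1.1" 403 162 "-" "curl/7.68.0"
203.0.113.5 - - [10/Aug/2022:11:17:00 +0000] "GET /mail HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".splitlines()


def mboximport_requests(lines):
    """Return one record per request to the mboximport path, with a verdict."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line this pattern understands
        # Decode and collapse slashes so the comparison is on the plain path.
        path = re.sub(r"/{2,}", "/", unquote(urlsplit(m["uri"]).path))
        if not path.lower().startswith(TARGET):
            continue
        status = int(m["status"])
        # 403 is what the proxy rule returns; any other status means the
        # request was handed to the backend and should be looked at.
        verdict = "blocked_at_proxy" if status == 403 else "reached_backend"
        hits.append({"src": m["src"], "method": m["method"],
                     "status": status, "verdict": verdict})
    return hits


def needs_review(lines):
    """Sources whose mboximport requests got past the proxy."""
    return sorted({h["src"] for h in mboximport_requests(lines)
                   if h["verdict"] == "reached_backend"})


if __name__ == "__main__":
    for hit in mboximport_requests(SAMPLE_LOG):
        print(hit)
    print("review:", needs_review(SAMPLE_LOG))
```

Requests from the addresses the `allow` lines permit will still show up as `reached_backend`, which is the intended reading for that rule.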
Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build
Yes, we did the same on 8.8.15 (we don't want to go to P33 yet because of this regression).
Code: Select all
# block MailboxImportServlet requests for CVE-2022-37042 exploit
location = /service/extension/backup/mboximport {
    return 403;
}
Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build
Thank you for sharing the nginx patch!