ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by phoenix »

The latest patch release is now available from Zimbra, it can be downloaded from the ZCS Repo - make sure you take a backup first and reboot after the patch is installed.

Details of the patch are on the Zimbra wiki here: https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P26

BTW, it looks as though Zimbra is back to building the OSS Version of Zimbra and it's available for Rocky Linux 8, download details are on the wiki Patch page.

I've just installed the patch on my Zextras build of ZCS without any noticeable effect on the server. :)
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
bulletxt
Advanced member
Posts: 81
Joined: Sat Sep 13, 2014 1:08 am

Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by bulletxt »

phoenix wrote:
BTW, it looks as though Zimbra is back to building the OSS Version of Zimbra and it's available for Rocky Linux 8, download details are on the wiki Patch page.

I've just installed the patch on my Zextras build of ZCS without any noticeable effect on the server. :)

What does that mean? Is Zimbra releasing Zimbra 9 as OSS?
barrydegraaff
Zimbra Employee
Posts: 242
Joined: Tue Jun 17, 2014 3:31 am

Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by barrydegraaff »

You can download Zimbra 8.8.15 FOSS for Rocky Linux 8
or
Zimbra 9 Network Edition for Rocky Linux 8.

AFAIK there is no Zimbra 9 FOSS build on Zimbra.com for any OS.
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by phoenix »

barrydegraaff wrote: AFAIK there is no Zimbra 9 FOSS build on Zimbra.com for any OS.
You can blame my poor English for that, without a version number it implies that ZCS 9 OSS was available when I should have added that OSS version 8.8.15 was available - my apologies for the confusion.
Regards

Bill

maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by maxxer »

Last time I tried to upgrade ZCS9 from Zextras (no longer than last Sat) I miserably failed, with several mailboxd errors I haven't been able to sort out. Has anyone living on the edge of Zextras9OSS been able to keep up with updates?

Is there any workaround for these vulnerabilities?

Thanks
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by maxxer »

The 9.0 OSS repo is far behind NE.

NE:

Code:

# apt list  | grep zimbra-patch
zimbra-patch/unknown 9.0.0.1658845137.p26-2.u18 amd64 [upgradable from: 9.0.0.1643374608.p23-2.u18]

OSS:

Code:

# apt list  | grep zimbra-patch
zimbra-patch/unknown,now 9.0.0.1618926120.p14-1.u18 amd64 [installed]

Can we at least have some mitigation steps? thanks
cayaraa
Outstanding Member
Posts: 341
Joined: Sat Sep 13, 2014 12:33 am
ZCS/ZD Version: ZCS 8 NE & ZCS 8 FOSS

Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by cayaraa »

On Zimbra 8 (not sure about 9 as we haven't gone there yet) I'm thinking of editing the Nginx templates nginx.conf.web.https.default.template and nginx.conf.web.https.template and adding in something like this:

Code:

    location ^~ /service/extension/backup/mboximport {
        # Location block to mboximport

        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

I'm bringing up my test site to try it out right now.
cayaraa
Outstanding Member
Posts: 341
Joined: Sat Sep 13, 2014 12:33 am
ZCS/ZD Version: ZCS 8 NE & ZCS 8 FOSS

Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by cayaraa »

So far this seems like it might be a temporary mitigation before patching.

Before putting the above in nginx a POST with curl would give me a 401 auth error after touching the mailbox:

Code:

<title>Error 401 no authtoken cookie</title>

After the code I now get 403 forbidden and the mailbox doesn't get touched:

Code:

<head><title>403 Forbidden</title></head>

Checking with curl:

Code:

$ curl -X POST --data-binary test.txt "https://zimbrasitename.com/service/extension/backup/mboximport?account-name=admin&account-status=active&ow=true&no-switch=true"
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by ghen »

Yes, we did the same on 8.8.15 (we don't want to go to P33 yet because of this regression).

Code:

    # block MailboxImportServlet requests for CVE-2022-37042 exploit
    location = /service/extension/backup/mboximport {
        return 403;
    }

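Once either of the nginx blocks above (cayaraa's allow/deny list or ghen's `return 403`) is in place, the next thing an admin wants is to know whether anyone is still probing the mboximport servlet and whether the block is actually answering them. The script below is an added example, not code from the thread or from Zimbra: it parses nginx combined-format access log lines (assumed to be the format Zimbra's proxy writes to a file such as /opt/zimbra/log/nginx.access.log) and reports every non-loopback request to the mboximport path, marking it "blocked" when the proxy returned 403 and "REACHED-MAILBOXD" otherwise. The log lines are constructed samples.

```python
import re
from ipaddress import ip_address

# Constructed sample lines in nginx combined log format (not taken from the thread).
SAMPLE_LOG = """\
127.0.0.1 - - [12/Aug/2022:10:01:02 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=true HTTP/1.1" 200 12 "-" "curl/7.68.0"
203.0.113.7 - - [12/Aug/2022:10:05:44 +0000] "POST /service/extension/backup/mboximport?account-name=admin&account-status=active&ow=true&no-switch=true HTTP/1.1" 401 310 "-" "python-requests/2.28"
203.0.113.7 - - [12/Aug/2022:10:06:10 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=true HTTP/1.1" 403 162 "-" "python-requests/2.28"
198.51.100.9 - - [12/Aug/2022:10:07:00 +0000] "GET /service/soap/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# The servlet path the nginx mitigations in this thread fence off.
MBOXIMPORT_PATH = "/service/extension/backup/mboximport"

# client ip, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1, the only sources the allow-list permits."""
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False


def find_mboximport_hits(log_text):
    """Return (ip, timestamp, status, verdict) for each non-loopback request to
    the mboximport servlet. 403 means nginx blocked it; anything else means the
    request was passed through to mailboxd and the server is unmitigated."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] != MBOXIMPORT_PATH or is_loopback(rec["ip"]):
            continue
        verdict = "blocked" if rec["status"] == 403 else "REACHED-MAILBOXD"
        hits.append((rec["ip"], rec["ts"], rec["status"], verdict))
    return hits


if __name__ == "__main__":
    for hit in find_mboximport_hits(SAMPLE_LOG):
        print(*hit)
```

A single "REACHED-MAILBOXD" line from a public address after the nginx change is deployed means the block is not in the template nginx is actually serving (for example, the wrong template was edited), so check `zmproxyctl` has reloaded it.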
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by maxxer »

Thank you for sharing the nginx patch!