Maldua's Zimbra FOSS Builds - Share your feedback

adrian.gibanel.btactic
Outstanding Member
Posts: 476
Joined: Thu Jan 30, 2014 11:13 am

Maldua's Zimbra FOSS Builds - Identify origin tag

Post by adrian.gibanel.btactic »

siliconalchemy wrote: Tue Oct 21, 2025 4:48 pm Is your 10.1.10 based on the official Zimbra tag/source?
How to identify the origin tag

Check the download list, where all of the Maldua binaries can be downloaded.
In the row that matches your platform click on the '+info' link.

Read the download_comment part of the release description.

It's self explanatory:
- If it includes Pimbra patches it will tell you so, alongside what the actual custom changes are.
- If it does not include Pimbra patches you must assume that it's using the Zimbra tag directly.

Be reassured that non-Pimbra builds won't include more stuff than what Zimbra themselves actually provide in their Github repos.
- Maldua Zimbra FOSS Downloads (Stable)
- Maldua Zimbra FOSS Releases (Stable) announcements. (Once logged in to Github click on the Subscribe button below Notifications.)
adrian.gibanel.btactic
Outstanding Member
Posts: 476
Joined: Thu Jan 30, 2014 11:13 am

On ZCS NE 10.1.12 nginx.conf.chat.common.template fix

Post by adrian.gibanel.btactic »

siliconalchemy wrote: Tue Oct 21, 2025 4:48 pm We're not missing much/anything from 10.1.11/10.1.12 updates - they're NE only fixes?
I was about to give you a rant about how you dare to ask a question that has just been answered in the previous post.

Let's talk about the ZCS NE 10.1.12 fix instead.

Related Security fix says: Addressed a Server-Side Request Forgery (SSRF) vulnerability in the chat proxy configuration.
It has also been found that zimbra-proxy-patch 10.1.12 updates only one file: /opt/zimbra/conf/nginx/templates/nginx.conf.chat.common.template (and the actual nginx config generated from it).

Does ZCS FOSS contain that file? Yes.

So... as far as I know, chat is not part of what is published in the Github public repos. It's not a feature that we might be using.

But you might have noticed that this affects the proxy part (not the chat service itself).

Should we be concerned about this and try to backport the patch into Pimbra and release a patched 10.1.12?

I actually don't know.

Hopefully someone more knowledgeable than me can jump in and give us some insight.
halfgaar
Outstanding Member
Posts: 250
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 22.04, Maldua/Btactic FOSS

Re: On ZCS NE 10.1.12 nginx.conf.chat.common.template fix

Post by halfgaar »

adrian.gibanel.btactic wrote: Wed Oct 22, 2025 7:53 am I actually don't know.

Hopefully someone more knowledgeable than me can jump in and give us some insight.
You're in the other thread, so you must have seen it, but for completeness, in Zimbra 10.1.12 Released - Please Post Your Patch/Upgrade Results Here, it was determined that a Zimbra installation can be used as a proxy for requests to any arbitrary place.

I do think the patch is a candidate for inclusion.
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.
adrian.gibanel.btactic
Outstanding Member
Posts: 476
Joined: Thu Jan 30, 2014 11:13 am

Re: On ZCS NE 10.1.12 nginx.conf.chat.common.template fix

Post by adrian.gibanel.btactic »

halfgaar wrote: Thu Oct 30, 2025 8:52 am in Zimbra 10.1.12 Released - Please Post Your Patch/Upgrade Results Here, it was determined that a Zimbra installation can be used as a proxy for requests to any arbitrary place.

I do think the patch is a candidate for inclusion.
Thank you very much!

Sometimes you need to understand how stuff is being exploited in order to understand if it affects you.
So... having the chat capabilities (which are only found in NE) is not even a prerequisite for this to be exploited.
akanellis wrote: Thu Oct 30, 2025 12:06 am It's CSRF-like because of these lines:

set $chat_host $cookie_ZM_CHAT_DID-$cookie_ZM_CHAT_HASH;
proxy_pass https://$chat_host;

Since the host was not validated before the patch, theoretically someone could send cookie values that construct a third-party hostname into $chat_host, and Zimbra would proxy requests to it.
Given akanellis's explanation, any unpatched Zimbra proxy node which has Internet access could be used in DDoS attacks against other servers on the Internet.

I will be working on a 10.1.10 patched version as soon as I can.

---

You could also argue about why they put NE-only stuff in the FOSS code, but that's how it has always been. It's much easier for them to just maintain one codebase.

---

Also we should start thinking about having some special builds (label suggestions for such builds are welcome) that remove NE-specific stuff which might in the future end up being a CVE that otherwise wouldn't have affected FOSS versions.
adrian.gibanel.btactic
Outstanding Member
Posts: 476
Joined: Thu Jan 30, 2014 11:13 am

Proxy chat vulnerability - Quick fix for FOSS

Post by adrian.gibanel.btactic »

Regarding the proxy chat vulnerability that appeared in 10.1.12 and that appears to affect FOSS too:

This would be a quick and easy fix that one could apply in FOSS installations where anything related to chat is disabled.

# Templates from which Zimbra generates its nginx config
cd /opt/zimbra/conf/nginx/templates/
# Prefix every line that mentions chat in the web templates with '#', so the chat proxy block is no longer pulled in
sed -i '/chat/ s/^/#/' nginx.conf.web*
# Restart Zimbra; starting the proxy regenerates the nginx config from the edited templates
su - zimbra -c 'zmcontrol restart'
---

Warning: Not tested.
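A check that follows from the lines akanellis quoted and from the quick fix above, added here as an example and not code from Zimbra, from the Maldua builds or from either poster: a small Python taint scan over nginx config text that flags any `proxy_pass` whose target is built, directly or through intermediate `set` directives, from request-controlled variables (`$cookie_*`, `$arg_*`, `$http_*` and a few exact names such as `$host`). The two inline configs are constructed samples that imitate the quoted pattern, not Zimbra's real template text. The paths in the usage note are where a stock install keeps the templates and, to my understanding, the generated config; confirm them on your own box. The scan ignores nginx block scope and does not recognise validation done with `map` or `if`, so a hit means "review this line", not "definitely exploitable".

```python
"""Flag nginx proxy_pass targets that are built from request-controlled variables.

Added example, not code from Zimbra or from the Maldua builds. It models the
pattern quoted in the thread: a `set` that concatenates $cookie_* values into
a variable which then feeds `proxy_pass`. Block scope and `map`/`if` based
validation are not modelled, so every hit needs a human look.
"""
import re
import sys
from collections import namedtuple
from pathlib import Path

# Variables nginx fills straight from the client request. Assumption: this is
# the set we treat as attacker-controlled; extend it for your own configs.
TAINT_PREFIXES = ("$cookie_", "$arg_", "$http_")
TAINT_EXACT = {"$args", "$query_string", "$request_uri", "$uri", "$host"}

SET_RE = re.compile(r"^\s*set\s+(\$\w+)\s+(.+?)\s*;\s*$")
PROXY_PASS_RE = re.compile(r"^\s*proxy_pass\s+(\S+?)\s*;\s*$")
VAR_RE = re.compile(r"\$\w+")

Finding = namedtuple("Finding", "line target sources")


def request_controlled(var):
    """True for a variable whose value the client chooses."""
    return var in TAINT_EXACT or var.startswith(TAINT_PREFIXES)


def taint_sources(expr, tainted):
    """Return the request-controlled variables that flow into `expr`."""
    sources = set()
    for var in VAR_RE.findall(expr):
        if request_controlled(var):
            sources.add(var)
        else:
            sources.update(tainted.get(var, ()))
    return sources


def find_unvalidated_proxy_pass(config_text):
    """Scan one nginx config text; return Findings for tainted proxy_pass targets."""
    tainted = {}   # variable name -> set of request-controlled sources behind it
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = SET_RE.match(line)
        if m:
            var, expr = m.groups()
            sources = taint_sources(expr, tainted)
            if sources:
                tainted[var] = sources        # e.g. $chat_host <- $cookie_ZM_CHAT_*
            else:
                tainted.pop(var, None)        # re-assigned to a clean value
            continue
        m = PROXY_PASS_RE.match(line)
        if m:
            target = m.group(1)
            sources = taint_sources(target, tainted)
            if sources:
                findings.append(Finding(lineno, target, tuple(sorted(sources))))
    return findings


def scan_paths(paths):
    """Scan files; return {path: findings} for the ones with at least one hit."""
    report = {}
    for p in paths:
        findings = find_unvalidated_proxy_pass(Path(p).read_text(errors="replace"))
        if findings:
            report[str(p)] = findings
    return report


# Constructed samples that imitate the lines quoted in the thread; they are
# not Zimbra's real template text.
SAMPLE_VULNERABLE = """\
location /chat/ {
    set $chat_host $cookie_ZM_CHAT_DID-$cookie_ZM_CHAT_HASH;
    proxy_pass https://$chat_host;
}
"""

SAMPLE_SAFE = """\
location / {
    set $upstream zimbra_upstream;  # fixed upstream name, nothing from the request
    proxy_pass https://$upstream;
}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in scan_paths(sys.argv[1:]).items():
            for f in findings:
                print(f"{path}:{f.line}: proxy_pass {f.target} built from {', '.join(f.sources)}")
    else:
        print("vulnerable sample:", find_unvalidated_proxy_pass(SAMPLE_VULNERABLE))
        print("safe sample:      ", find_unvalidated_proxy_pass(SAMPLE_SAFE))
```

On a Zimbra proxy node, run it as the zimbra user over both the templates and the rendered config, for instance `python3 find_tainted_proxy_pass.py /opt/zimbra/conf/nginx/templates/*.template /opt/zimbra/conf/nginx/includes/*.conf`, once before and once after applying the quick fix or the patched build: the cookie-derived `proxy_pass` should appear in the first run and be gone from the second.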
adrian.gibanel.btactic
Outstanding Member
Posts: 476
Joined: Thu Jan 30, 2014 11:13 am

Maldua's Zimbra 10.1.10.p2 FOSS Builds - Share your feedback

Post by adrian.gibanel.btactic »

Hello,

Maldua's Zimbra 10.1.10.p2 FOSS Builds have just been released.

Please share your experience when upgrading or installing from scratch.

Versions (and their platforms):
  • 10.1.10.p2
    • RHEL7 (Red Hat Enterprise Linux 7, Oracle Linux 7, CentOS 7)
    • RHEL8 (Red Hat Enterprise Linux 8, Oracle Linux 8, CentOS 8, Rocky Linux 8)
    • RHEL9 (Red Hat Enterprise Linux 9, Oracle Linux 9, Rocky Linux 9)
    • Ubuntu 18.04
    • Ubuntu 20.04
    • Ubuntu 22.04
  • 10.0.16.p2
    • RHEL7 (Red Hat Enterprise Linux 7, Oracle Linux 7, CentOS 7)
    • RHEL8 (Red Hat Enterprise Linux 8, Oracle Linux 8, CentOS 8, Rocky Linux 8)
    • Ubuntu 18.04
    • Ubuntu 20.04
Thank you very much!

Notes:
  • This 10.1.10.p2 version should be equivalent to ZCS NE 10.1.10 (Regarding security fixes).
  • The 10.1.10.p2 version backports the fix for a Chat Proxy vulnerability that was fixed in ZCS NE 10.1.12. This vulnerability enables your Zimbra proxy node to be used in DDoS attacks, so make sure to upgrade.
  • Both 10.1.10.p2 and 10.0.16.p2 versions include a custom fix on zm-web-client to avoid having submission errors when a logged-in user refreshes the page.
  • This is not an official Zimbra/Synacor build.
---

TIP: If you want a quick fix for the Chat Proxy vulnerability without having to reinstall, please check the Proxy chat vulnerability - Quick fix for FOSS post above.

---

- Latest Maldua Zimbra FOSS Downloads: Stable, Recent and Experimental.
- Subscribe to Maldua Zimbra FOSS Releases announcements: Stable, Recent and Experimental. (Once logged in to Github click on the Subscribe button below Notifications.)
halfgaar
Outstanding Member
Posts: 250
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 22.04, Maldua/Btactic FOSS

Re: Maldua's Zimbra FOSS Builds - Share your feedback

Post by halfgaar »

Excellent, thanks. I will likely try the full build soon.
leelists
Posts: 2
Joined: Sat Sep 13, 2014 12:27 am

Re: Maldua's Zimbra FOSS Builds - Share your feedback

Post by leelists »

Build of version 10.1.13 fails with missing library antisamy-1.7.8z; it seems this version was not pushed to

https://github.com/Zimbra/antisamy

any clues ?

Thanks,
adrian.gibanel.btactic
Outstanding Member
Posts: 476
Joined: Thu Jan 30, 2014 11:13 am

Re: Maldua's Zimbra FOSS Builds - Share your feedback

Post by adrian.gibanel.btactic »

leelists wrote: Fri Nov 07, 2025 3:15 pm Build of version 10.1.13 fails with missing library antisamy-1.7.8z; it seems this version was not pushed to

https://github.com/Zimbra/antisamy

any clues ?

Thanks,
Thank you for your feedback!

I wasn't aware that I had forgotten to add a BIG WARNING to the zimbra-foss-builder project about not attempting to build embargoed builds (Explanation (1) and Explanation (2)).
sdieckmann
Posts: 2
Joined: Tue Feb 11, 2025 6:15 pm

Re: Maldua's Zimbra 10.1.10.p2 FOSS Builds - Share your feedback

Post by sdieckmann »

adrian.gibanel.btactic wrote: Thu Oct 30, 2025 4:08 pm Maldua's Zimbra 10.1.10.p2 FOSS Builds have just been released.
Hi,

Big trouble with this build... the jetty server has trouble starting with my config file /opt/zimbra/jetty_base/etc/jetty.xml. How do I fix this?

Starting zmconfigd...Done.
Starting logger...Done.
Starting mailbox...Failed.
Starting memcached...Done.
Starting proxy...Done.
Starting amavis...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting opendkim...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
Starting service webapp...Failed.
Starting zimbra webapp...Failed.
Starting zimbraAdmin webapp...Failed.
Starting zimlet webapp...Failed.

from Logfile: /opt/zimbra/log/zmmailboxd.out

OpenJDK 64-Bit Server VM warning: .hotspot_compiler file is present but has been ignored. Run with -XX:CompileCommandFile=.hotspot_compiler to load the file.
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:569)
at org.eclipse.jetty.start.Main.invokeMain(Main.java:218)
at org.eclipse.jetty.start.Main.start(Main.java:491)
at org.eclipse.jetty.start.Main.main(Main.java:77)
Caused by: java.security.PrivilegedActionException: org.xml.sax.SAXParseException; Unable to parse: file:///opt/zimbra/jetty_base/etc/jetty.xml
at java.base/java.security.AccessController.doPrivileged(AccessController.java:573)
at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1881)
... 7 more
Caused by: org.xml.sax.SAXParseException; Unable to parse: file:///opt/zimbra/jetty_base/etc/jetty.xml
at org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:234)
at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$3(XmlConfiguration.java:1905)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
... 8 more
Caused by: org.xml.sax.SAXParseException; lineNumber: 26; columnNumber: 24; Attribute value "pool" of type ID must be unique within the document.
at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.dtd.XMLDTDValidator.validateDTDattribute(Unknown Source)
at org.apache.xerces.impl.dtd.XMLDTDValidator.addDTDDefaultAttrsAndValidate(Unknown Source)
at org.apache.xerces.impl.dtd.XMLDTDValidator.handleStartElement(Unknown Source)
at org.apache.xerces.impl.dtd.XMLDTDValidator.emptyElement(Unknown Source)
at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl.parse(Unknown Source)
at org.eclipse.jetty.xml.XmlParser.parse(XmlParser.java:254)
at org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:229)
... 10 more
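The last "Caused by" in that trace is the actual complaint: Jetty's XML parser validates the file against its DTD, where the id attribute has type ID and must therefore be unique, and the value "pool" is declared twice. The script below, an added example and not Zimbra or Jetty code, locates every duplicated id value in a file such as /opt/zimbra/jetty_base/etc/jetty.xml and prints both line numbers, so the offending declarations can be compared without guessing. It uses the standard library expat parser; the sample document is constructed to reproduce the error, with the Jetty DOCTYPE left in to show that the external DTD is not fetched.

```python
"""Locate duplicate XML id attributes such as the "pool" one in the jetty.xml error above.

Added example, not Zimbra or Jetty code. The SAXParseException in the post says an
attribute of DTD type ID must be unique; this walks the document with expat and
reports every id value declared more than once, with both line numbers.
"""
import sys
from pathlib import Path
from xml.parsers import expat


def find_duplicate_ids(data, attr="id"):
    """Return [(value, first_line, duplicate_line), ...] for repeated `attr` values."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    seen = {}      # id value -> line where it was first declared
    dups = []
    parser = expat.ParserCreate()

    def start_element(name, attrs):
        value = attrs.get(attr)
        if value is None:
            return
        line = parser.CurrentLineNumber      # 1-based line of this start tag
        if value in seen:
            dups.append((value, seen[value], line))
        else:
            seen[value] = line

    parser.StartElementHandler = start_element
    parser.Parse(data, True)   # the external DTD is not fetched; only structure is read
    return dups


# Constructed sample shaped like a Jetty configure file, with id="pool" declared twice.
SAMPLE_JETTY_XML = """\
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="pool" class="org.eclipse.jetty.util.thread.QueuedThreadPool"/>
  <New id="pool" class="org.eclipse.jetty.util.thread.QueuedThreadPool"/>
</Configure>
"""

if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_JETTY_XML
    for value, first, again in find_duplicate_ids(data):
        print(f'id="{value}" first declared on line {first}, declared again on line {again}')
```

Run it as `python3 find_duplicate_ids.py /opt/zimbra/jetty_base/etc/jetty.xml`; with the error quoted above the second line reported should be 26, and the two declarations can then be diffed against a pristine copy of the file from the package before deciding which one to keep.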