8.8.15 Patch 40 GA Release

bulletxt
Advanced member
Posts: 83
Joined: Sat Sep 13, 2014 1:08 am

8.8.15 Patch 40 GA Release

Post by bulletxt »

Hi, as the subject says, Zimbra has just released 8.8.15 Patch 40.

Please share your experience.
ghen
Outstanding Member
Posts: 263
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: 8.8.15 Patch 40 GA Release

Post by ghen »

I think those guidelines regarding ClientUploader installation are a bit unclear. As I understand it, it's recommended NOT to install it, it has been removed from the core product because it's not secure (CVE-2023-34193). Only if you still use the ClientUploader extension, you can now install it separately, at your own risk, by following those instructions. But I think many people will just blindly install it as it appears to be part of the P40 installation instructions.
uttam.takalkar
Zimbra Employee
Posts: 55
Joined: Wed Jul 27, 2022 6:16 am

Re: 8.8.15 Patch 40 GA Release

Post by uttam.takalkar »

ghen wrote: Wed May 31, 2023 8:17 am I think those guidelines regarding ClientUploader installation are a bit unclear. As I understand it, it's recommended NOT to install it, it has been removed from the core product because it's not secure (CVE-2023-34193). Only if you still use the ClientUploader extension, you can now install it separately, at your own risk, by following those instructions. But I think many people will just blindly install it as it appears to be part of the P40 installation instructions.
There was no concrete evidence that an attacker can use the ClientUploader feature; as you know, ClientUploader can be used only by an authenticated admin user. But it has still been considered as part of hardening the Zimbra application. And as mentioned in the release notes, there are many other options to distribute packages to end users these days, so having ClientUploader in Zimbra has become completely optional.
gabrieles
Outstanding Member
Posts: 236
Joined: Tue Feb 14, 2017 9:40 am

Re: 8.8.15 Patch 40 GA Release

Post by gabrieles »

It seems that the old policy "first update the repos, THEN send the email" is still active. If I remember well, it was that way that P32 broke half of the world's Zimbra installations...
I thought that someone was at least crucified for that, but probably not.
So we patched at day zero, luckily only a couple of old stateless machines with LDAP, MTA and Proxy services. 8.8.15 Network on Ubuntu 18 and 16. No issues reported.
We'll test the fatter patch this week on some mailstore.
rainer_d
Advanced member
Posts: 86
Joined: Fri Sep 12, 2014 11:40 pm

Re: 8.8.15 Patch 40 GA Release

Post by rainer_d »

I did update our CentOS 7 P39 multi-server install and at least it came up again and the control panel shows all services up. I also could log in to my email account.

More extensive tests will be done today.
porokh
Posts: 17
Joined: Tue May 14, 2019 10:02 am
Location: Ukraine
ZCS/ZD Version: 8.8.15 RHEL7 FOSS

Re: 8.8.15 Patch 40 GA Release

Post by porokh »

Just updated a test single-server instance of 8.8.15 P39 / CentOS 7 to P40. Everything looks OK, web client was updated to 8.8.15_GA_4545 (build 20230516032547), webadmin client was updated to 8.8.15_GA_4545.FOSS (build 20230516032547). Extension com_zimbra_clientupload disappeared from the Configure / Admin Extensions menu. Both incoming and outgoing mails were checked and work well. Will wait until the weekend before updating production servers.
zenekbg
Posts: 7
Joined: Thu Oct 27, 2016 10:11 am

Re: 8.8.15 Patch 40 GA Release

Post by zenekbg »

So far, no problem.
rwalcott
Posts: 2
Joined: Thu Jun 01, 2023 1:48 pm

Re: 8.8.15 Patch 40 GA Release

Post by rwalcott »

Updated a single-server instance of 8.8.15 P38 / CentOS 7 to P40. After the upgrade all services are shown to be running and the base web UI loads up. But when a user tries to log in, a message saying "A network service error has occurred" appears; also the admin page shows up blank when we try to access it through the admin URL. Inspecting the page shows 503 (Service Unavailable) errors.

Here is what we see in the logs:

2023-05-31 22:47:55,838 ERROR [qtp439928219-42:https://mail.example.com/] [] webclient - Unable to get domain config
com.zimbra.common.service.ServiceException: error while proxying request to target server: Service Unavailable

2023-05-31 18:53:27,660 WARN  [qtp439928219-23:https://mail.example.com/] [] webclient - system failure: error while proxying request to target server: Service Unavailable
com.zimbra.common.service.ServiceException: system failure: error while proxying request to target server: Service Unavailable

Has anyone else experienced this problem?
JDunphy
Outstanding Member
Posts: 899
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: 8.8.15 Patch 40 GA Release

Post by JDunphy »

Single Server. Uneventful here and fairly fast. We don't utilize the client uploader.

% zmcontrol -v
Release 8.8.15_GA_3953.RHEL8_64_20200629025823 RHEL8_64 NETWORK edition, Patch 8.8.15_P40.

This is the same test box I am currently doing some modsecurity 3 investigation. Only had to re-apply patches to amavisd.conf, amavisd, and a skin. Everything else untouched including my nginx templates and other updates, etc. Still need to run it through more tests and then hopefully patch this weekend on production servers. It reads email, sends email, and admin console looks good including Backup NG, and HSM (local disk).

Jim
khawkins
Posts: 12
Joined: Sat Dec 11, 2021 12:25 am
ZCS/ZD Version: 8.8.15

Re: 8.8.15 Patch 40 GA Release

Post by khawkins »

rwalcott wrote: Thu Jun 01, 2023 2:07 pm Updated a single-server instance of 8.8.15 P38 / CentOS 7 to P40. After the upgrade all services are shown to be running and the base web UI loads up. But when a user tries to log in, a message saying "A network service error has occurred" appears; also the admin page shows up blank when we try to access it through the admin URL. Inspecting the page shows 503 (Service Unavailable) errors.

Here is what we see in the logs:

2023-05-31 22:47:55,838 ERROR [qtp439928219-42:https://mail.example.com/] [] webclient - Unable to get domain config
com.zimbra.common.service.ServiceException: error while proxying request to target server: Service Unavailable

2023-05-31 18:53:27,660 WARN  [qtp439928219-23:https://mail.example.com/] [] webclient - system failure: error while proxying request to target server: Service Unavailable
com.zimbra.common.service.ServiceException: system failure: error while proxying request to target server: Service Unavailable

Has anyone else experienced this problem?

I did single-server P38 to P40 on my RHEL7 test server and did not encounter this issue. It's not a perfect replica of prod though, so your issue makes me a bit nervous.