Zimbra Security Update

halfgaar
Advanced member
Posts: 151
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Zimbra Security Update

Post by halfgaar »

To come back to this:
gabrieles wrote: Thu Aug 31, 2023 7:49 am Ok, if talking about it is somewhat permitted I would like to share this detail:

When we received the "delete these 3 files" workaround, we first checked if these files existed.
We found them existing on every production environment, but NOT on the test environments: on the test envs only the first existed (it's on the base package).
We tried to call the first of the files, the only one reachable under public, and we found that the request generates the other two files, the ones under jetty/work.
This explicit request leaves a trace on the nginx.access.log, easily greppable with
halfgaar wrote: Wed Aug 30, 2023 9:30 pm

Code:

grep --fixed-strings --ignore-case hostedlogin /opt/zimbra/log/access_log*

So we supposed that the existence of the second and third files is subordinate to a request of the first one.
But on the production environments, all the three files have been found, and no evidence on the logs of that request.
We store over a year of logs, and checked all of them.

Are we looking in the wrong place? Can someone point us in the right direction?
And:
ghen wrote: Thu Aug 31, 2023 8:36 am That's strange, because all 3 files belong to the zimbra-mbox-webclient-war package... So you should have all 3 of them?
(rpm -ql zimbra-mbox-webclient-war | grep hostedlogin)

If you suspect two were generated at runtime, what is the age (mtime) of those files, according to ls -l ?
I just helped someone over DM and found that two of the three files had been regenerated for me too, in 'public_'. Timestamped 'aug 30 19:04', the same time I accessed the URLs (of non-existing files) with curl.
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.
gabrieles
Outstanding Member
Posts: 228
Joined: Tue Feb 14, 2017 9:40 am

Re: Zimbra Security Update

Post by gabrieles »

halfgaar wrote: Tue Sep 05, 2023 1:03 pm I just helped someone over DM and found that two of the three files had been regenerated for me too, in 'public_'. Timestamped 'aug 30 19:04', the same time I accessed the URLs (of non-existing files) with curl.
I've checked after and before having tried to access the non existing url. I haven't found any regenerated file.
Does the installation that you are checking have the mailbox service installed on more than one server?
halfgaar
Advanced member
Posts: 151
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Zimbra Security Update

Post by halfgaar »

No, it's one. And I thought I checked for generated files at the time. I'm confused.
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.
joho
Advanced member
Posts: 72
Joined: Tue Apr 26, 2016 9:24 am
ZCS/ZD Version: Release 8.8.15.GA.4177.UBUNTU20.64

Re: Zimbra Security Update

Post by joho »

One system here is a single node NETWORK 8.8.15 on P40. So I'm told I need to follow these instructions, rather than just zimbra-patch:

https://wiki.zimbra.com/wiki/Zimbra_Rel ... stallation

So, previously, we needed to go through a really tedious process to do single package installations, re-start services, continue with other installations, re-start services, and so on.

This time, when I started with "apt-get install zimbra-ldap-patch", it wants to pull in 32 of the Zimbra package updates. So I aborted. Looking at our previous patch installation process, this is how we started previously too. But I cannot recall apt-get wanting to install 32 packages when I selected to install zimbra-ldap-patch.

If I instead issue "apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs", I get a slightly more sensible suggestion:

Code:

zimbra-common-core-libs is already the newest version (8.8.15.1684166581-1.u20).
zimbra-mbox-store-libs is already the newest version (8.8.15.1663926687-1.u20).
The following packages will be upgraded:
  zimbra-common-core-jar
1 upgraded, 0 newly installed, 0 to remove and 59 not upgraded.

But it's unclear (to me) if this is actually the right way for a (single node) NETWORK environment...
Labsy
Outstanding Member
Posts: 410
Joined: Sat Sep 13, 2014 12:52 am

Re: Zimbra Security Update

Post by Labsy »

glenndm wrote: Wed Aug 23, 2023 1:42 pm Checked the files mentioned at the support portal, they are gone.
So the patch has gone through, even if the version does not say so.

sidenote: the patch seems to have broken my clamav , every message carries now an UNCHECKED tag
off to correct that now.
thank you all for the assistance
Same with my server - files gone, but broken ClamAV, messages marked as ***UNCHECKED***.
Did you resolve? I am still digging, it's almost 3AM and becoming dizzy...
glenndm
Advanced member
Posts: 125
Joined: Fri Sep 12, 2014 10:35 pm
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64

Re: Zimbra Security Update

Post by glenndm »

Labsy wrote: Tue Sep 12, 2023 12:29 am
glenndm wrote: Wed Aug 23, 2023 1:42 pm Checked the files mentioned at the support portal, they are gone.
So the patch has gone through, even if the version does not say so.

sidenote: the patch seems to have broken my clamav , every message carries now an UNCHECKED tag
off to correct that now.
thank you all for the assistance
Same with my server - files gone, but broken ClamAV, messages marked as ***UNCHECKED***.
Did you resolve? I am still digging, it's almost 3AM and becoming dizzy...
Hi Labsy,
Sorry I haven't seen your message earlier, I hope this is already resolved
if not:
on my system two library files were removed during the patch, breaking clamav.

Code:

/opt/zimbra/common/lib/libcrypto.so.1.1
/opt/zimbra/common/lib/libssl.so.1.1

Errors were entered in logfile /opt/zimbra/log/clamd.log
also this link helped viewtopic.php?t=60687&start=20

After restoring the 2 files and restarting zimbra, the unchecked labels disappeared.

From what I gather, my system or rather the clamav bit is not up to the latest version (How I don't know).
This caused the problems during the patch
I still have to resolve this version issue, I will do this next patch :)

regards
ghen
Outstanding Member
Posts: 227
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: upgrading from 8.8.15 to 9.0

Re: Zimbra Security Update

Post by ghen »

What are your versions of:

zimbra-clamav (1.0.1 should depend on openssl 3.0.9)
zimbra-mta-components (1.0.22 should pull in zimbra-clamav 1.0.1)
zimbra-mta-patch (8.8.15-p41 should pull in zimbra-mta-components 1.0.22)
glenndm
Advanced member
Advanced member
Joined: Fri Sep 12, 2014 10:35 pm
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64

Re: Zimbra Security Update

Post by glenndm »

ghen wrote: Tue Sep 26, 2023 4:31 pm What are your versions of:

zimbra-clamav (1.0.1 should depend on openssl 3.0.9)
zimbra-mta-components (1.0.22 should pull in zimbra-clamav 1.0.1)
zimbra-mta-patch (8.8.15-p41 should pull in zimbra-mta-components 1.0.22)
apt list:

Code:

zimbra-clamav/unknown 1.0.1-1zimbra8.8b4.16.04 amd64 [upgradable from: 0.103.3-1zimbra8.8b3.16.04]
zimbra-mta-components/unknown 1.0.22-1zimbra8.8b1.16.04 all [upgradable from: 1.0.15-1zimbra8.8b1.16.04]
zimbra-mta-patch/unknown 8.8.15.1688898888.p41-1.u16 amd64 [upgradable from: 8.8.15.1658841204.p33-1.u16]

zmcontrol -v

Code:

Release 8.8.15.GA.3829.UBUNTU16.64 UBUNTU16_64 NETWORK edition, Patch 8.8.15_P41.

I'm not sure how to read the apt-list output, but it seems to indicate zimbra is still at patch 33, while zmcontrol puts it at p41?
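
How to read the `apt list` lines quoted above, as an added example that is not part of the original posts: the version before the brackets is the repository candidate, and `upgradable from:` is the version actually installed. The sample input is constructed from the lines in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report zimbra-* packages whose installed
# version lags the repository candidate, based on `apt list` output.
# Line format: pkg/suite CANDIDATE arch [upgradable from: INSTALLED]

# Constructed sample, modelled on the `apt list` lines quoted in the thread.
SAMPLE_APT_LIST='Listing...
zimbra-clamav/unknown 1.0.1-1zimbra8.8b4.16.04 amd64 [upgradable from: 0.103.3-1zimbra8.8b3.16.04]
zimbra-mta-components/unknown 1.0.22-1zimbra8.8b1.16.04 all [upgradable from: 1.0.15-1zimbra8.8b1.16.04]
zimbra-mta-patch/unknown 8.8.15.1688898888.p41-1.u16 amd64 [upgradable from: 8.8.15.1658841204.p33-1.u16]
zimbra-patch/unknown,now 8.8.15.1694190547.p43-2.u16 amd64 [installed]'

# Read `apt list` output on stdin; print "pkg installed candidate" per pending package.
pending_zimbra_upgrades() {
    awk '/^zimbra-/ && /\[upgradable from: / {
        split($1, name, "/")        # "pkg/suite" -> pkg
        installed = $NF             # last field, e.g. "0.103.3-...]"
        sub(/\]$/, "", installed)
        print name[1], installed, $2
    }'
}

# Extract the patch number from a version such as 8.8.15.1658841204.p33-1.u16.
# Prints nothing for packages that carry no .pNN component.
patch_level() {
    printf '%s\n' "$1" | sed -n 's/.*\.p\([0-9][0-9]*\)-.*/\1/p'
}

# Summarise stdin; returns 1 when at least one zimbra package is still pending.
report() {
    pending=$(pending_zimbra_upgrades)
    [ -z "$pending" ] && { echo "no pending zimbra upgrades"; return 0; }
    printf '%s\n' "$pending" | while read -r pkg inst cand; do
        from=$(patch_level "$inst"); to=$(patch_level "$cand")
        if [ -n "$from" ] && [ -n "$to" ]; then
            echo "PENDING $pkg: installed P$from, candidate P$to"
        else
            echo "PENDING $pkg: installed $inst, candidate $cand"
        fi
    done
    return 1
}

# Demo on the constructed sample; on a live host: apt list --upgradable 2>/dev/null | report
printf '%s\n' "$SAMPLE_APT_LIST" | report || true
```

A non-zero status from `report` after a security patch run means some Zimbra component is still on its pre-patch package version, whatever the overall release banner says.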
glenndm
Advanced member
Posts: 125
Joined: Fri Sep 12, 2014 10:35 pm
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64

Re: Zimbra Security Update

Post by glenndm »

glenndm wrote: Thu Sep 28, 2023 9:07 am I'm not sure how to read the apt-list output, but it seems to indicate zimbra is still at patch 33, while zmcontrol puts it at p41?
I hadn't noticed previously that the general upgrade command (apt-get update && apt-get upgrade) showed:

Code:

The following packages have been kept back:
  zimbra-apache-components zimbra-clamav zimbra-clamav-lib zimbra-httpd zimbra-mta-components zimbra-mta-patch zimbra-spell-components

which explains (a bit) the version discrepancy.

internet suggests:

Code:

apt-get --with-new-pkgs upgrade <list of packages kept back>

trial run seems to want to upgrade the packages, but first I am going to read up on this more.
Not sure what this will do (or cause)

best regards
glenndm
Advanced member
Posts: 125
Joined: Fri Sep 12, 2014 10:35 pm
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64

Re: Zimbra Security Update

Post by glenndm »

update: the packages were held back because of unfulfilled dependencies
the update command (apt-get --with-new-pkgs) showed the missing packages

reading viewtopic.php?p=307396, I opted to install the missing packages first

Code:

apt-get install libpcre2-8-0 zimbra-aspell-ca

afterwards, apt-get upgrade completed without errors or keptbacks

Code:

zimbra-clamav/unknown,now 1.0.1-1zimbra8.8b4.16.04 amd64 [installed,automatic]
zimbra-mta-components/unknown,now 1.0.22-1zimbra8.8b1.16.04 all [installed]
zimbra-mta-patch/unknown,now 8.8.15.1688898888.p41-1.u16 amd64 [installed]
zimbra-patch/unknown,now 8.8.15.1694190547.p43-2.u16 amd64 [installed]

Release 8.8.15.GA.3829.UBUNTU16.64 UBUNTU16_64 NETWORK edition, Patch 8.8.15_P41.

I think I'm done.