Zimbra Security Update

[ghen]

That's strange, because all 3 files belong to the zimbra-mbox-webclient-war package... So you should have all 3 of them?
(rpm -ql zimbra-mbox-webclient-war | grep hostedlogin)

If you suspect two were generated at runtime, what is the age (mtime) of those files, according to ls -l ?

[maumar]

Hello
after upgrade ubuntu 22.04 from 10.0.2 -> 10.0.3
all is working well, but on admin gui we see still 10.0.2

zmcontrol -v instead

Code: Select all

10:12:32 zimbra@mail3: ~/jetty $ zmcontrol -v
Release 10.0.3.GA.4518.UBUNTU20_64 NETWORK edition.

I have grepped for 10.0.2

Code: Select all

10:12:29 zimbra@mail3: ~/jetty $ grep -rF  "10.0.2" webapps/zimbra/
webapps/zimbra/js/NewWindow_2_all.js:   this.registerSetting("CLIENT_VERSION",                                  {type:ZmSetting.T_CONFIG, defaultValue:"10.0.2_GA_4565"});
webapps/zimbra/js/zimbraMail/share/model/ZmSettings.js: this.registerSetting("CLIENT_VERSION",                                  {type:ZmSetting.T_CONFIG, defaultValue:"10.0.2_GA_4565"});
webapps/zimbra/js/Startup1_2_all.js:    this.registerSetting("CLIENT_VERSION",                                  {type:ZmSetting.T_CONFIG, defaultValue:"10.0.2_GA_4565"});

[uttam.takalkar]

Hello
after upgrade ubuntu 22.04 from 10.0.2 -> 10.0.3
all is working well, but on admin gui we see still 10.0.2

zmcontrol -v instead

Code: Select all

10:12:32 zimbra@mail3: ~/jetty $ zmcontrol -v
Release 10.0.3.GA.4518.UBUNTU20_64 NETWORK edition.

I have grepped for 10.0.2

Code: Select all

10:12:29 zimbra@mail3: ~/jetty $ grep -rF  "10.0.2" webapps/zimbra/
webapps/zimbra/js/NewWindow_2_all.js:   this.registerSetting("CLIENT_VERSION",                                  {type:ZmSetting.T_CONFIG, defaultValue:"10.0.2_GA_4565"});
webapps/zimbra/js/zimbraMail/share/model/ZmSettings.js: this.registerSetting("CLIENT_VERSION",                                  {type:ZmSetting.T_CONFIG, defaultValue:"10.0.2_GA_4565"});
webapps/zimbra/js/Startup1_2_all.js:    this.registerSetting("CLIENT_VERSION",                                  {type:ZmSetting.T_CONFIG, defaultValue:"10.0.2_GA_4565"});

This will be corrected in next patch.. currently we just shipped one package to fix this vulnerability. Showing mismatch version is not an issue while running system.
can you share more information about your setup and since when you are running on Ubuntu 22.04

[gabrieles]

That's strange, because all 3 files belong to the zimbra-mbox-webclient-war package... So you should have all 3 of them?
(rpm -ql zimbra-mbox-webclient-war | grep hostedlogin)

If you suspect two were generated at runtime, what is the age (mtime) of those files, according to ls -l ?

Unfortunately I can tell it only for a single server, the one still not patched and it's July 26. There's no ctime because all of our customers use xfs

[tuandungtb89]

I use OracleLinux 8 and yum update all package successfully, but when I check version it's only show p41

[zimbra@mail1 ~]$ zmcontrol -v
Release 8.8.15_GA_3953.RHEL8_64_20200629025823 RHEL8_64 FOSS edition, Patch 8.8.15_P41.

I checked p41, p42 have installed

[root@mail1 ~]# rpm -qa | grep -i p41
zimbra-proxy-patch-8.8.15.1688898888.p41-1.r8.x86_64
zimbra-mta-patch-8.8.15.1688898888.p41-1.r8.x86_64
[root@mail1 ~]#
[root@mail1 ~]# rpm -qa | grep -i p42
zimbra-patch-8.8.15.1692274621.p42-1.r8.x86_64

Anyone can help me to upgrade to P42.
Thanks!

[halfgaar]

Did you restart?

[uttam.takalkar]

I use OracleLinux 8 and yum update all package successfully, but when I check version it's only show p41

[zimbra@mail1 ~]$ zmcontrol -v
Release 8.8.15_GA_3953.RHEL8_64_20200629025823 RHEL8_64 FOSS edition, Patch 8.8.15_P41.

I checked p41, p42 have installed

[root@mail1 ~]# rpm -qa | grep -i p41
zimbra-proxy-patch-8.8.15.1688898888.p41-1.r8.x86_64
zimbra-mta-patch-8.8.15.1688898888.p41-1.r8.x86_64
[root@mail1 ~]#
[root@mail1 ~]# rpm -qa | grep -i p42
zimbra-patch-8.8.15.1692274621.p42-1.r8.x86_64

Anyone can help me to upgrade to P42.
Thanks!

Zimbra have shipped just one package (zimbra-patch) to fix this security issue. Showing mismatch version is not an issue while running system. This will be corrected in next patch and other packages like MTA, Proxy will get updated.

[tuandungtb89]

Did you restart?

Yes, I did
I restarted server too

[tuandungtb89]

I use OracleLinux 8 and yum update all package successfully, but when I check version it's only show p41

[zimbra@mail1 ~]$ zmcontrol -v
Release 8.8.15_GA_3953.RHEL8_64_20200629025823 RHEL8_64 FOSS edition, Patch 8.8.15_P41.

I checked p41, p42 have installed

[root@mail1 ~]# rpm -qa | grep -i p41
zimbra-proxy-patch-8.8.15.1688898888.p41-1.r8.x86_64
zimbra-mta-patch-8.8.15.1688898888.p41-1.r8.x86_64
[root@mail1 ~]#
[root@mail1 ~]# rpm -qa | grep -i p42
zimbra-patch-8.8.15.1692274621.p42-1.r8.x86_64

Anyone can help me to upgrade to P42.
Thanks!

Zimbra have shipped just one package (zimbra-patch) to fix this security issue. Showing mismatch version is not an issue while running system. This will be corrected in next patch and other packages like MTA, Proxy will get updated.

But in this page, some one show version is P42
viewtopic.php?t=72204
Do you have any more ideas?

[L. Mark Stone]

Patch 42 is installed on a mailbox server. I con confirm that a number of the 8.8.15 systems I have updated, for the Proxy/MTA/LDAP servers after doing "apt-get update && apt-get dist-upgrade -y" still show the version as Patch 41. This is totally OK, as described above.