8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience
Hi all
This post is here just to keep the good habits.
Actually (12.58 CEST) the patch covers two vulnerabilities with TBD CVE and score.
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P43
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P36
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.4
The patching updates two packages, zimbra-patch and zimbra-mbox-webclient-war.
After a quick comparison with the previous version of each package, it seems similar to P42: just some files are being removed.
Based on this, no particular problem is expected applying this patch, as well as the previous one.
We'll start tomorrow with some customers and post results here.
Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience
I haven't upgraded yet, however this guy posted on the blog post: https://blog.zimbra.com/2023/09/new-pat ... /#comments
Is that a new bug introduced with this patch?
Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience
I did a full compare vs the previously installed package and the character encoding issue only affects four comments, so I think this is safe. I've applied it successfully.
The mbox update has a lot of version/timestamp changes, but the only functional ones are two places where a user-provided argument is escaped in postLoginRedirect to avoid a possible XSS. It's unclear to me why this is only included in FOSS and not NETWORK -- was it previously fixed for NETWORK?
The p43 patch update removes two files via install scripts -- otherwise the file contents are identical. The patches are public, so I don't see any reason to be secretive -- Docs.jsp is deleted due to undisclosed XSS vulnerabilities, probably similar to the files deleted in p42. Since it's not replaced, I assume this is an example of various dead pages that never received previous vulnerability updates....
Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience
These patches that delete files from install scripts seem risky to me. If apt installs them in a different order than expected, the file is just installed again from the package it came from. I've seen before that the dependencies of the zimbra-patch package were not good enough to ensure correct installation order.
If files are vulnerable, shouldn't they just be removed from the package they came from?
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.
Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience
I also wonder if corresponding files under /opt/zimbra/jetty/work/ shouldn't be removed as well, like the previous patch did for hostedlogin.jsp.
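A post-patch check for the two concerns raised above (a deleted file coming back from its original package, and compiled copies lingering under jetty/work), written as an added example for this thread rather than anything Zimbra ships. It assumes ZIMBRA_HOME is /opt/zimbra, that the webapp lives under jetty/webapps/zimbra, and that Jasper's Name_jsp.class naming applies; the relative JSP paths in the usage line are placeholders, not the real locations of the removed files.

```shell
#!/bin/sh
# Added example, not part of the thread: after a patch that deletes JSPs from
# install scripts, confirm the files are gone from both the deployed webapp and
# jetty's compiled-JSP cache, and print which package still owns a leftover
# (that package being reinstalled or installed out of order can bring it back).
# ZIMBRA_HOME, the webapp path and the JSP paths passed in are assumptions.
ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"

# owner_of PATH: print the package that ships PATH, if any (dpkg or rpm hosts).
owner_of() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | cut -d: -f1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null
    fi
}

# check_removed ROOT JSP...: JSP paths are relative to the zimbra webapp.
# Prints one entry per leftover; the return value is the number of leftovers.
check_removed() {
    root="$1"; shift
    leftovers=0
    for jsp in "$@"; do
        src="$root/jetty/webapps/zimbra/$jsp"
        if [ -e "$src" ]; then
            echo "source still present: $src (owner: $(owner_of "$src"))"
            leftovers=$((leftovers + 1))
        fi
        # Jasper compiles foo/Docs.jsp into .../Docs_jsp.java and Docs_jsp.class
        # under jetty/work; the previous patch cleaned those up for hostedlogin.jsp,
        # so look for the same pattern here.
        base=$(basename "$jsp" .jsp)
        compiled=$(find "$root/jetty/work" -type f -name "${base}_jsp.*" 2>/dev/null || true)
        if [ -n "$compiled" ]; then
            echo "compiled copy still present for $jsp:"
            echo "$compiled" | sed 's/^/  /'
            leftovers=$((leftovers + 1))
        fi
    done
    return "$leftovers"
}

# Usage (the two relative paths are placeholders for the files the patch removed):
#   check_removed "$ZIMBRA_HOME" public/Docs.jsp h/hostedlogin.jsp
```

A non-zero exit status means something survived the patch and is worth removing by hand, then re-checked after the next apt or yum run.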
- Zimbra Employee
Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience
> jered wrote: ↑Wed Sep 13, 2023 12:38 pm
> I did a full compare vs the previously installed package and the character encoding issue only affects four comments, so I think this is safe. I've applied it successfully.
> The mbox update has a lot of version/timestamp changes, but the only functional ones are two places where a user-provided argument is escaped in postLoginRedirect to avoid a possible XSS. It's unclear to me why this is only included in FOSS and not NETWORK -- was it previously fixed for NETWORK?
> The p43 patch update removes two files via install scripts -- otherwise the file contents are identical. The patches are public, so I don't see any reason to be secretive -- Docs.jsp is deleted due to undisclosed XSS vulnerabilities, probably similar to the files deleted in p42. Since it's not replaced, I assume this is an example of various dead pages that never received previous vulnerability updates....

Can you share ZCS version and OS version?
Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience
> umashankar.avagadda wrote: ↑Wed Sep 13, 2023 1:56 pm
>> jered wrote: ↑Wed Sep 13, 2023 12:38 pm
>> I did a full compare vs the previously installed package and the character encoding issue only affects four comments, so I think this is safe. I've applied it successfully.
>> The mbox update has a lot of version/timestamp changes, but the only functional ones are two places where a user-provided argument is escaped in postLoginRedirect to avoid a possible XSS. It's unclear to me why this is only included in FOSS and not NETWORK -- was it previously fixed for NETWORK?
>> The p43 patch update removes two files via install scripts -- otherwise the file contents are identical. The patches are public, so I don't see any reason to be secretive -- Docs.jsp is deleted due to undisclosed XSS vulnerabilities, probably similar to the files deleted in p42. Since it's not replaced, I assume this is an example of various dead pages that never received previous vulnerability updates....
>
> Can you share ZCS version and OS version?

I am on RHEL 8 (Individual Developer license) and now running Zimbra 8.8.15_GA_5 (build 20230908153606).
- andras0602
Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience
I updated on CentOS7 to 8.8.15 Patch-43. No issues, everything works the same as before.
So far so good.
- JDunphy
Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience
Single server RHEL 8 uneventful thus far.
Code:
# su - zimbra
% [zimbra@tmail ~]$ zmcontrol -v
Release 8.8.15_GA_3953.RHEL8_64_20200629025823 RHEL8_64 NETWORK edition, Patch 8.8.15_P43.
- L. Mark Stone
Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience
I've updated a number of 8.8.15 Ubuntu 16, 18 and 20 servers so far today with no issues.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate