8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience

Ask questions about your setup or get help installing ZCS server (ZD section below).
User avatar
gabrieles
Outstanding Member
Outstanding Member
Posts: 241
Joined: Tue Feb 14, 2017 9:40 am

8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience

Post by gabrieles »

Hi all
this post is here just to keep the good habits.
Actually (12.58 CEST) the patch covers two vulnerabilities with TBD CVE and score.

https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P43
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P36
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.4

The patching updates two packages, zimbra-patch and zimbra-mbox-webclient-war.
After a quick comparison with the previous version of each package, it seems similar to P42: just some files are being removed.

Based on this, no particular problem is expected applying this patch, as well as the previous one.
We'll start tomorrow with some customer and post results here.
bulletxt
Advanced member
Advanced member
Posts: 84
Joined: Sat Sep 13, 2014 1:08 am

Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience

Post by bulletxt »

I haven't upgraded yet, however this guy posted on the blog post: https://blog.zimbra.com/2023/09/new-pat ... /#comments

Is that a new bug introduced with this patch ?
User avatar
jered
Advanced member
Advanced member
Posts: 64
Joined: Sat Sep 13, 2014 12:35 am
Location: Somerville, MA

Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience

Post by jered »

bulletxt wrote: Wed Sep 13, 2023 11:31 am Is that a new bug introduced with this patch ?
I did a full compare vs the previously installed package and the character encoding issue only affects four comments, so I think this is safe. I've applied it successfully.

The mbox update has a lot of version/timestamp changes, but the only functional ones are two places where a user-provided argument is escaped in postLoginRedirect to avoid a possible XSS. It's unclear to me why this is only included is FOSS and not NETWORK -- was it previously fixed for NETWORK?

The p43 patch update removes two files via install scripts -- otherwise the file contents are identical. The patches are public, so I don't see any reason to be secretive -- Docs.jsp is deleted due to undisclosed XSS vulnerabilities, probably similar to the files deleted in p42. Since it's not replaced, I assume this is an example of various dead pages that never received previous vulnerability updates....
halfgaar
Outstanding Member
Outstanding Member
Posts: 201
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43
Contact:

Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience

Post by halfgaar »

These patches that delete files from install scriopts seems risky to me. If apt installs them in a different order than expected, the file is just installed again from the package it came from. I've seen before that the dependencies of the zimbra-patch package was not good enough to ensure correct installation order.

If files are vulnerable, shouldn't they just be removed from the package they came from?
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.
ghen
Outstanding Member
Outstanding Member
Posts: 292
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium

Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience

Post by ghen »

I also wonder if corresponding files under /opt/zimbra/jetty/work/ shouldn't be removed as well, like the previous patch did for hostedlogin.jsp.
umashankar.avagadda
Zimbra Employee
Zimbra Employee
Posts: 131
Joined: Wed Apr 05, 2023 6:29 am

Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience

Post by umashankar.avagadda »

jered wrote: Wed Sep 13, 2023 12:38 pm
bulletxt wrote: Wed Sep 13, 2023 11:31 am Is that a new bug introduced with this patch ?
I did a full compare vs the previously installed package and the character encoding issue only affects four comments, so I think this is safe. I've applied it successfully.

The mbox update has a lot of version/timestamp changes, but the only functional ones are two places where a user-provided argument is escaped in postLoginRedirect to avoid a possible XSS. It's unclear to me why this is only included is FOSS and not NETWORK -- was it previously fixed for NETWORK?

The p43 patch update removes two files via install scripts -- otherwise the file contents are identical. The patches are public, so I don't see any reason to be secretive -- Docs.jsp is deleted due to undisclosed XSS vulnerabilities, probably similar to the files deleted in p42. Since it's not replaced, I assume this is an example of various dead pages that never received previous vulnerability updates....
Can you share ZCS version and OS version ?
User avatar
jered
Advanced member
Advanced member
Posts: 64
Joined: Sat Sep 13, 2014 12:35 am
Location: Somerville, MA

Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience

Post by jered »

umashankar.avagadda wrote: Wed Sep 13, 2023 1:56 pm
jered wrote: Wed Sep 13, 2023 12:38 pm
bulletxt wrote: Wed Sep 13, 2023 11:31 am Is that a new bug introduced with this patch ?
I did a full compare vs the previously installed package and the character encoding issue only affects four comments, so I think this is safe. I've applied it successfully.

The mbox update has a lot of version/timestamp changes, but the only functional ones are two places where a user-provided argument is escaped in postLoginRedirect to avoid a possible XSS. It's unclear to me why this is only included is FOSS and not NETWORK -- was it previously fixed for NETWORK?

The p43 patch update removes two files via install scripts -- otherwise the file contents are identical. The patches are public, so I don't see any reason to be secretive -- Docs.jsp is deleted due to undisclosed XSS vulnerabilities, probably similar to the files deleted in p42. Since it's not replaced, I assume this is an example of various dead pages that never received previous vulnerability updates....
Can you share ZCS version and OS version ?
I am on RHEL 8 (Individual Developer license) and now running Zimbra 8.8.15_GA_5 (build 20230908153606).
User avatar
andras0602
Advanced member
Advanced member
Posts: 62
Joined: Sat May 21, 2022 3:11 pm
ZCS/ZD Version: 8.8.15

Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience

Post by andras0602 »

I updated on CentOS7 to 8.8.15 Patch-43. No issues, everything work the same as before.
So far so good.
User avatar
JDunphy
Outstanding Member
Outstanding Member
Posts: 924
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P42 NETWORK Edition

Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience

Post by JDunphy »

Single server RHEL 8 uneventful thus far.

Code: Select all

# su - zimbra
% [zimbra@tmail ~]$ zmcontrol -v
Release 8.8.15_GA_3953.RHEL8_64_20200629025823 RHEL8_64 NETWORK edition, Patch 8.8.15_P43.
User avatar
L. Mark Stone
Ambassador
Ambassador
Posts: 2837
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.10 Network Edition
Contact:

Re: 8.8.15 Patch-43 - 9.0.0 P36 - 10.0.4 released, share your experience

Post by L. Mark Stone »

I've updated a number of 8.8.15 Ubuntu 16, 18 and 20 servers so far today with no issues.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Post Reply