Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here
- oetiker
- Outstanding Member
- Posts: 313
- Joined: Fri Mar 07, 2014 1:05 pm
- Location: Switzerland
- ZCS/ZD Version: Release 10.1.2.GA.4633.UBUNTU20_64
Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here
Release Notes:
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.2
Please post your patching and/or upgrading results here.
- oetiker
- Outstanding Member
- Posts: 313
- Joined: Fri Mar 07, 2014 1:05 pm
- Location: Switzerland
- ZCS/ZD Version: Release 10.1.2.GA.4633.UBUNTU20_64
Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here
Hi,
I had no problem with the upgrade from 10.1.1 to 10.1.2
Release 10.1.2.GA.4633.UBUNTU20_64 NETWORK edition.
ZBUG-4317 (Autocomplete failure after updating to 10.1.1) is still not fixed in this release (classic and modern ui)
Product Management's comments on the bug: This bug has been classified as an S2 severity issue. We acknowledge its impact, and our engineering team is working on fixing the issue.
Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here
Hi,
how can I verify, if this security issue is closed now?
When I check the new local config option, I get an error:
Code: Select all
zmlocalconfig zimbra_gql_enable_dangerous_deprecated_get_method_will_be_removed
Warning: null valued key 'zimbra_gql_enable_dangerous_deprecated_get_method_will_be_removed'
Makes no difference if I execute this on a patched or unpatched system.
Best regards
Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here
Hello,
localconfig is not set by default (hence shown as null). The default behaviour is that the GraphQL GET method is disabled after the patch upgrade.
To verify that the issue is resolved, you can check whether the GET method is disabled for the GraphQL extension:
https://<HOSTNAME>/service/extension/graphql
Last edited by dtomar on Wed Oct 09, 2024 12:37 pm, edited 3 times in total.
-
- Zimbra Employee
- Posts: 5
- Joined: Tue Nov 28, 2023 9:05 am
Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here
Please check whether the GraphQL GET method is disabled by default. You can do this by accessing the following URL:
https://<zimbra-hostname>/service/extension/graphql
If the patch is successfully applied, you should receive the following error message:
HTTP ERROR 500 javax.servlet.ServletException: HTTP GET requests are disabled on GraphQL endpoint. To re-enable, contact Zimbra Support.
This will confirm that the GET method is disabled as expected.
Note: The default value of zimbra_gql_enable_dangerous_deprecated_get_method_will_be_removed is FALSE (right now getting displayed as null), and customers are recommended not to set it to TRUE.
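The check described in the post above, as an added example (not part of the original post and not Zimbra's code): a small script that fetches the URL and classifies the answer. The function names and verdict words are hypothetical; the 403 case covers a proxy-level block such as the nginx rule proposed further down this thread, where the servlet is never reached.

```bash
#!/usr/bin/env bash
# Added example: classify the response to a plain GET on the GraphQL endpoint.

# Error text quoted in the post above; its presence means the servlet refused GET.
GQL_MSG='HTTP GET requests are disabled on GraphQL endpoint'

# classify_gql_get STATUS BODY -> prints one verdict word (hypothetical names)
classify_gql_get() {
    local status="$1" body="$2"
    if [ "$status" = "500" ] && printf '%s' "$body" | grep -qF "$GQL_MSG"; then
        echo patched            # the servlet itself rejects GET
    elif [ "$status" = "403" ]; then
        echo blocked-upstream   # refused before the servlet; says nothing about the patch
    else
        echo unconfirmed        # any other answer does not prove the patch is active
    fi
}

# check_gql_get HOSTNAME -> fetches the URL from the post and prints the verdict
check_gql_get() {
    local host="$1" tmp status
    tmp=$(mktemp) || return 2
    status=$(curl -sS -o "$tmp" -w '%{http_code}' --max-time 15 \
        "https://${host}/service/extension/graphql") || {
        rm -f "$tmp"
        echo unreachable        # TLS or connection failure, nothing to classify
        return 2
    }
    classify_gql_get "$status" "$(cat "$tmp")"
    rm -f "$tmp"
}

# Only contact a server when a hostname is passed: ./check_gql.sh <zimbra-hostname>
if [ -n "${1:-}" ]; then
    check_gql_get "$1"
fi
```

A verdict of blocked-upstream means the request should be repeated against the mailbox server directly, or after removing the temporary proxy rule, before treating the host as patched.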
Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here
Hi,
Thank you for this information.
Upgrade from 10.1.1 to 10.1.2 : no problem
test ok (with bugs like ZBUG-4317)
- JDunphy
- Outstanding Member
- Posts: 925
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P42 NETWORK Edition
Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here
ashish.kataria wrote: ↑Wed Oct 09, 2024 12:46 pm
> https://<zimbra-hostname>/service/extension/graphql
> If the patch is successfully applied, you should receive the following error message:
> HTTP ERROR 500 javax.servlet.ServletException: HTTP GET requests are disabled on GraphQL endpoint. To re-enable, contact Zimbra Support.
Can we do something like this at the nginx level and restart the proxy until we can test and deploy this recent patch that may have non-security-related updates?
Code: Select all
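location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/
{
    # ZBUG-2706 Memcached poisoning with unauthenticated request
    if ($request_uri ~* "%0A|%0D") {
        return 403;
    }
    #%%% tmp until patch can be tested?
    # nginx "if" takes a single condition (no &&), so combine the two tests via a flag
    set $gql_get "";
    if ($request_uri ~* "graphql") {
        set $gql_get "U";
    }
    if ($request_method = GET) {
        set $gql_get "${gql_get}M";
    }
    if ($gql_get = "UM") {
        return 403;
    }
    # (rest of the existing location block unchanged)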
-
- Ambassador
- Posts: 2804
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here
Here's what seems to be the code patch for the GraphQL issue: https://github.com/Zimbra/zm-gql/pull/6 ... 6d49dd1e37#
This is not going to be easy to fix for the 8.8.15 users (except maybe by some NGINX filtering).
Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here
oetiker wrote: ↑Tue Oct 08, 2024 5:18 pm
> ZBUG-4317 (Autocomplete failure after updating to 10.1.1) is still not fixed in this release (classic and modern ui)
> Product Management's comments on the bug: This bug has been classified as an S2 severity issue. We acknowledge its impact, and our engineering team is working on fixing the issue.
oetiker,
The current commits for the fix found here
https://github.com/Zimbra/zm-mailbox/pull/1660/commits
patch two files in the zm-mailbox repository
Provisioning.java
LdapProvisioning.java
When built these classes are found in zimbrastore.jar which is part of zimbra-common-core-jar_10.1.2.1725992150-1.u20_amd64.deb.
I'm testing 10.1.2 FOSS on ubuntu 20.04.
An account was getting the 'autocomplete failed' error so I patched zimbrastore.jar to test.
However it turned out to be caused by a bad entry in contacts, not this bug.
No other accounts are getting this error.
Do you have a test server to try swapping /opt/zimbra/lib/jars/zimbrastore.jar with the patched version?
If so, it can be found here:
https://filebin.net/en0d3eo7v4pxsh7x
with md5
46c8d878db42c423fe80b2ccb462d95c
Since FOSS doesn't contain the modern ui, I'm not sure if this version of zimbrastore.jar will work with NE.
Send later not working
Hello,
While testing 10.1.2 FOSS on ubuntu 20.04, it appears the 'send later' feature is broken.
After checking mailbox.log this might have started with 10.1.1.
If an email is scheduled to send later on the same day it will successfully deliver.
However if the scheduled date is the next day or later, the email will be deleted from the drafts folder without sending.
When a scheduled email is successfully delivered the log entries are
Code: Select all
[ScheduledTask-1] [] mailop - Adding Message:...
[ScheduledTask-1] [] smtp - Sending message to MTA at mail:...
[ScheduledTask-1] [] mailop - Deleting Message ...
When the scheduled delivery date is later than the current day the only entry is
Code: Select all
[ScheduledTask-2] [] mailop - Deleting Message ...