Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

oetiker
Outstanding Member
Posts: 313
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 10.1.2.GA.4633.UBUNTU20_64

Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by oetiker »

Release Notes:
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.2

Please post your patching and/or upgrading results here.
oetiker
Outstanding Member
Posts: 313
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 10.1.2.GA.4633.UBUNTU20_64

Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by oetiker »

Hi,

I had no problem with the upgrade from 10.1.1 to 10.1.2

Release 10.1.2.GA.4633.UBUNTU20_64 NETWORK edition.

ZBUG-4317 (Autocomplete failure after updating to 10.1.1) is still not fixed in this release (classic and modern ui)
Product Management's comments on the bug: This bug has been classified as an S2 severity issue. We acknowledge its impact, and our engineering team is working on fixing the issue.
ghandalf
Posts: 5
Joined: Wed Aug 17, 2022 11:19 am

Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by ghandalf »

Hi,

how can I verify if this security issue is closed now?

When I check the new local config option, I get an error:

Code:

zmlocalconfig zimbra_gql_enable_dangerous_deprecated_get_method_will_be_removed
Warning: null valued key 'zimbra_gql_enable_dangerous_deprecated_get_method_will_be_removed'

Makes no difference if I execute this on a patched or unpatched system.

Best regards
dtomar
Posts: 1
Joined: Fri Nov 03, 2023 5:27 am

Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by dtomar »

Hello,

The localconfig key is not set by default (hence shown as null). The default behaviour is that the GraphQL GET method is disabled after the patch upgrade.

To verify that the issue is resolved, check whether the GET method is disabled for the GraphQL extension:
https://<HOSTNAME>/service/extension/graphql
ashish.kataria
Zimbra Employee
Posts: 5
Joined: Tue Nov 28, 2023 9:05 am

Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by ashish.kataria »

Please check whether the GraphQL GET method is disabled by default. You can do this by accessing the following URL:
https://<zimbra-hostname>/service/extension/graphql

If the patch is successfully applied, you should receive the following error message:
HTTP ERROR 500 javax.servlet.ServletException: HTTP GET requests are disabled on GraphQL endpoint. To re-enable, contact Zimbra Support.

This will confirm that the GET method is disabled as expected.

Note: The default value of zimbra_gql_enable_dangerous_deprecated_get_method_will_be_removed is FALSE (right now getting displayed as null), and customers are recommended not to set it to TRUE.
jzzr
Posts: 17
Joined: Fri Aug 12, 2022 5:03 pm

Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by jzzr »

Hi,

Thank you for this information.

Upgrade from 10.1.1 to 10.1.2 : no problem
test ok (with bugs like ZBUG-4317)
JDunphy
Outstanding Member
Posts: 925
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P42 NETWORK Edition

Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by JDunphy »

ashish.kataria wrote: Wed Oct 09, 2024 12:46 pm
> https://<zimbra-hostname>/service/extension/graphql
>
> If the patch is successfully applied, you should receive the following error message:
> HTTP ERROR 500 javax.servlet.ServletException: HTTP GET requests are disabled on GraphQL endpoint. To re-enable, contact Zimbra Support.

Can we do something like this at the nginx level and restart the proxy until we can test and deploy this recent patch, which may have non-security-related updates?

Code:

    location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/
    {
        # ZBUG-2706  Memcached poisoning with unauthenticated request
        if ($request_uri ~* "%0A|%0D") {
            return 403;
        }

        #%%% tmp until patch can be tested?
        # nginx "if" cannot join two conditions with &&, so use a flag:
        # mark graphql requests, then clear the mark unless the method is GET
        set $block_gql_get 0;
        if ($request_uri ~* "graphql") {
            set $block_gql_get 1;
        }
        if ($request_method != GET) {
            set $block_gql_get 0;
        }
        if ($block_gql_get = 1) {
            return 403;
        }
        # ... rest of the location block unchanged
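A small checker for the test dtomar and ashish.kataria describe above, and for the proxy rule in the post just before this. It is an added example written for this thread, not Zimbra tooling and not any poster's code. It assumes the patched servlet answers a GET on /service/extension/graphql with HTTP 500 and the message quoted above; a 403 is reported separately, because a proxy rule that rejects GET never lets the request reach Jetty, so a 403 does not prove the servlet-side fix is in place. The hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example for this thread (not Zimbra's code and not from any poster):
# classify the response of a GET against the GraphQL extension endpoint.
# Assumes the patched server answers as described in the thread:
# HTTP 500 with the "HTTP GET requests are disabled" servlet message.

GQL_PATH="/service/extension/graphql"

# classify_gql_response STATUS BODY
# Prints "patched" when the servlet itself refuses GET (the expected
# post-patch result), "proxy-blocked" for a 403 (a proxy rule rejected the
# request before it reached Jetty, so the servlet fix is NOT confirmed),
# and "unconfirmed" for anything else, including an unrelated 500.
classify_gql_response() {
    status="$1"
    body="$2"
    case "$status" in
        500)
            case "$body" in
                *"HTTP GET requests are disabled on GraphQL endpoint"*)
                    echo patched ;;
                *)
                    echo unconfirmed ;;
            esac
            ;;
        403) echo proxy-blocked ;;
        *)   echo unconfirmed ;;
    esac
}

# check_gql_get HOSTNAME [curl options...]
# Performs the GET with curl (needs network) and exits 0 only when the
# verdict is "patched". For a private CA pass --cacert instead of -k, so
# certificate verification stays on and nobody can feed you a fake verdict.
check_gql_get() {
    host="$1"; shift
    tmp=$(mktemp) || return 2
    status=$(curl -sS "$@" -o "$tmp" -w '%{http_code}' "https://${host}${GQL_PATH}") || {
        rm -f "$tmp"; echo "curl failed for $host" >&2; return 2; }
    body=$(cat "$tmp")
    rm -f "$tmp"
    verdict=$(classify_gql_response "$status" "$body")
    echo "$host: HTTP $status -> $verdict"
    [ "$verdict" = patched ]
}

# Usage (hostname is a placeholder):
#   check_gql_get mail.example.com
#   check_gql_get mail.example.com --cacert /etc/ssl/private-ca.pem
```

Run it once before and once after applying the patch; the second run should print "patched". If it prints "proxy-blocked", the nginx rule is doing the work and the servlet-side fix still needs to be verified separately, for instance by testing from the mailbox host itself against Jetty.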
Klug
Ambassador
Posts: 2804
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by Klug »

Here's what seems to be the code patch for the GraphQL issue: https://github.com/Zimbra/zm-gql/pull/6 ... 6d49dd1e37#

This is not going to be easy to fix for the 8.8.15 users (except maybe by some NGINX filtering).
zmcontrol
Posts: 43
Joined: Fri Jul 24, 2020 12:43 am

Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by zmcontrol »

oetiker wrote: Tue Oct 08, 2024 5:18 pm
> ZBUG-4317 (Autocomplete failure after updating to 10.1.1) is still not fixed in this release (classic and modern ui)
> Product Management's comments on the bug: This bug has been classified as an S2 severity issue. We acknowledge its impact, and our engineering team is working on fixing the issue.

oetiker,

The current commits for the fix, found here:
https://github.com/Zimbra/zm-mailbox/pull/1660/commits

patch two files in the zm-mailbox repository:
Provisioning.java
LdapProvisioning.java

When built these classes are found in zimbrastore.jar which is part of zimbra-common-core-jar_10.1.2.1725992150-1.u20_amd64.deb.

I'm testing 10.1.2 FOSS on ubuntu 20.04.
An account was getting the 'autocomplete failed' error so I patched zimbrastore.jar to test.
However it turned out to be caused by a bad entry in contacts, not this bug.
No other accounts are getting this error.

Do you have a test server to try swapping /opt/zimbra/lib/jars/zimbrastore.jar with the patched version?
If so, it can be found here:
https://filebin.net/en0d3eo7v4pxsh7x
with md5
46c8d878db42c423fe80b2ccb462d95c

Since FOSS doesn't contain the modern ui, I'm not sure if this version of zimbrastore.jar will work with NE.
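The jar swap zmcontrol proposes, done with the checks a practitioner would want before replacing a core jar. This is an added example for this thread, not the poster's script and not part of Zimbra. It assumes the live jar path from the post and the usual package paths of the two patched classes in zm-mailbox (com/zimbra/cs/account/Provisioning.class and com/zimbra/cs/account/ldap/LdapProvisioning.class), which you should adjust if they differ. Note the limit of the MD5 check: the digest came from the same forum post as the download link, so it catches a corrupted or truncated download, not a substituted file, and MD5 itself is collision-prone; treat a third-party jar as test-server material until the official fix ships.

```shell
#!/bin/sh
# Added example (not from the forum post and not Zimbra tooling): verify a
# downloaded zimbrastore.jar against an expected MD5, confirm it contains the
# patched classes, and install it with a timestamped backup of the live jar.
# JAR_PATH follows the post; the class entries are assumed locations of
# Provisioning/LdapProvisioning in zm-mailbox (adjust if they differ).

JAR_PATH="${JAR_PATH:-/opt/zimbra/lib/jars/zimbrastore.jar}"

# md5_of FILE -- print the hex MD5 digest (md5sum, falling back to openssl)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_md5 FILE EXPECTED -- succeed only on an exact, case-insensitive match.
# MD5 is collision-prone and the expected value arrived over the same channel
# as the file, so this detects damage in transit, not a deliberate swap.
verify_md5() {
    actual=$(md5_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# jar_has_entry JAR ENTRY -- check that the jar listing contains ENTRY
jar_has_entry() {
    unzip -l "$1" 2>/dev/null | grep -q "[[:space:]]$2\$"
}

# install_jar NEW_JAR EXPECTED_MD5 -- refuse on any mismatch, back up, install
install_jar() {
    new="$1"; expected="$2"
    verify_md5 "$new" "$expected" || { echo "MD5 mismatch for $new, refusing to install" >&2; return 1; }
    for entry in com/zimbra/cs/account/Provisioning.class \
                 com/zimbra/cs/account/ldap/LdapProvisioning.class; do
        jar_has_entry "$new" "$entry" || { echo "$new lacks $entry" >&2; return 1; }
    done
    backup="$JAR_PATH.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$JAR_PATH" "$backup" || return 1
    cp "$new" "$JAR_PATH" && chown zimbra:zimbra "$JAR_PATH" || return 1
    echo "installed $new over $JAR_PATH (backup: $backup)"
    echo "restart mailboxd as the zimbra user: zmmailboxdctl restart"
    echo "roll back with: cp -p $backup $JAR_PATH && zmmailboxdctl restart"
}

# Usage (as root, on a test server, with the jar already downloaded):
#   install_jar /tmp/zimbrastore.jar 46c8d878db42c423fe80b2ccb462d95c
```

The backup is the important part: if autocomplete or anything else misbehaves after the restart, copying the timestamped .bak back over the live jar and restarting mailboxd returns the server to its packaged state.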
zmcontrol
Posts: 43
Joined: Fri Jul 24, 2020 12:43 am

Send later not working

Post by zmcontrol »

Hello,

While testing 10.1.2 FOSS on Ubuntu 20.04, it appears the 'send later' feature is broken.
After checking mailbox.log this might have started with 10.1.1.

If an email is scheduled to send later on the same day it will successfully deliver.
However if the scheduled date is the next day or later, the email will be deleted from the drafts folder without sending.

When a scheduled email is successfully delivered the log entries are

Code:

[ScheduledTask-1] [] mailop - Adding Message:...
[ScheduledTask-1] [] smtp - Sending message to MTA at mail:...
[ScheduledTask-1] [] mailop - Deleting Message ...

When the scheduled delivery date is later than the current day the only entry is

Code:

[ScheduledTask-2] [] mailop - Deleting Message ...