ZCS FOSS 10.1.12 - Upcoming FOSS release issues

BradC
Outstanding Member
Posts: 426
Joined: Tue May 03, 2016 1:39 am

Re: ZCS FOSS 10.1.12 - Upcoming FOSS release issues

Post by BradC »

ghen wrote: Mon Oct 20, 2025 11:14 am the people that announced it are gone now.
You mean the people that actually used to communicate between Synacor and the community?
zmcontrol
Advanced member
Posts: 70
Joined: Fri Jul 24, 2020 12:43 am

Re: ZCS FOSS 10.1.12 - Upcoming FOSS release issues

Post by zmcontrol »

At a glance, it appears that several repositories have been updated in the last 12 hours.
Unfortunately, my time to audit the commits and the 10.1.14 tags is currently limited.
Did some security commit embargoes finally get lifted?

For example, is this the commit for CVE-2025-68645 ("Addressed an unauthenticated local file inclusion vulnerability in the RestFilter")?

https://github.com/Zimbra/zm-ajax/commi ... d05db2b894
ghen
Outstanding Member
Posts: 413
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium

Re: ZCS FOSS 10.1.12 - Upcoming FOSS release issues

Post by ghen »

Looks like preparation for 10.1.16, not publication of previously embargoed commits.
(as a release/10.1.16 branch appeared on zm-mailbox)
liverpoolfcfan
Elite member
Posts: 1224
Joined: Sat Sep 13, 2014 12:47 am

Re: ZCS FOSS 10.1.12 - Upcoming FOSS release issues

Post by liverpoolfcfan »

For the moment, 10.1.16 FOSS actually builds and runs (from a basic smoke test) and is using


zimbra-jetty-distribution.x86_64    9.4.57.v20241219-2.r8     @zimbra-1000-oss
So, hopefully we will get a cleaner build this time round once they announce availability.
adrian.gibanel.btactic
Outstanding Member
Posts: 557
Joined: Thu Jan 30, 2014 11:13 am

Re: ZCS FOSS 10.1.12 - Upcoming FOSS release issues

Post by adrian.gibanel.btactic »

zmcontrol wrote: Tue Jan 06, 2026 1:34 am At a glance, it appears that several repositories have been updated in the last 12 hours.
Unfortunately, my time to audit the commits and the 10.1.14 tags is currently limited.
Did some security commit embargoes finally get lifted?

For example, is this the commit for CVE-2025-68645 ("Addressed an unauthenticated local file inclusion vulnerability in the RestFilter")?

https://github.com/Zimbra/zm-ajax/commi ... d05db2b894
Thank you!

Hopefully, one of these days I can finish the Zimbra Tracker project and we can track those sudden changes in an easier and tidier way.
ghen wrote: Tue Jan 06, 2026 1:29 pm Looks like preparation for 10.1.16, not publication of previously embargoed commits.
(as a release/10.1.16 branch appeared on zm-mailbox)
Not everything revolves around the zm-mailbox repo. This seems to me to be an actual lift of the ZCS FOSS 10.1.13 embargo.

Building ZCS FOSS 10.1.13 right away might not be a good idea because it messed up IMAP connections.

So... my current question is... Were the 10.1.14 and 10.1.15 commits already lifted because they were not security commits?
zmcontrol
Advanced member
Posts: 70
Joined: Fri Jul 24, 2020 12:43 am

Re: ZCS FOSS 10.1.12 - Upcoming FOSS release issues

Post by zmcontrol »

adrian.gibanel.btactic wrote: Wed Jan 07, 2026 10:14 am Not everything revolves around the zm-mailbox repo. This seems to me to be an actual lift of the ZCS FOSS 10.1.13 embargo.
adrian.gibanel.btactic,

I confirmed that this is the CVE-2025-68645 security fix.

Under Ubuntu 22, in /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/lib, swapping:

zm-ajax-10.1.10.1747208650.jar
with
zm-ajax-10.1.13.1752232236.jar

gives a 500 error for an unauthenticated or authenticated GET to
https://{yourservername}/h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml
instead of disclosing information.

For reference, zm-ajax-10.1.13.1752232236.jar can be extracted from
https://repo.zimbra.com/apt/1010-ne/poo ... _amd64.deb

Swap the jar file, then as the zimbra user run:
zmmailboxdctl restart

This updated jar also contains the fix for
ZBUG-5081: preserve css resource order during deduplication
https://github.com/Zimbra/zm-ajax/commi ... 5753273cec
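As an added example (not code from the thread, from zmcontrol, or from Zimbra), the following POSIX shell script automates the two checks described in the post above: it reads the build number out of the deployed zm-ajax jar and compares it against 10.1.13, and it issues the probe GET against /h/rest and classifies the response. Everything not stated in the post is an assumption of mine: the hostname is taken from the first argument, 10.1.13 is treated as the first zm-ajax build carrying the CVE-2025-68645 fix because that is the jar the post reports as fixed, and the result labels ("vulnerable", "patched", "inconclusive") are my own. Only the two behaviours the post reports are labelled; a 401/403/404 from a proxy or WAF, or a connection failure, is deliberately left inconclusive rather than guessed at.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra. Automates the two
# checks zmcontrol describes: which zm-ajax build is deployed, and how the
# RestFilter probe URL responds. Assumptions (mine, not from the post): the
# hostname comes from $1; 10.1.13 is treated as the first zm-ajax build that
# carries the CVE-2025-68645 fix, per the post; the result labels are mine.
set -u

JAR_DIR=/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/lib   # path from the post (Ubuntu 22)
MIN_FIXED=10.1.13                                           # first build reported as fixed
PROBE_PATH='/h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml'

# zm-ajax-10.1.13.1752232236.jar -> 10.1.13.1752232236
zm_ajax_version() {
    name=$(basename "$1")
    name=${name#zm-ajax-}
    printf '%s\n' "${name%.jar}"
}

# Return 0 if dotted version $1 >= dotted version $2, comparing field by field
# so that 10.1.10.1747208650 sorts below 10.1.13 (a string compare would not).
version_at_least() {
    have=$1; want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; w=${want%%.*}
        if [ "$have" = "$h" ]; then have=; else have=${have#*.}; fi
        if [ "$want" = "$w" ]; then want=; else want=${want#*.}; fi
        h=${h:-0}; w=${w:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    return 0
}

# Classify a probe response: $1 = HTTP status, $2 = body.
# Only the two behaviours the post reports are labelled; anything else
# (401/403/404 from a proxy or WAF, connection failure reported as 000)
# is left inconclusive rather than guessed.
classify_probe() {
    case $1 in
        200)
            case $2 in
                *'<web-app'*|*'<servlet-mapping'*) echo vulnerable ;;  # web.xml served back
                *) echo inconclusive ;;
            esac ;;
        500) echo patched ;;       # what the post observes with the 10.1.13 jar in place
        *)   echo inconclusive ;;
    esac
}

# Run both checks when a hostname is given:  sh check.sh mail.example.com
if [ -n "${1:-}" ]; then
    for jar in "$JAR_DIR"/zm-ajax-*.jar; do
        [ -f "$jar" ] || continue
        v=$(zm_ajax_version "$jar")
        if version_at_least "$v" "$MIN_FIXED"; then
            echo "deployed zm-ajax $v: at or above $MIN_FIXED"
        else
            echo "deployed zm-ajax $v: older than $MIN_FIXED, swap the jar"
        fi
    done
    body=$(mktemp)
    # No -k: keep TLS verification on; point --cacert at your CA if the cert is self-signed.
    status=$(curl -s -o "$body" -w '%{http_code}' "https://$1$PROBE_PATH")
    echo "probe HTTP $status: $(classify_probe "$status" "$(cat "$body")")"
    rm -f "$body"
fi
```

Run it on the mailbox server itself as the zimbra user so the jar directory is readable, and run the probe a second time from outside the network if a reverse proxy sits in front of Jetty: a 403 from the proxy says nothing about whether the jar behind it is fixed.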
zmcontrol
Advanced member
Posts: 70
Joined: Fri Jul 24, 2020 12:43 am

Re: ZCS FOSS 10.1.12 - Upcoming FOSS release issues

Post by zmcontrol »

adrian.gibanel.btactic wrote: Wed Jan 07, 2026 10:14 am So... my current question is... Were the 10.1.14 and 10.1.15 commits already lift because they were not security commits?
adrian.gibanel.btactic,

I audited the commits and can confirm 10.1.14 and 10.1.15 are public.

10.1.14
A critical issue was identified in patch v10.1.13, where IMAP clients in multi-server environments displayed messages incorrectly or failed to synchronize properly.
In patch v10.1.14, the issue has been resolved by rolling back the MINA library to the previous stable version (v2.1.6).
This rollback restores proper IMAP synchronization and message display behavior.

https://github.com/Zimbra/zm-mailbox/co ... acc57de989
https://github.com/Zimbra/zm-web-client ... bc6f627e1c
https://github.com/Zimbra/zm-zcs-lib/co ... d852aaed2e

10.1.14
Fixed an issue that caused delays when switching to the Zimbra user after upgrading to v10.1.13.
The slowdown occurred because the system repeatedly fetched license-related data during each switch.
In v10.1.14, this has been optimized by storing the information in cache, making the switch to the Zimbra user faster and more responsive.

https://github.com/Zimbra/zm-build/comm ... ee4b7085bf
https://github.com/Zimbra/zm-build/comm ... 20765a5f2d

10.1.15
The previously upgraded antisamy engine... may occasionally affect the rendering of incoming emails that use non-standard, legacy, or invalid CSS formatting (common in third-party marketing and bulk mailers).
This update includes a Rendering Optimization enhancement that refines the parser logic to better distinguish between potential security threats and harmless non-standard CSS attributes.
This maintains all security safeguards while ensuring diverse HTML email formats render as intended without unnecessary sanitization interference.
**To note: the 10.1.15 tag includes the previous antisamy upgrade to 1.7.8, the advisory fix, and updated libs.
**It's referenced here https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.15 that these upgrades were included in 10.1.13, not 10.1.15.

https://github.com/Zimbra/antisamy/comm ... b20364713f
https://github.com/Zimbra/antisamy/comm ... 7177a82cde
adrian.gibanel.btactic
Outstanding Member
Posts: 557
Joined: Thu Jan 30, 2014 11:13 am

Re: ZCS FOSS 10.1.12 - Upcoming FOSS release issues

Post by adrian.gibanel.btactic »

zmcontrol wrote: Fri Jan 09, 2026 5:30 am
adrian.gibanel.btactic wrote: Wed Jan 07, 2026 10:14 am So... my current question is... Were the 10.1.14 and 10.1.15 commits already lifted because they were not security commits?
adrian.gibanel.btactic,

I audited the commits and can confirm 10.1.14 and 10.1.15 are public.
Thank you for your audit!
I already checked 10.1.14 and 10.1.15 yesterday but, unfortunately, I was not able to update this forum thread with my results.

You can check those in the Zimbra Foss CVE Commits wiki page.

Also, anyone is invited to add 10.0.18 commits there.