Patch 34 for ZIMBRA 9 has been released regarding global security

@mik yes... just that.... but I noticed some issues with maildrop folder pemission as well... and all it takes to fix it is reboot the whole server.

So, run zmfixperms and reboot

@anahuac 
Thanks! I will probably take a snapshot of my zimbra later and give this a try!

Hello there,

I have also fixed the LDAP issue with fixpermission command.

But I am currently struggeling with building a new version myself and installing it.

From my point of view any newer version of Zimbra includes Onlyoffice - which is not being part of the build process.

After the build process I run ./install to upgrade it but it does not start as there is no Onlyoffice running on Zimbra.

Anyone got a clue how to bypass this?

@jansko djakujem for the build! (I hope I typed it the right way)

@jansko: I have tried your build as well but it also fails due to missing Onlyoffice.

How did you fixed that on your side?

@anahuac 

I can confirm that

apt update
apt upgrade
/opt/zimbra/libexec/zmfixperms
zmcontrol restart

worked for me!

Is there any way to verify that patch34 is installed and the vulnerability for CVE-2023-38750/CVE-2023-0464 is fixed?
Because the build number will not change.

Probably found the answer myself by comparing https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P34#Security_Fixes with

dpkg -l | grep zimbra

@anahuac Thank you again for sharing the steps!

Have one minor issue after patching: Zimbra is no longer logging to /var/log/zimbra.log

@mik 

chown syslog.adm /var/log/zimbra.log
systemctl restart rsyslog.service

Posted by: @anahuac

↑

@john_doe So... I figured there is some sort of issue with permission to run zmslapd as user zimbra and I don't know why yet.

What I did was a workaround giving it sudo permissions to it to run and it worked. If you're in the hurry do this:

1 - vi /etc/sudoers.d/02_zimbra-core

add this lines:

%zimbra ALL=NOPASSWD:/opt/zimbra/common/libexec/slapd
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
%zimbra ALL=NOPASSWD:/bin/kill

2 - vi /opt/zimbra/bin/ldap

add "sudo" in fron of every line that have "zmslapd" and "kill"

3 - zmcontrol restart

it works

Yessss, you're the Boss !

@dominix LOL tyvm... but running 

/opt/zimbra/libexec/zmfixperms

fix it in a better and faster way =)

@mik same for me 🙁   ...........................................................

Anyone was able to install the build mentioned earlier?

@anahuac 

Went for a more brutal approach - deleted zimbra.log, zmcontrol restart, came back right away 😀 😀 😀 
I guess you would not even have to restart.

After applying the latest patches I see following error at imapd.out:

[Fatal Error] :1:1: Content is not allowed in prolog.
ERROR StatusLogger Error parsing null
 org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at org.apache.logging.log4j.core.config.xml.XmlConfiguration.<init>(XmlConfiguration.java:92)
        at org.apache.logging.log4j.core.config.xml.XmlConfigurationFactory.getConfiguration(XmlConfigurationFactory.java:46)
        at org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:578)
        at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:179)
        at org.apache.logging.log4j.core.config.Configurator.initialize(Configurator.java:86)
        at org.apache.logging.log4j.core.config.Configurator.initialize(Configurator.java:67)
        at com.zimbra.cs.imap.ImapDaemon.main(ImapDaemon.java:100)
ERROR StatusLogger No logging configuration
12:32:10.875 [main] ERROR zimbra.store - Failed to initialize VolumeManager
com.zimbra.common.service.ServiceException: system failure: Database connection pool not initialized.
        at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:293) ~[zimbracommon.jar:9.0.0_GA_3954]
        at com.zimbra.cs.db.DbPool.getConnection(DbPool.java:327) ~[zimbrastore.jar:9.0.0_GA_3954]
        at com.zimbra.cs.db.DbPool.getConnection(DbPool.java:322) ~[zimbrastore.jar:9.0.0_GA_3954]
        at com.zimbra.cs.volume.VolumeManager.load(VolumeManager.java:61) ~[zimbrastore.jar:9.0.0_GA_3954]
        at com.zimbra.cs.volume.VolumeManager.<init>(VolumeManager.java:50) [zimbrastore.jar:9.0.0_GA_3954]
        at com.zimbra.cs.volume.VolumeManager.<clinit>(VolumeManager.java:41) [zimbrastore.jar:9.0.0_GA_3954]
        at com.zimbra.cs.store.StoreManager.getInstance(StoreManager.java:79) [zimbrastore.jar:9.0.0_GA_3954]
        at com.zimbra.cs.imap.ImapDaemon.main(ImapDaemon.java:106) [zimbrastore.jar:9.0.0_GA_3954]
12:32:10.889 [main] FATAL zimbra.system - unable to initialize blob store
java.lang.NullPointerException: Cannot invoke "com.zimbra.cs.volume.Volume.getId()" because the return value of "com.zimbra.cs.volume.VolumeManager.getCurrentMessageVolume()" is null
        at com.zimbra.cs.store.StoreManager.getInstance(StoreManager.java:79) [zimbrastore.jar:9.0.0_GA_3954]
        at com.zimbra.cs.imap.ImapDaemon.main(ImapDaemon.java:106) [zimbrastore.jar:9.0.0_GA_3954]

But in general the imap service works and clients can connect to the server.

Any ideas?