From: https://wiki.zimbra.com/wiki/Security_Center
ZCS 9.0.0 Patch 27 was released on October 11, 2022. The release includes security fixes for:
An attacker can use the cpio package to gain incorrect access to any other user accounts. Zimbra recommends pax over cpio. CVE-2022-41352
Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. CVE-2022-37393
XSS can occur via one of the attributes of an IMG element, leading to information disclosure. CVE-2022-41348
So the question to Zextras is: should we update any of the Zextras Zimbra 9 builds?
Hi,
Thank you for writing to us.
The current patch available for Zimbra 9 (Zextras Build) is Patch 25.
Though Zimbra 9 (Network Edition) has released patches 26 & 27.
Our team is working to complete the release of the next build with the latest patch for Zimbra 9 (Zextras Build).
So if you are using Zimbra 9 (Zextras Build), we would request that you wait until we release an official build with the latest patch.
Many of our users are also concerned, just like you, so we assure you that we are working to release the build with the latest patch, considering its importance.
Thanks and regards,
Sharif
Where do you find the patch number? All I can see is the build number, which contains two different dates. How do you correlate the two?
For example,
zcs-9.0.0_ZEXTRAS_20220713.RHEL7_64.20220705100521
Hi @tom11011
It's a matter of date. zcs-9.0.0_ZEXTRAS_20220713 is patch 25.
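The date correlation described in the reply above, as an added example that is not part of the original thread and not Zextras or Zimbra tooling: it splits a build string into its two dates and compares the later one with the Patch 27 release date quoted in the first post. The field layout is an assumption inferred from the single build string in the thread, and the function names are hypothetical.

```python
import re
from datetime import date, datetime

# From the first post: ZCS 9.0.0 Patch 27 was released on October 11, 2022.
PATCH_27_RELEASED = date(2022, 10, 11)

# Assumed layout (inferred from the one build string quoted in the thread):
#   zcs-<version>_<TAG>_<YYYYMMDD>.<platform>.<YYYYMMDDhhmmss>
BUILD_RE = re.compile(
    r"^zcs-(?P<version>\d+\.\d+\.\d+)_(?P<tag>[A-Za-z]+)_(?P<tag_date>\d{8})"
    r"\.(?P<platform>[A-Za-z0-9_]+)\.(?P<stamp>\d{14})$"
)


def parse_build(build):
    """Split a build string into version, tag, platform and its two dates."""
    m = BUILD_RE.match(build.strip())
    if m is None:
        raise ValueError(f"unrecognised build string: {build!r}")
    try:
        tag_date = datetime.strptime(m["tag_date"], "%Y%m%d").date()
        stamp = datetime.strptime(m["stamp"], "%Y%m%d%H%M%S")
    except ValueError as exc:
        # Digits in the right places but not a real calendar date/time.
        raise ValueError(f"invalid date in build string: {build!r}") from exc
    return {
        "version": m["version"],
        "tag": m["tag"],
        "platform": m["platform"],
        "tag_date": tag_date,
        "stamp": stamp,
    }


def predates_patch_27(build):
    """True when both embedded dates fall before the Patch 27 release.

    Following the thread's "matter of date" rule, such a build is treated as
    lacking the Patch 27 fixes. A later date is not proof that the fixes are
    included; that still has to be confirmed with the build's publisher.
    """
    info = parse_build(build)
    newest = max(info["tag_date"], info["stamp"].date())
    return newest < PATCH_27_RELEASED


if __name__ == "__main__":
    quoted = "zcs-9.0.0_ZEXTRAS_20220713.RHEL7_64.20220705100521"  # from the thread
    print(parse_build(quoted)["tag_date"], predates_patch_27(quoted))
```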
I have compiled and tested 9.0.0 Patch 28 for RedHat + Rocky. If you're interested, send me a message - I'll send you a link.