BTW, it looks as though Zimbra is back to building the OSS Version of Zimbra and it's available for Rocky Linux 8, download details are on the wiki Patch page.
I've just installed the patch on my Zextras build of ZCS without any noticeable effect on the server. 🙂
I may not getting it right, but they announce Zimbra 9 support for Rocky Linux didn't specifically mention OSS version, hence rules are the same, no OSS version support whatsoever. I would be strange having full support for Rocky, but not for Ubuntu.
Imagine that Zimbra coming back for OSS support, would Zextras build make my Zimbra 9 Installation somehow "irreversible" to Zimbra updates, if it will be any?
Hi, my system currently shows
Release 9.0.0.ZEXTRAS.20220713.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P18.
I used this command as described for the patch:
apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
It returnes:
Reading package lists... Done
Building dependency tree
Reading state information... Done
zimbra-common-core-jar is already the newest version (9.0.0.1656544293-1.u20).
zimbra-common-core-libs is already the newest version (9.0.0.1654854341-1.u20).
zimbra-mbox-store-libs is already the newest version (9.0.0.1654854341-1.u20).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
---
Can anyone describe me what to do in order to make sure that Patch 26 gets installed?
As shown above, i have the ZEXTRAS build.
I already read the previous replies on this topic, but somehow it is not clear to me what i should do now to ensure that patch 26 is installed?
I am fairly confused now. Since the great fun of mid June I seem to hear conflicting detail about upgrade/updates to Zimbra 9 Zextras build.
Zextras seem to be saying you need to upgrade with an install (sort of in place install) process from a new build of Zextra's Zimbra 9.0 as not all the updates are included in the Zimbra/Zynacor repos so those that are not, are baked into the new install download.
My problem with this is the current signpost Latest build is from May and a fair few critical updates have been released since them
If Zextras is not likely make such updates available promptly how do we keep machines most safe from zero day expoits when it seems months pass without those key new builds. I would like to consider Carbonio but this potential limbo land stuff makes me nervous that will get the updates in a timely fashion either as they come from the same back stock.
Anyone from Zextras able to clarify once and for all what the Zimbra 9 status is and how and when it is due to be updated/updateable safely?
If you're feeling adventurous you could always build it yourself, there are build script available on the Zimbra Forums (and on the internet IIRC). You could an already built from those scripts. BTW, the company name is Synacor not Zynacor. 😉
@donty builds from are available here, but are from May as well. You can rebuild using Docker.
Anyway OSS is not affected by the bug, only NE is.
@donty builds from are available here, but are from May as well. You can rebuild using Docker.
Anyway OSS is not affected by the bug, only NE is.
This link explain how to "compromise" zimbra : https://paper.seebug.org/1924/
This works only if you have /opt/zimbra/lib/ext/backup/zimbrabackup.jar (library used by network edition ).
p.s. if you read on patch 31 release note you notify that they started to fix mboximport problem :
| RCE through mboximport from authenticated user. | CVE-2022-27925 |
Main problems about this bug is about the path traversal for unzip files... probably they fixed this on p31 and on p33 they blocked the access to non authorized users.
@donty builds from are available here, but are from May as well. You can rebuild using Docker.
Anyway OSS is not affected by the bug, only NE is.
This link explain how to "compromise" zimbra : https://paper.seebug.org/1924/
This works only if you have /opt/zimbra/lib/ext/backup/zimbrabackup.jar (library used by network edition ).
p.s. if you read on patch 31 release note you notify that they started to fix mboximport problem :
RCE through mboximport from authenticated user. CVE-2022-27925 Main problems about this bug is about the path traversal for unzip files... probably they fixed this on p31 and on p33 they blocked the access to non authorized users.
Hello,
The latest Patch 26 is out, but on Zextras' site it shows Latest Version: 9.0.0p25.
Our customers want Patch 26 to be passed. What should we answer in this situation?
Is there a more recent version?
[zimbra@mail ~]$ zmcontrol -v Release 9.0.0_ZEXTRAS_20220713.RHEL7_64_20220705100521 RHEL7_64 FOSS edition.
Hi,
Zimbra released patch 26 keeping their Network edition subscribers in mind as your mentioned
vulnerability (CVE-2022-27925) only affects Zimbra 9 network edition.
Zextras build Zimbra 9 Open Source edition with patch 25 is completely safe from this vulnerability. Patch 25 is not affected by that CVE because zimbrabackup.jar is not present in the OSE of Zextras build Zimbra 9.
Therefore, we are taking time to release our next patch in a complete manner.
So you can assure your customers that their Zextras build Zimbra 9 open source edition with patch 25 will receive
the next patch before any issue arises. We will update the social media and forums whenever the next patch is released.
Thanks for your understanding.
Regards,
Hello everyone,
I'm glad to inform you the new Zimbra 9.0.0 OSE built by Zextras based on patch 28 is now available for download.
- Download the package: https://www.zextras.com/zextras-build-based-on-zimbra-official-repository/
- Read more about patches and updating: https://community.zextras.com/how-we-solved-the-issue-of-updating-zimbra-9/
Have a nice one!