Hello,
When building 10.1.8 FOSS two packages are lower versions than the NE equivalents.
10.1.8.1745958496-1 -> FOSS zimbra-common-core-jar
10.1.8.1746025108-1 -> NE zimbra-common-core-jar
and
10.1.8.1745958376-1 -> FOSS zimbra-common-mbox-conf-attrs
10.1.8.1746025108-1 -> NE zimbra-common-mbox-conf-attrs
Regarding zimbra-common-core-jar, there are two files that differ.
LC.class (zimbracommon.jar)
UserServlet.class (zimbrastore.jar)
LC.class adds the new 'ajax_uri_max_assets_requests_allowed' attribute, which is the new security fix to prevent DoS attacks.
UserServlet.class fixes an issue where users were unable to download attachments from the web client if the "zimbraFeatureExportFolderEnabled" setting was set to FALSE at the user or COS level.
Regarding zimbra-common-mbox-conf-attrs, there are two files that differ.
zimbra-attrs-schema and zimbra-attrs.xml
zimbra-attrs-schema contains the schema version: FOSS 1739786767, NE 1746022363.
zimbra-attrs.xml changes are for the new NE-only feature Delivery Status Notification (DSN).
Other observations.
While running the 10.1.8 install script there was an error:
Code:
Setting local config values...done.
Initializing core config...Setting up CA...C = US, ST = N/A, L = N/A, O = Zimbra Collaboration Server, OU = Zimbra Collaboration Server, CN = my.domain
error 10 at 0 depth lookup: certificate has expired
error /opt/zimbra/conf/ca/ca.pem: verification failed
done.
Deploying CA to /opt/zimbra/conf/ca ...done.
The output of zmsetup.log:
Code:
Initializing core config...Setting up CA...
** Running as root user: /opt/zimbra/common/bin/openssl verify -purpose sslserver -CAfile /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.pem | egrep "^error 10"
*** Running as zimbra user: /opt/zimbra/bin/zmcertmgr createca
** Using CA cert in '/opt/zimbra/ssl/zimbra/ca/ca.pem'
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Using Commercial CA cert in '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
done.
Deploying CA to /opt/zimbra/conf/ca ...
*** Running as zimbra user: /opt/zimbra/bin/zmcertmgr deployca -localonly
** Importing cert '/opt/zimbra/ssl/zimbra/ca/ca.pem' as 'my_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Cleaning up 11 files from '/opt/zimbra/conf/ca'
However, after the upgrade there are no cert issues.
If history repeats, it will be 60 days until the FOSS community has an official DoS security fix.
I'm testing patches for FOSS. If anyone has a PoC, please share; imho at this point security through obscurity is mitigated since all the info is now public.
Statistics: Posted by zmcontrol — Fri May 16, 2025 8:17 pm