=====================================================================
                            CERT-Renater

                 Information Note No. 2019/VULN306
_____________________________________________________________________

DATE                 : 03/10/2019

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Zimbra versions prior to
                       8.8.15 Patch 2, 8.8.12 Patch 6, 8.7.11 Patch 14.

=====================================================================
https://blog.zimbra.com/2019/09/new-zimbra-patches-8-8-15-patch-2-and-8-8-12-patch-6-and-8-7-11-patch-14/
_____________________________________________________________________

NEW Zimbra Patches: 8.8.15 Patch 2 + 8.8.12 Patch 6 + 8.7.11 Patch 14

By Urvi Mehta on September 30, 2019 in Product News, Product Updates, Zimbra Server

Hello Zimbra Friends, Customers & Partners,

We have three new patches to announce:

  - Zimbra 8.8.15 “James Prescott Joule” Patch 2
  - Zimbra 8.8.12 “Isaac Newton” Patch 6
  - Zimbra 8.7.11 Patch 14

Zimbra 8.8.15 “James Prescott Joule” Patch 2

Patch 2 is here for the Zimbra 8.8.15 “James Prescott Joule” GA release, and it includes fixes as listed in the release notes.

Zimbra 8.8.15 is now fully supported on UBUNTU18 (GA). Download the latest UBUNTU-18 binaries from https://www.zimbra.com/downloads.

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.

Bug#    Summary                      CVE-ID          CVSS Score  Zimbra Rating  Fix Patch Version
12356   Upgraded ClamAV to 0.101.4   CVE-2019-12625  –           –              8.8.15 P2

Patch Installation

For 8.8.15 Patches, you don’t need to download any patch builds. 8.8.15 Patch packages can be installed using Linux package management commands. Please refer to the release notes for Zimbra 8.8.15 Patch 2 installation on Redhat and Ubuntu platforms.

Note: Installing a zimbra-patch package only updates the Zimbra core packages.

Zimbra 8.8.12 “Isaac Newton” Patch 6

Patch 6 is here for the Zimbra 8.8.12 “Isaac Newton” GA release, and it includes fixes as listed in the release notes.

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.

Bug#    Summary                      CVE-ID          CVSS Score  Zimbra Rating  Fix Patch Version
109174  Non-Persistent XSS CWE-79    CVE-2019-12427  4.3         Minor          8.8.12 P6
12356   Upgraded ClamAV to 0.101.4   CVE-2019-12625  –           –              8.8.12 P6

Patch Installation

For 8.8.12 Patches, you don’t need to download any patch builds. 8.8.12 Patch packages can be installed using Linux package management commands. Please refer to the release notes for Zimbra 8.8.12 Patch 6 installation on Redhat and Ubuntu platforms.

Note: Installing a zimbra-patch package only updates the Zimbra core packages.

Zimbra 8.7.11 Patch 14

Patch 14 is here for the Zimbra 8.7.11 GA release, and it includes fixes as listed in the release notes.

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.

Bug#    Summary                      CVE-ID          CVSS Score  Zimbra Rating  Fix Patch Version
109174  Non-Persistent XSS CWE-79    CVE-2019-12427  4.3         Minor          8.7.11 P14
12356   Upgraded ClamAV to 0.101.4   CVE-2019-12625  –           –              8.7.11 P14

Patch Installation

Download the patch for Network Edition and Open Source Edition. Please refer to the release notes for 8.7.11 Patch 14 installation.

Note: This patch should be installed only on all mailbox nodes running in your environment.

Thank you,
Your Zimbra Team

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================