
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN195
_____________________________________________________________________

DATE                : 01/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Zimbra versions prior to 9.0.0
           “Kepler” Patch 13, 8.8.15 “James Prescott Joule” Patch 20.

=====================================================================
https://blog.zimbra.com/2021/03/new-zimbra-patches-9-0-0-patch-13-and-8-8-15-patch-20/
_____________________________________________________________________


NEW Zimbra Patches: 9.0.0 Patch 13 + 8.8.15 Patch 20
By Urvi Mehta on March 30, 2021 in Product News, Product Updates, Zimbra
Server


Hello Zimbra Friends, Customers & Partners,
Zimbra 9.0.0 “Kepler” Patch 13 and 8.8.15 “James Prescott Joule” Patch
20 are here.

For Zimbra 8.8.8 and above, you don’t need to download any patch builds.
The patch packages can be installed using Linux package management
commands. Please refer to the respective release notes for patch
installation on Red Hat and Ubuntu platforms.


Note: Installing a zimbra-patch package only updates the Zimbra core
packages.

Security Fixes

Summary           : Heap-based buffer overflow vulnerabilities in PHP < 7.3.10
CVE-ID            : CVE-2019-9641, CVE-2019-9640
CVSS Score        : 9.8
Zimbra Rating     : Critical
Fix Patch Version : 9.0.0 P13, 8.8.15 P20

Summary           : Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.
CVE-ID            : CVE-2019-0211, CVE-2019-0217
CVSS Score        : 7.8
Zimbra Rating     : High
Fix Patch Version : 9.0.0 P13, 8.8.15 P20


Announcing GA

The following packages are now GA:

    OpenSSL 1.1.1h support for TLS 1.3.
    OpenSSL 1.1.1h with FIPS module support.
    Postfix 3.5.6 support for TLSv1.3
    Nginx 1.19.0 support for TLSv1.3

Zimbra 9.0.0 “Kepler” Patch 13

Patch 13 is here for the Zimbra 9.0.0 “Kepler” GA release, and it
includes Security Fixes, What’s New, Fixed Issues and Known Issues as
listed in the release notes.

Please refer to the release notes for Zimbra 9.0.0 Patch 13 installation
on Red Hat and Ubuntu platforms.


Zimbra 8.8.15 “James Prescott Joule” Patch 20

Patch 20 is here for the Zimbra 8.8.15 “James Prescott Joule” GA
release, and it includes Security Fixes, What’s New, Fixed Issues and
Known Issues as listed in the release notes.

Please refer to the release notes for Zimbra 8.8.15 Patch 20
installation on Red Hat and Ubuntu platforms.


Take care and thanks,
Your Zimbra Team


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================





