
=====================================================================

                               CERT-Renater

                    Information Note No. 2021/VULN628
_____________________________________________________________________

DATE                : 25/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Zimbra versions prior to
                          9.0.0 Patch 21, 8.8.15 Patch 28.

=====================================================================
https://blog.zimbra.com/2021/11/new-zimbra-patches-9-0-0-patch-21-and-8-8-15-patch-28/
_____________________________________________________________________

NEW Zimbra Patches: 9.0.0 Patch 21 + 8.8.15 Patch 28
by Urvi Mehta on November 22, 2021


Zimbra Patch Alert

Hello Zimbra Friends, Customers & Partners,

Zimbra 9.0.0 “Kepler” Patch 21 and 8.8.15 “James Prescott Joule” Patch
28 are here.

Security Recommendation

Zimbra strongly recommends that you review whether the Proxy Servlet is
configured to allow a particular host (via the zimbraProxyAllowedDomains
configuration setting on each class of service). Please make sure:

- Each entry in zimbraProxyAllowedDomains is a safe and trusted host.
- There are NO wild card entries like *.webex.com. Instead use specific
  hosts like example.webex.com.

Zimbra 9.0.0 is now fully supported on Ubuntu 20 (GA).

Download the latest Ubuntu 20 binaries from https://www.zimbra.com/downloads

Apache has been upgraded from 2.4.46 to 2.4.51.


Security Fixes

Summary           : Upgraded Apache to 2.4.51 to avoid multiple
                    vulnerabilities.
CVE-ID            : CVE-2021-30641, CVE-2020-35452
CVSS Score        : 7.3
Zimbra Rating     : High
Fix Patch Version : 9.0.0 P21, 8.8.15 P28


Zimbra 9.0.0 “Kepler” Patch 21

Patch 21 is here for the Zimbra 9.0.0 “Kepler” GA release, and it
includes What’s New, Fixed Issues and Known Issues as listed in the
release notes. Please refer to the release notes for Zimbra 9.0.0 Patch
21 installation on Red Hat and Ubuntu platforms.


Zimbra 8.8.15 “James Prescott Joule” Patch 28

Patch 28 is here for the Zimbra 8.8.15 “James Prescott Joule” GA 
release, and it includes What’s New, Fixed Issues and Known Issues as 
listed in the release notes. Please refer to the release notes for 
Zimbra 8.8.15 Patch 28 installation on Red Hat and Ubuntu platforms.

Note:

For Zimbra 8.8.8 and above, you don’t need to download any patch builds.
The patch packages can be installed using Linux package management
commands.

You cannot revert to the previous ZCS release after you upgrade to the
patch.


Take care and thanks,
Your Zimbra Team

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

