=====================================================================
CERT-Renater Information Note No. 2025/VULN371
_____________________________________________________________________

DATE : 18/06/2025

HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Zimbra versions prior to 9.0.0 Patch 46, 10.0.15, 10.1.9.
=====================================================================

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://blog.zimbra.com/2025/06/emergency-patch-release-zimbra-daffodil-10-1-9-10-0-15-and-zimbra-9-0-0-p46/
_____________________________________________________________________

Bug#  Summary                                                       CVE-ID          CVSS Score  Zimbra Rating  Fix Release or Patch Version      Reporter
----  ------------------------------------------------------------  --------------  ----------  -------------  --------------------------------  --------
      Addressed a denial of service (DoS) vulnerability in the                                  -              9.0.0 Patch 46, 10.0.15, 10.1.9
      admin console that could lead to service disruptions.
      This patch fixes a critical security vulnerability related    CVE-2025-27915  TBD         -              9.0.0 Patch 46, 10.0.15, 10.1.9
      to stored cross-site scripting in the Zimbra Classic Web
      Client. The fix strengthens input sanitization and enhances
      security. All customers are strongly advised to upgrade to
      this latest patch version immediately.
_____________________________________________________________________

Emergency Patch Release: Zimbra Daffodil 10.1.9, 10.0.15 and Zimbra 9.0.0 P46
By Yasuko Komiyama on June 18, 2025 in Product Updates

Patch Security Severity: High
Deployment Risk: Low

This patch updated on June 18, 2025 focuses on essential security fixes for the following editions:
  - Zimbra Daffodil 10.1.9 (Release Notes)
  - Zimbra Daffodil 10.0.15 (Release Notes)
  - 9.0.0 P46 (Release Notes)

Security Fix – 10.1.9, 10.1.15, 9.0.0 P46
  - Addressed an XSS attack with ICS file in Classic UI
  - Addressed a denial of service (DoS) vulnerability on Admin Console

Please note that this is the final patch release for:
  - Zimbra Collaboration 9.0.0 P46 before its End of Life (EOL) on June 30, 2025
  - Zimbra Daffodil v. 10.0.x, set to reach End of General Support on June 30, 2025
After this date, no further updates will be provided to the 10.0.x and 9.0 editions.

We're Here to Support Your Migration

We strongly recommend upgrading to a supported version like Zimbra Daffodil 10.1 to maintain security, performance, and access to our dedicated support. We're here to help make this transition as smooth as possible:
  - Migration Guides: Access comprehensive resources to guide your upgrade.
  - Personalized Assistance: Need a hand? Our team is ready to assist you.

To ensure you benefit from the most secure and advanced solutions, please note the upcoming product lifecycle updates for the following Zimbra editions:

Upgrade Documents
  Non-NG setup
    - In-Place Upgrade Guide (Single and Multi-Node setup)
    - Rolling-Upgrade Guide (Multi-Node setup)
  NG setup – For 9.0.0, 8.8.15 (Network and FOSS)
    - In-Place Upgrade Multi-Node | In-Place Upgrade Single-Node
    - Rolling Upgrade Multi-Node | Rolling Upgrade Single-Node

For assistance during this transition, contact Zimbra Support. Zimbra Daffodil 10.1 is the active and supported version.
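As an added example (not part of the CERT-Renater note or of Zimbra's own tooling), the following Python check classifies Zimbra version strings against the fixed releases listed in the advisory (9.0.0 Patch 46, 10.0.15, 10.1.9), so an operator can run it over a host inventory to find installations still exposed. The version-string formats it parses ("10.1.8", "9.0.0 Patch 46", "9.0.0_P45", or a longer release string such as "Release 10.1.8_GA_1234.FOSS"), the sample inventory lines, and the decision to report branches the advisory does not list (for example 8.8.15) as out of support are all assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases taken from the advisory, keyed by branch "major.minor".
# Tuples are (major, minor, micro, patch); the 9.0.0 branch is fixed by "Patch 46".
FIXED_RELEASES: Dict[str, Tuple[int, int, int, int]] = {
    "10.1": (10, 1, 9, 0),
    "10.0": (10, 0, 15, 0),
    "9.0": (9, 0, 0, 46),
}

# Matches "10.1.8", "9.0.0 Patch 46", "9.0.0_P45" or "Release 10.1.8_GA_1234.FOSS"
# (these input formats are assumed for the example, not taken from the advisory).
VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)(?:[\s_]*P(?:atch)?[\s_]*(\d+))?", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Extract (major, minor, micro, patch) from a version string; patch defaults to 0."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Zimbra version found in {text!r}")
    major, minor, micro = (int(match.group(i)) for i in (1, 2, 3))
    patch = int(match.group(4)) if match.group(4) else 0
    return (major, minor, micro, patch)


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported-branch' for one version string."""
    version = parse_version(text)
    branch = f"{version[0]}.{version[1]}"
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        # Branches the advisory does not list receive no fix at all; reporting
        # them separately (rather than as "patched") is this example's assumption.
        return "unsupported-branch"
    # Tuple comparison orders (major, minor, micro, patch) lexicographically.
    return "patched" if version >= fixed else "vulnerable"


def assess_inventory(lines: List[str]) -> Dict[str, str]:
    """Map each 'host<TAB>version' inventory line to its patch status."""
    result: Dict[str, str] = {}
    for line in lines:
        host, _, version = line.partition("\t")
        result[host] = assess(version)
    return result


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    "mail1.example.test\tRelease 10.1.8_GA_1234.FOSS",
    "mail2.example.test\t10.1.9",
    "legacy1.example.test\t9.0.0 Patch 45",
    "legacy2.example.test\t9.0.0_P46",
    "old.example.test\t8.8.15_P46",
]

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:25} {status}")
```

Only hosts reported as "patched" are on a release at or above the fixed version for their branch; "unsupported-branch" hosts have no fix available and need a branch upgrade, consistent with the end-of-support dates the advisory gives for 9.0.x and 10.0.x.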
CentOS/RHEL 7 OS and Oracle Linux 7

It is equally important to install operating system security updates and have Zimbra run on supported operating systems. After July 1, 2025, RHEL/CentOS 7 and Oracle Linux 7 will no longer be supported for Zimbra. We recommend upgrading to RHEL/Rocky/Oracle Linux 9. If you have questions or need guidance with upgrading your operating system, please open a support case through Zimbra Support.

=========================================================
+ CERT-RENATER       | tel   : 01-53-94-20-44          +
+ 23/25 Rue Daviel   | fax   : 01-53-94-20-41          +
+ 75013 Paris        | email : cert@support.renater.fr +
=========================================================