[Users] Zimbra 8.8.8 Patch 1 release - Seems to break FOSS only servers

Barry de Graaff info at barrydegraaff.tk
Fri Apr 13 09:13:30 CEST 2018 

Hello Tony and Phil, 

It seems the patch 8.8.8 p1 is distributed via the repos. 

It does NOT seem to work if one runs a FOSS only server (aka without Zextras). 

I am addressing Phil as there is a CVE 5.8 Major security fix in the patch. 

[root at zimbra1 ~]# yum update -y 
Loaded plugins: fastestmirror, langpacks 
Loading mirror speeds from cached hostfile 
* base: centos.mirror.triple-it.nl 
* epel: mirror.1000mbps.com 
* extras: mirror.denit.net 
* updates: mirror.prolocation.net 
Resolving Dependencies 
--> Running transaction check 
---> Package zimbra-chat.x86_64 0:1.0.13.1521626727-2.r7 will be obsoleted 
---> Package zimbra-common-core-jar.x86_64 0:1.0.0.1521707697-1.r7 will be updated 
---> Package zimbra-common-core-jar.x86_64 0:1.0.0.1522952748-1.r7 will be an update 
---> Package zimbra-mbox-conf.x86_64 0:1.0.0.1521707697-1.r7 will be updated 
---> Package zimbra-mbox-conf.x86_64 0:1.0.0.1522952748-1.r7 will be an update 
---> Package zimbra-mbox-service.x86_64 0:1.0.0.1521707697-1.r7 will be updated 
---> Package zimbra-mbox-service.x86_64 0:1.0.0.1522952748-1.r7 will be an update 
---> Package zimbra-mbox-war.x86_64 0:1.0.0.1521707697-1.r7 will be updated 
---> Package zimbra-mbox-war.x86_64 0:1.0.0.1522952748-1.r7 will be an update 
---> Package zimbra-mbox-webclient-war.x86_64 0:1.0.0.1521723166-1.r7 will be updated 
---> Package zimbra-mbox-webclient-war.x86_64 0:1.0.0.1523095946-1.r7 will be an update 
---> Package zimbra-talk.x86_64 0:1.0.3.1523266296-1.r7 will be obsoleting 
--> Processing Dependency: zimbra-network-modules-ng >= 1.0.14 for package: zimbra-talk-1.0.3.1523266296-1.r7.x86_64 
--> Running transaction check 
---> Package zimbra-network-modules-ng.x86_64 0:1.0.14.1522918190-1.r7 will be installed 
--> Processing Dependency: zimbra-network-store >= 8.8.8 for package: zimbra-network-modules-ng-1.0.14.1522918190-1.r7.x86_64 
--> Finished Dependency Resolution 
Error: Package: zimbra-network-modules-ng-1.0.14.1522918190-1.r7.x86_64 (zimbra-888-patch) 
Requires: zimbra-network-store >= 8.8.8 
You could try using --skip-broken to work around the problem 
You could try running: rpm -Va --nofiles --nodigest 

[root at zimbra1 ~]# su zimbra 
[zimbra at zimbra1 root]$ zmcontrol -v 
Release 8.8.8_GA_2009.RHEL7_64_20180322150747 RHEL7_64 FOSS edition. 

This is a FOSS only server, and should not fetch zimbra-network-modules-ng. 


Funny thing is, that on a FOSS server with Zextras installed, it does work: 
[root at mail ~]# yum update -y 
Loaded plugins: fastestmirror 
Loading mirror speeds from cached hostfile 
* base: mirrors.centos.webair.com 
* epel: mirror.math.princeton.edu 
* extras: mirrors.centos.webair.com 
* updates: mirrors.tripadvisor.com 
Resolving Dependencies 
--> Running transaction check 
---> Package zimbra-common-core-jar.x86_64 0:1.0.0.1521707697-1.r7 will be updated 
---> Package zimbra-common-core-jar.x86_64 0:1.0.0.1522952748-1.r7 will be an update 
---> Package zimbra-mbox-conf.x86_64 0:1.0.0.1521707697-1.r7 will be updated 
---> Package zimbra-mbox-conf.x86_64 0:1.0.0.1522952748-1.r7 will be an update 
---> Package zimbra-mbox-service.x86_64 0:1.0.0.1521707697-1.r7 will be updated 
---> Package zimbra-mbox-service.x86_64 0:1.0.0.1522952748-1.r7 will be an update 
---> Package zimbra-mbox-war.x86_64 0:1.0.0.1521707697-1.r7 will be updated 
---> Package zimbra-mbox-war.x86_64 0:1.0.0.1522952748-1.r7 will be an update 
---> Package zimbra-mbox-webclient-war.x86_64 0:1.0.0.1521723166-1.r7 will be updated 
---> Package zimbra-mbox-webclient-war.x86_64 0:1.0.0.1523095946-1.r7 will be an update 
--> Finished Dependency Resolution 

Dependencies Resolved 

================================================================================ 
Package Arch Version Repository Size 
================================================================================ 
Updating: 
zimbra-common-core-jar x86_64 1.0.0.1522952748-1.r7 zimbra-888-patch 13 M 
zimbra-mbox-conf x86_64 1.0.0.1522952748-1.r7 zimbra-888-patch 35 k 
zimbra-mbox-service x86_64 1.0.0.1522952748-1.r7 zimbra-888-patch 3.7 k 
zimbra-mbox-war x86_64 1.0.0.1522952748-1.r7 zimbra-888-patch 21 M 
zimbra-mbox-webclient-war x86_64 1.0.0.1523095946-1.r7 zimbra-888-patch 24 M 

Transaction Summary 
================================================================================ 
Upgrade 5 Packages 

Total download size: 59 M 
Downloading packages: 
Delta RPMs disabled because /usr/bin/applydeltarpm not installed. 
(1/5): zimbra-mbox-conf-1.0.0.1522952748-1.r7.x86_64.rpm | 35 kB 00:00 
(2/5): zimbra-mbox-service-1.0.0.1522952748-1.r7.x86_64.rp | 3.7 kB 00:00 
(3/5): zimbra-common-core-jar-1.0.0.1522952748-1.r7.x86_64 | 13 MB 00:01 
(4/5): zimbra-mbox-war-1.0.0.1522952748-1.r7.x86_64.rpm | 21 MB 00:02 
(5/5): zimbra-mbox-webclient-war-1.0.0.1523095946-1.r7.x86 | 24 MB 00:02 
-------------------------------------------------------------------------------- 
Total 13 MB/s | 59 MB 00:04 
Running transaction check 
Running transaction test 
Transaction test succeeded 
Running transaction 
Warning: RPMDB altered outside of yum. 
Updating : zimbra-common-core-jar-1.0.0.1522952748-1.r7.x86_64 1/10 
Updating : zimbra-mbox-war-1.0.0.1522952748-1.r7.x86_64 2/10 
Updating : zimbra-mbox-conf-1.0.0.1522952748-1.r7.x86_64 3/10 
Updating : zimbra-mbox-service-1.0.0.1522952748-1.r7.x86_64 4/10 
Updating : zimbra-mbox-webclient-war-1.0.0.1523095946-1.r7.x86_64 5/10 
Cleanup : zimbra-mbox-service-1.0.0.1521707697-1.r7.x86_64 6/10 
Cleanup : zimbra-mbox-war-1.0.0.1521707697-1.r7.x86_64 7/10 
Cleanup : zimbra-mbox-conf-1.0.0.1521707697-1.r7.x86_64 8/10 
Cleanup : zimbra-common-core-jar-1.0.0.1521707697-1.r7.x86_64 9/10 
Cleanup : zimbra-mbox-webclient-war-1.0.0.1521723166-1.r7.x86_64 10/10 
Verifying : zimbra-mbox-conf-1.0.0.1522952748-1.r7.x86_64 1/10 
Verifying : zimbra-mbox-war-1.0.0.1522952748-1.r7.x86_64 2/10 
Verifying : zimbra-mbox-service-1.0.0.1522952748-1.r7.x86_64 3/10 
Verifying : zimbra-mbox-webclient-war-1.0.0.1523095946-1.r7.x86_64 4/10 
Verifying : zimbra-common-core-jar-1.0.0.1522952748-1.r7.x86_64 5/10 
Verifying : zimbra-mbox-webclient-war-1.0.0.1521723166-1.r7.x86_64 6/10 
Verifying : zimbra-mbox-war-1.0.0.1521707697-1.r7.x86_64 7/10 
Verifying : zimbra-mbox-service-1.0.0.1521707697-1.r7.x86_64 8/10 
Verifying : zimbra-common-core-jar-1.0.0.1521707697-1.r7.x86_64 9/10 
Verifying : zimbra-mbox-conf-1.0.0.1521707697-1.r7.x86_64 10/10 

Updated: 
zimbra-common-core-jar.x86_64 0:1.0.0.1522952748-1.r7 
zimbra-mbox-conf.x86_64 0:1.0.0.1522952748-1.r7 
zimbra-mbox-service.x86_64 0:1.0.0.1522952748-1.r7 
zimbra-mbox-war.x86_64 0:1.0.0.1522952748-1.r7 
zimbra-mbox-webclient-war.x86_64 0:1.0.0.1523095946-1.r7 

Complete! 
[root at mail ~]# su zimbra 
[zimbra at mail root]$ zmcontrol restart 

Good thing it's Friday! 

Kind regards, 

Barry de Graaff 
Zeta Alliance 
Co-founder & Developer 
zetalliance.org | github.com/Zimbra-Community 

+31 617 220 227 | skype: barrydegraaff.tk 
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0 


From: "L Mark Stone" <lmstone at lmstone.com> 
To: "Randy Leiker" <randy at skywaynetworks.com>, users at lists.zetalliance.org, "Tony Publiski" <tonster at tonster.com> 
Sent: Friday, April 13, 2018 2:03:48 AM 
Subject: Re: [Users] Zimbra 8.8.8 Patch 1 release 



On a single Zimbra 8.8.8 server, a number of the Zimbra packages today were given updates that I installed prior to installing the patch, FWIW. 




Not sure how/if they are connected? 










Start-Date: 2018-04-12 18:40:46 


Commandline: apt-get dist-upgrade 


Upgrade: zimbra-mbox-service:amd64 (1.0.0.1521707697-1.u16, 1.0.0.1522952748-1.u16) , plymouth-theme-ubuntu-text:amd64 (0.9.2-3ubuntu13.3, 0.9.2-3ubuntu13.4), zimbra-mbox-conf:amd64 (1.0.0.1521707697-1.u16, 1.0.0.1522952748-1.u16) , libplymouth4:amd64 (0.9.2-3ubuntu13.3, 0.9.2-3ubuntu13.4), apport:amd64 (2.20.1-0ubuntu2.15, 2.20.1-0ubuntu2.16), zimbra-talk:amd64 (1.0.2.1521642559-1.u16, 1.0.3.1523266296-1.u16) , python3-apport:amd64 (2.20.1-0ubuntu2.15, 2.20.1-0ubuntu2.16), zimbra-mbox-war:amd64 (1.0.0.1521707697-1.u16, 1.0.0.1522952748-1.u16) , plymouth:amd64 (0.9.2-3ubuntu13.3, 0.9.2-3ubuntu13.4), zimbra-common-core-jar:amd64 (1.0.0.1521707697-1.u16, 1.0.0.1522952748-1.u16), zimbra-network-modules-ng:amd64 (1.0.13+1521603981-1.u16, 1.0.14.1522918190-1.u16) , python3-problem-report:amd64 (2.20.1-0ubuntu2.15, 2.20.1-0ubuntu2.16), zimbra-mbox-webclient-war:amd64 (1.0.0.1521723166-1.u16, 1.0.0.1523095946-1.u16) 


End-Date: 2018-04-12 18:41:17 





Start-Date: 2018-04-12 18:44:25 


Commandline: apt-get install zimbra-patch 


Install: zimbra-patch:amd64 (8.8.8.1.1522961836-1.u16) 


End-Date: 2018-04-12 18:44:32 














_________________________________________________ 

Another Message From... L. Mark Stone 








From: Users <users-bounces at lists.zetalliance.org> on behalf of Tony Publiski <tonster at tonster.com> 
Sent: Thursday, April 12, 2018 7:09 PM 
To: Randy Leiker; users at lists.zetalliance.org 
Subject: Re: [Users] Zimbra 8.8.8 Patch 1 release 
I haven't actually looked at what's fixed in this patch, however *most* of the time you don't need to ever patch anything but the store server, so really I wouldn't even both with the other nodes. Yes, the zimbra-common-core-jar package is used by zmprov, and thus exists on all nodes, however it's almost certain that nothing patched affects the non-mailbox server nodes. The former patch would, of course, run on all nodes, but only actually copied files based on what services were installed, and I can't remember a patch I was involved in actually patching anything on non-store nodes. 

Tony 

------ Original Message ------ 
From: "Randy Leiker" < [ mailto:randy at skywaynetworks.com | randy at skywaynetworks.com ] > 
To: [ mailto:users at lists.zetalliance.org | 
users at lists.zetalliance.org ] 
Sent: 4/12/2018 7:03:31 PM 
Subject: [Users] Zimbra 8.8.8 Patch 1 release 


BQ_BEGIN

Hi Everyone, 

Today Zimbra 8.8.8 Patch 1 was released as GA: [ https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 | https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ] 

One of the bug fixes included (35115) helps with the Zimbra High Availability open source project I've been working on developing. I'll be publishing the initial reference designs for that project very soon on its own web site. In the meantime, I deployed 8.8.8 patch 1 to begin testing in my lab environment which is running CentOS 7, with ZCS 8.8.8. The install instructions as written in the release notes for Red Hat/CentOS servers ( [ https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1#Install_the_Patch | https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1#Install_the_Patch ] ) work fine if you're running a single server install of ZCS. But, if you're running a multi-node install of ZCS, the patch install instructions in the release notes are inaccurate. 

In my lab environment, I have the following ZCS nodes provisioned: 


    * 2 x LDAP MMR nodes 
    * 2 x MTA nodes 
    * 2 x Proxy nodes 
    * 2 x Mailbox nodes 
If you attempt to follow the install instructions for the patch with a similar ZCS multi-node environment as noted above, you'll see a dependency failure in Yum that will prevent the patch from installing: 

Error: Package: zimbra-patch-8.8.8.1.1522961836-1.r7.x86_64 (zimbra-888-patch) 
Requires: zimbra-store >= 8.8.8 
You could try using --skip-broken to work around the problem 
You could try running: rpm -Va --nofiles --nodigest 

This occurs because the zimbra-store package isn't installed on all of the ZCS nodes. I nstead, what you'll need to do is on your LDAP, MTA, and Proxy nodes, or essentially any ZCS node where the zimbra-store package is NOT installed, simply run these commands: 


    * As the root user: 
        * yum upgrade (upgrades the zimbra-common-core-jar package) 
    * As the zimbra user: 
        * zmcontrol restart 
Then, on your ZCS mailbox nodes (where the zimbra-store package is installed), follow the install instructions as written in the 8.8.8 Patch 1 release notes. 

When you get to the section in the release notes that advises running: 


    * yum install zimbra-network-modules-ng 
    * yum install zimbra-chat OR yum install zimbra-talk 
If you've already upgraded to 8.8.8, which would of course be the case if you're trying to install patch 1, the 8.8.8 install process uninstalls the zimbra-chat package & replaces it with zimbra-talk, so you only need to run: 


    * As the root user: 
        * yum install zimbra-network-modules-ng 
        * yum install zimbra-talk 
    * As the zimbra user: 
        * zmmailboxdctl restart 
Otherwise, all of the ZCS services appeared to start successfully following the install of Patch 1. I wasn't able to test it within my Zimbra lab environment, but I suspect the Ubuntu install instructions in the release notes need a similar clarification for multi-node ZCS installs. 


Randy Leiker ( [ mailto:randy at skywaynetworks.com | randy at skywaynetworks.com ] ) 
Skyway Networks, LLC 
1.800.538.5334 / 913.663.3900 Ext. 100 
[ http://www.skywaynetworks.com/ | https://www.skywaynetworks.com ] 


BQ_END


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zetalliance.org/pipermail/users_lists.zetalliance.org/attachments/20180413/bd885bb3/attachment.html>

More information about the Users mailing list