Zimbra has released a hotfix for the Zimbra zero-day exploit. If you are running Zimbra 8.8.15 on Ubuntu 16.04 or newer, or on CentOS 7/RHEL 7 or newer, you can patch simply by running apt update or yum update.
Unfortunately, the new patch is not available for Zimbra 8.8.15 on Ubuntu 14 or CentOS 6. The last patch level published for Ubuntu 14 and CentOS 6 is Patch 28. Fortunately, you can apply the fix manually using the script created by JDunphy here.
Here is how I use that script for manual patching:
# Update Patch
Make sure you have already updated to the latest available patch level (Patch 28) before going further.
On Ubuntu:
apt update -y && apt upgrade -y
On CentOS:
yum update -y && yum upgrade -y
# Backup File
mkdir -p /srv/ai/Patch30
cp /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag /srv/ai/Patch30/
cp /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag /srv/ai/Patch30/
# Download Patch Script
curl -k https://raw.githubusercontent.com/imanudin11/script/master/xss-zeroDay.sh > /srv/ai/Patch30/xss-zeroDay.sh
chmod +x /srv/ai/Patch30/xss-zeroDay.sh
/srv/ai/Patch30/xss-zeroDay.sh
Note that -k disables TLS certificate verification. Only keep it if the old CA bundle on these EoL systems really cannot validate raw.githubusercontent.com, and in any case read the downloaded script before executing it, since it runs with whatever privileges you give it.
# Compare file (before and after manual patch)
diff /srv/ai/Patch30/multiDay.tag /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag
Run the same diff for monthView.tag. If either file shows no differences, the script did not change it and you should not assume you are patched.
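The steps above gathered into one script, as an added example that is not code from the original post and not the patch script by JDunphy or imanudin11. It verifies the backup with a checksum manifest, fetches the patch script over verified TLS (no -k) and only prints its digest instead of executing it, and afterwards checks that both tag files actually changed. The paths and URL are the ones used in the post; TAG_DIR, BACKUP_DIR, the TAG_FILES list and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post or the patch script's author):
# safer wrapper around the manual Patch 30 procedure for Zimbra 8.8.15 on
# Ubuntu 14 / CentOS 6. Paths and URL are the ones in the post; variable and
# function names are assumptions made for this example.
set -eu

TAG_DIR="${TAG_DIR:-/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar}"
BACKUP_DIR="${BACKUP_DIR:-/srv/ai/Patch30}"
PATCH_URL="https://raw.githubusercontent.com/imanudin11/script/master/xss-zeroDay.sh"
TAG_FILES="multiDay.tag monthView.tag"

# Copy each tag file into the backup dir and record its SHA-256 in a manifest,
# then verify the manifest so a half-written backup is caught immediately.
backup_tags() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  : > "$dest/SHA256SUMS"
  for f in $TAG_FILES; do
    [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    cp -p "$src/$f" "$dest/$f"
    (cd "$dest" && sha256sum "$f" >> SHA256SUMS)
  done
  (cd "$dest" && sha256sum -c SHA256SUMS > /dev/null)
}

# Download the patch script with certificate verification on (no -k), make it
# readable only by the owner and print its digest. It is NOT executed here:
# the operator reviews it first and runs it by hand.
fetch_script() {
  dest="$1"
  curl -fsSL "$PATCH_URL" -o "$dest/xss-zeroDay.sh"
  chmod 0700 "$dest/xss-zeroDay.sh"
  sha256sum "$dest/xss-zeroDay.sh"
}

# Return 0 if every tag file now differs from its backup (patch applied),
# 1 if any file is byte-identical (the script changed nothing there).
tags_changed() {
  src="$1"; backup="$2"; rc=0
  for f in $TAG_FILES; do
    if cmp -s "$backup/$f" "$src/$f"; then
      echo "$f unchanged after patch" >&2
      rc=1
    fi
  done
  return $rc
}

# Roll back to the backup, after checking the backup still matches its manifest.
restore_tags() {
  src="$1"; backup="$2"
  (cd "$backup" && sha256sum -c SHA256SUMS > /dev/null)
  for f in $TAG_FILES; do
    cp -p "$backup/$f" "$src/$f"
  done
}

main() {
  backup_tags "$TAG_DIR" "$BACKUP_DIR"
  fetch_script "$BACKUP_DIR"
  echo "Backup verified in $BACKUP_DIR. Review $BACKUP_DIR/xss-zeroDay.sh, run it,"
  echo "then run: $0 --verify   (or $0 --restore to roll back)"
}

case "${1:-}" in
  --apply)   main ;;
  --verify)  tags_changed "$TAG_DIR" "$BACKUP_DIR" && echo "both tag files changed" ;;
  --restore) restore_tags "$TAG_DIR" "$BACKUP_DIR" && echo "restored from $BACKUP_DIR" ;;
esac
```

Usage: `sh patch30.sh --apply` takes the backup and fetches the script, you read and run the script yourself, then `sh patch30.sh --verify` confirms both tag files changed; `--restore` puts the originals back if the patched web client misbehaves. Without an argument the script only defines its functions, which is what lets it be tested against throwaway directories.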
Congratulations, your Zimbra is now patched.
Good luck 🙂
After executing the update, some Zimbra services do not work for me. The services that do not start are amavis, antispam and antivirus. Could you help me?
Please check the error log in zimbra.log to see the problem.
Hi there, does this only apply to Ubuntu 16? Currently I have it on Ubuntu 18, or would it matter?
For Ubuntu 16 and later, just run the command apt update -y && apt upgrade -y. This article is for Ubuntu 14 or CentOS 6, which no longer receive patches.
Thanks for the reply, so I can patch it manually? Also, sometimes running apt upgrade damages packages.
Yes, you can patch it manually. Please take a backup before running the patch.
Hi, is it possible to install the latest patch rpm's for CentOS 6 locally (yum localinstall xxx-patch31.rpm)?
It is not possible. CentOS 6 has reached EoL.