Kopano version 8.5.8 provides an important fix for two critical CVE's (CVE-2018-8950 and CVE-2018-8951). Kopano 8.7.x is an upgrade to 8.5.8.
Unfortunately, Kopano's recommend upgrade process to patch these vulnerabilities makes it difficult to automatically deploy these packages via the regular ClearOS update process.
You can read more about the Kopano upgrade here.
If you are running Kopano on ClearOS 7, it is likely version 8.4.5. You will need to upgrade to Kopano 8.7.5 (2019-12-11).
grep mysql_database /etc/kopano/server.cfg
For this article we'll call the mysql_database you find DATABASE. Most of the instructions are common using the DATABASE parameter. The mysql user is the same as the DATABASE.
Stop any incoming mail…close your firewall, port 25 from Webconfig. New mail coming in will usually attempt re-delivery so you won't lose any messages.
systemctl stop kopano-server kopano-gateway kopano-dagent
If you don't have an up to date backup of the database, now is a good time to start.
Get the Kopano database password:
[root@system]# cat /var/clearos/system_database/kopano
Then dump the database:
[root@system]# /usr/clearos/sandbox/usr/bin/mysqldump -ukopano -p"xxx" kopano > /tmp/kopano.dmp
Where xxx is the password retrieved from the first step.
Get the Kopano database password:
[root@system]# cat /var/clearos/system_database/zarafa
Then dump the database:
[root@system]# /usr/clearos/sandbox/usr/bin/mysqldump -uzarafa -p"xxx" zarafa > /tmp/kopano.dmp
Where xxx is the password retrieved from the first step.
yum upgrade *kopano* --enablerepo=clearos-paid-testing
Login to the system database using the “xxx” password obtained above.
/usr/clearos/sandbox/usr/bin/mysql -ukopano -p"xxx" kopano
/usr/clearos/sandbox/usr/bin/mysql -uzarafa -p"xxx" zarafa
Run:
MariaDB> SELECT MAX(id) from names;
If this returns a value of 31485 or higher, there are too many entries and the database needs to be cleaned.
Run:
MariaDB> select namestring, count(*) as c from names group by guid,nameid,namestring having c>=2;
If this returns any row(s), the database is inconsistent and needs to be cleaned.
Exit MariaDB:
MariaDB [kopano]> quit
If either of the two cases indicate areas for concern, run from the command line:
kopano-dbadm np-stat kopano-dbadm k-1216
If you have any issues, check Kopano's troubleshooting guide.
Check that following cfg files exist in /etc/kopano:
gateway.cfg ical.cfg ldap.cfg presence.cfg search.cfg server.cfg spooler.cfg
If any are missing, you must run the upgrade script below.
Run the following script to fix systemctl unit files for Kopano:
/usr/clearos/apps/kopano/deploy/upgrade
This should be unnecessary as it has already run as part of the yum upgrade, but let's do it anyway.
Run:
systemctl restart kopano-dagent kopano-server kopano-gateway kopano-ical kopano-monitor kopano-spooler kopano-search httpd
Re-Open Port 25 on your firewall to allow new mail to come in.
Unfortunately, if you are running Zarafa on ClearOS 6, you have no alternative to patch these vulnerabilities other than upgrading to ClearOS 7 and Kopano.
Follow the upgrading 6 to 7 knowledge base article here.
If you on ClearOS 7, an upgrade to Kopano will work. Follow the Zarafa to Kopano upgrade documentation here.
This can be an issue for ex-Zarafa users. If you see an error message performing the upgrade:
Transaction check error: file /usr/lib64/libxapian.so.22 from install of xapian-core-libs-1.2.22-1.el7.x86_64 conflicts with file from package libxapian22-1.2.21-1.7.x86_64
Please do an:
rpm -e libxapian22 --nodeps
Do not use “yum” to uninstall.
If you see an installation error referencing libtcmalloc.so.4 blocking the upgrade, please do an:
rpm -e --nodeps libtcmalloc4
The installation should proceed and you should notice gperftools-libs being installed from the centos repos.
Do not use “yum” to uninstall.
Please check you fully completed the Zarafa to Kopano Upgrade instructions so you have removed all zarafa* packages and disabled the Zarafa repos. You can check with:
rpm -qa | grep zarafa
The only zarafa package you should have is zarafa-z-push.
If Outlook shows the black warning triangle and “Disconnected” in the status bar, please check the log file /var/log/z-push/z-push-error.log. If you see errors like:
08/10/2019 13:20:35 [ 4610] [FATAL] [test] Fatal error: /usr/share/zarafa-z-push/lib/utils/utils.php:1144 - Call to undefined function mb_detect_encoding() (1)
Please install php-mbstring and php-soap with a:
yum install php-mbstring php-soap -y systemctl restart httpd