Latest downloads are now available:

Network Edition Downloads

Open Source Edition Downloads

The releases of ZCS 6.0.9 and 5.0.25 address a recently announced OpenSSL security vulnerability and fix:

TLS extension parsing race condition

The CVE notification is here:
CVE - CVE-2010-3864 (under review)

Due to the number of ZCS components where OpenSSL is used, this is a full release and not a patch. Zimbra considers this release critical for any site allowing TLS and SSL connections from the Internet.

You are strongly encouraged to update to one of these versions at the first possible opportunity, if you are allowing SSL/TLS connections from untrusted sources (i.e., the Internet) on any protocol directly to any ZCS component.

The 6.0.9 also includes the following bug fixes:

ID Sev Summary
45030 cri Wrong attachment after saving draft on child account
51898 cri ical/webdav allows unrestricted GAL query - no current ability to deny this
50191 cri error HTTP 500 on shared notebooks in zcs 6.0.8 when not in English
53002 cri OpenSSL security vulnerability
51328 cri LDAP connection leak
52279 maj Cannot compose email on first try
52695 maj Chrome : delegatees cannot open shared calendar invitation email
51092 maj unable to set message size limit for IMAP
49987 maj Workaround for iCal 4 sending cancellations to all attendees
when one attendee is removed
50398 maj Invitations with empty CN field result
50517 maj HSM NPE when revisions are stored on multiple volumes
49624 maj Appointment doesnt show the details in Calendar (after it was
50785 nor Delegated admin loses "List Name" Field
52580 nor zimbraFeatureMailEnabled set to false unable to create new
50156 nor zimbra.log not logged to after log rotation on UBUNTU10_64
50174 nor UB10: Clamav unnecessarily depends on libtool
53409 nor Special 6.0.9 ZCO
51175 nor Use negative domain cache for domain lookup by virtual host
50251 nor Deleting messages does not remove them from message list view
47488 nor Preemptive auth incorrectly applied to http requests
50419 nor UserServlet basic auth challenge is not working
49412 nor zmmailbox modifyFolderGrant bug with all
52438 nor http acceptor becomes unresponsive - Socket operation on
49717 nor Same blob is added twice to the blobs zip file during backup,
causing error during restore
50953 nor malformed appointment disrupts iCal sync
53096 nor Upgrade to JDK 1.6u22
51005 nor Calendar sync inconsistent on iPhone 4
50603 nor When emptying large folder, batch size ignores zimbraMailEmptyFolderBatchSize
47361 enh support for SLES11 SP1

Version 5.0.25 only contains one bug fixed:

53002 cri OpenSSL security vulnerability