Zulip 1.7.1 security (+ Korean!) release

Greg Price

Today we’re releasing Zulip Server 1.7.1. This is a security release, containing just a handful of cherry-picked changes since 1.7.0.

To readers in the US: happy Thanksgiving! We generally avoid making a security release just before a major holiday, but we’ve made an exception in this case because the issue only affects a few sites.

What’s new

  • This release fixes CVE-2017-0910: On a server with multiple realms, a vulnerability in the invitation system allowed an authorized user of one realm to create an account on any other realm. (Thanks to Vishnu Ks for reporting and fixing this issue.)
  • We’ve updated to the latest translated strings for the Zulip user interface, in all languages. We’re especially happy with the progress in the Korean translation, from almost nothing in 1.7.0 to 100% complete in 1.7.1. The French translation is now nearly complete, and several other languages have smaller updates.
  • We’ve fixed two issues in the install and upgrade scripts which affected some environments.

Upgrading

If you host multiple realms on your Zulip server, you should upgrade promptly. See the upgrade instructions in the Zulip documentation.

If you’re upgrading from 1.7.0, then the code changes are small and there are no migrations or dependency changes, so the risk of unexpected disruption is low. Note that because of the fix for CVE-2017-0910, any existing new-user invitations will be expired; they can be re-sent as needed.

If you’re running a version older than 1.7.0, you should upgrade anyway to get all the great features in 1.7! And if you have multiple realms, you should upgrade promptly to 1.7.1 to close the vulnerability. If you need help, best-effort support is available on chat.zulip.org, the Zulip community chat server.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect:

—Greg Price