Zulip Server 2.0.5 security release
We released Zulip Server 2.0.5 today. This is a security release, containing a handful of cherry-picked changes since Zulip 2.0.4.
This releases fixes a few important bugs in previous versions of Zulip. It contains fixes for the following security issues:
- CVE-2019-16215: Fix DoS vulnerability in Markdown LINK_RE.
- CVE-2019-16216: Fix MIME type validation bug allowing XSS.
CVE-2019-16215 affects all past version of Zulip. CVE-2019-16216 affects common configurations of Zulip 1.8.0 and newer.
This release also contains some bug fixes for new installations:
- Fixed email gateway postfix configuration for Ubuntu Bionic.
- Fixed support for hidden_by_limit messages in Slack import.
- Fixed confusing output from the
We expect Zulip 2.1 to be released in the coming weeks, with hundreds of new features and other changes.
All users should upgrade promptly to secure their installations. See the upgrade instructions in the Zulip documentation.
If you’re upgrading from 2.0.x, then the code changes are small and there are no migrations or dependency changes, so the risk of unexpected disruption is low. If you’re upgrading from an older version, we recommend upgrading directly to 2.0.5.
If you’re running a fork of master, you will need to rebase your fork to get these fixes.
If you need help, best-effort support is available on chat.zulip.org, the Zulip community chat server.
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org, the Zulip community Zulip server. Several streams have user feedback and discussion as their primary purpose.
- Follow us on Twitter, or join our announcement mailing list.