Zulip Desktop 4.0.3 security release

Today we released Zulip Desktop 4.0.3, fixing a critical security issue:

  • CVE-2020-9443: Web security was disabled in the Electron webview.

This is a critical security issue because Zulip's security model for uploaded files relies on the browser (in this case Electron) enforcing the web security model. Huge thanks to Matt Austin for reporting this issue. We have not completed our postmortem, but I expect we will be making major changes in how the Electron desktop app is maintained in response to this issue.

Upgrading

Because the desktop app updates automatically, many users have already have upgraded to this new version.

However, Zulip Desktop 2.3.82, released in late 2018, had buggy auto-update functionality and will not auto-update (while claiming it's up-to-date), and some users are still using that release. To help users running Zulip Desktop 2.3.82, we have implemented a large, red notice at the top of the Zulip UI telling them that auto-update is broken and they need to download the latest app from https://zulipchat.com/apps.

This notice was deployed to zulipchat.com today, and will be included in the Zulip Server 2.1.3 release scheduled for next week.

For server administrators

Server administrators who want the notice on their installation now can get it by installing the "2.1.x" branch that we use to stage changes planned for the next minor release (current changelog). You can update your installation to the 2.1.x branch using the following command:

/home/zulip/deployments/current/scripts/upgrade-zulip-from-git 2.1.x

See the server upgrade documentation for details on upgrading to pre-release versions of the Zulip server. I should mention that we support installations running stable release branches (like 2.1.x) as though they were running a release, so don't be discouraged from updating because of concerns about support.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: