Zulip server 2.1.3 security release

We released Zulip Server 2.1.3 today. This is a security release, containing a few dozen cherry-picked changes since Zulip 2.1.2.

What’s new

This releases fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues:

  • CVE-2020-9444: Reverse tabnabbing vulnerability in Zulip markdown.
  • CVE-2020-9445: XSS vulnerability in modal_link markdown feature. This was resolved by removing this markdown feature, which hasn't been used in years.
  • CVE-2020-10935: XSS vulnerability in markdown link processing.
  • Blocked access from Zulip Desktop versions below 5.0.0 due to security issues with older releases.  While most clients have already automatically upgraded, you can adjust DESKTOP_MINIMUM_VERSION and DESKTOP_WARNING_VERSION in version.py (and then restart the server) if you want to adjust this policy.
  • Restructured server initialization to simplify initialization of Docker containers (eliminating common classes of user error).
  • Removed buggy feedback bot (the ENABLE_FEEDBACK setting).
  • Migrated GitHub authentication to use their latest OAuth authentication interface.
  • Fixed support for restoring a backup on a different minor release (in the common case in which they have the same database schema).
  • Fixed restoring backups with memcached authentication enabled.
  • Fixed image alt tags appearing before preview content (preheaders) for many emails.
  • Fixed buggy text in missed-message emails with PM content disabled.
  • Fixed buggy loading spinner in "emoji format" widget.
  • Fixed incoming webhook support for AWX 9.x.y.
  • Fixed a couple missing translation tags.
  • Fixed "User groups" settings UI bug for administrators.
  • Fixed error handling for Slack data import.
  • Fixed data import tool to reset resource limits after importing data from a free plan organization on zulipchat.com.
  • Changed the SAML default signature algorithm to SHA-256, overriding
    the SHA-1 default used by python3-saml.
  • Added an integration for Prometheus AlertManager.

Thanks to Matt Austin for reporting CVE-2020-9445, and Luis Ariel Sadovsky and Pablo Zurro of Core Security for reporting CVE-2020-10935.

Upgrading

All installations should upgrade promptly to secure their installations. See the upgrade instructions in the Zulip documentation.

If you need help, best-effort support is available on chat.zulip.org, the Zulip community chat server.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: