Zulip server 2.1.3 security release
We released Zulip Server 2.1.3 today. This is a security release, containing a few dozen cherry-picked changes since Zulip 2.1.2.
This release fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues:
- CVE-2020-9444: Reverse tabnabbing vulnerability in Zulip markdown.
- CVE-2020-9445: XSS vulnerability in modal_link markdown feature. This was resolved by removing this markdown feature, which hasn’t been used in years.
- CVE-2020-10935: XSS vulnerability in markdown link processing.
- Blocked access from Zulip Desktop versions below 5.0.0 due to security issues with older releases. While most clients have already automatically upgraded, you can adjust version.py (and then restart the server) if you want to adjust this policy.
- Restructured server initialization to simplify initialization of Docker containers (eliminating common classes of user error).
- Removed buggy feedback bot (the
- Migrated GitHub authentication to use their latest OAuth authentication interface.
- Fixed support for restoring a backup on a different minor release (in the common case in which they have the same database schema).
- Fixed restoring backups with memcached authentication enabled.
- Fixed image alt tags appearing before preview content (preheaders) for many emails.
- Fixed buggy text in missed-message emails with PM content disabled.
- Fixed buggy loading spinner in “emoji format” widget.
- Fixed incoming webhook support for AWX 9.x.y.
- Fixed a couple missing translation tags.
- Fixed “User groups” settings UI bug for administrators.
- Fixed error handling for Slack data import.
- Fixed data import tool to reset resource limits after importing data from a free plan organization on zulipchat.com.
- Changed the SAML default signature algorithm to SHA-256, overriding the SHA-1 default used by python3-saml.
- Added an integration for Prometheus AlertManager.
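As an added illustration (not Zulip's code), here is a small Python audit for the reverse-tabnabbing class named in CVE-2020-9444: it flags links rendered with target="_blank" but no rel="noopener"/"noreferrer", and shows the attribute fix a markdown renderer should apply. The sample HTML is constructed for the example.

```python
"""Audit rendered markdown HTML for reverse-tabnabbing exposure.

A link rendered with target="_blank" but without rel="noopener" (or
"noreferrer", which implies it) hands the opened page a window.opener
reference it can use to navigate the original tab. This checker flags
such anchors; the sample HTML below is constructed for the example.
"""
from html.parser import HTMLParser

# Constructed sample: link "a" is unsafe, "b" is hardened, "c" stays in-tab.
SAMPLE_HTML = (
    '<p>See <a href="https://example.invalid/a" target="_blank">a</a>, '
    '<a href="https://example.invalid/b" target="_blank" '
    'rel="noopener noreferrer">b</a> '
    'and <a href="https://example.invalid/c">c</a>.</p>'
)

SAFE_REL_TOKENS = {"noopener", "noreferrer"}


class TabnabbingAuditor(HTMLParser):
    """Collect hrefs of anchors that open a new window without noopener."""

    def __init__(self):
        super().__init__()
        self.unsafe_links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr_map = {name.lower(): (value or "") for name, value in attrs}
        if attr_map.get("target", "").lower() != "_blank":
            return  # same-tab links do not expose window.opener
        rel_tokens = {t.lower() for t in attr_map.get("rel", "").split()}
        if not rel_tokens & SAFE_REL_TOKENS:
            self.unsafe_links.append(attr_map.get("href", ""))


def find_tabnabbing_links(rendered_html):
    """Return hrefs of target=_blank anchors lacking noopener/noreferrer."""
    auditor = TabnabbingAuditor()
    auditor.feed(rendered_html)
    auditor.close()
    return auditor.unsafe_links


def harden_anchor_attrs(attrs):
    """Return a copy of an anchor's attributes with rel="noopener noreferrer"
    appended whenever the link opens a new browsing context."""
    hardened = dict(attrs)
    if hardened.get("target", "").lower() != "_blank":
        return hardened
    tokens = hardened.get("rel", "").split()
    for needed in ("noopener", "noreferrer"):
        if needed not in (t.lower() for t in tokens):
            tokens.append(needed)
    hardened["rel"] = " ".join(tokens)
    return hardened
```

Running find_tabnabbing_links over the sample returns only the first link; harden_anchor_attrs is the per-anchor fix a renderer would apply before emitting the tag.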
Thanks to Matt Austin for reporting CVE-2020-9445, and Luis Ariel Sadovsky and Pablo Zurro of Core Security for reporting CVE-2020-10935.
All installations should be upgraded promptly. See the upgrade instructions in the Zulip documentation.
If you need help, best-effort support is available on chat.zulip.org, the Zulip community chat server.
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org, the Zulip community Zulip server. Several streams have user feedback and discussion as their primary purpose.
- Follow us on Twitter, or join our announcement mailing list.