We released Zulip Server 2.1.7. This is a security release, containing a couple of cherry-picked changes since Zulip Server 2.1.6.

What’s new

This release fixes multiple important bugs in previous versions of Zulip. It contains fixes for the following issues:

  • CVE-2020-15070: Fix privilege escalation vulnerability with custom profile fields. A privileged attacker who can write directly to the Zulip postgres database (which isn't available to any user role in Zulip) could trigger code execution on the Zulip server by storing an invalid custom profile field value that was later processed using eval.
  • Changed default memcached authentication username to zulip@localhost. This fixes an issue where a Zulip server that was rebooted with a different hostname would be unable to authenticate to its memcached process due to the hostname being encoded in the generated memcached SASL credentials.
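As an added illustration (not code from Zulip), the pattern behind CVE-2020-15070 from a defender's view: a stored field value handed to eval runs whatever the database row contains, whereas a JSON parse plus a shape check accepts only the intended data. The stored format (a JSON list of integer user IDs) and the function names are assumptions made for this example.

```python
import json
from typing import List


def parse_user_list_unsafe(raw: str) -> List[int]:
    """Vulnerable pattern: treating a database string as Python source.
    Kept only to contrast with the hardened parser below; never use."""
    return eval(raw)  # any expression stored in the DB executes here


def parse_user_list(raw: str) -> List[int]:
    """Hardened parser: data is data, never code. Parses the stored value
    as JSON and accepts only a list of non-negative integers."""
    try:
        value = json.loads(raw)
    except (ValueError, TypeError) as exc:
        raise ValueError(f"custom profile field value is not JSON: {raw!r}") from exc
    if not isinstance(value, list):
        raise ValueError("expected a JSON list of user ids")
    ids: List[int] = []
    for item in value:
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(item, bool) or not isinstance(item, int) or item < 0:
            raise ValueError(f"invalid user id in field value: {item!r}")
        ids.append(item)
    return ids


# Constructed sample values, as they might sit in the stored-value column.
GOOD_VALUE = "[10, 11, 42]"
# A JSON object rather than a list: the hardened parser rejects it, while
# eval would simply have evaluated it (or any other Python expression).
BAD_VALUE = '{"not": "a list"}'

if __name__ == "__main__":
    print(parse_user_list(GOOD_VALUE))
    try:
        parse_user_list(BAD_VALUE)
    except ValueError as err:
        print("rejected:", err)
```

Auditing existing rows with the hardened parser before the upgrade is one way to surface values that were never a valid user-ID list.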

CVE-2020-15070 was discovered by the Zulip core team.

Upgrading

All installations using LDAP synchronization should upgrade promptly to secure their installations. See the upgrade instructions in the Zulip documentation.

If you need help, best-effort support is available on chat.zulip.org, the Zulip community chat server.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: