Zulip Desktop 5.4.3 security release
Today we released Zulip Desktop 5.4.3, fixing a security issue:
- CVE-2020-24582: Zulip Desktop failed to escape various strings interpolated into the user interface HTML. This could result in code execution when connecting to a maliciously altered Zulip server.
The Zulip security team discovered this issue during internal auditing. Zulip Desktop versions 5.4.2 and earlier are affected.
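The bug class described for CVE-2020-24582, shown as an added JavaScript example (not Zulip Desktop's own code): a server-supplied string interpolated into UI markup unescaped, beside a tagged template that escapes every interpolated value. The `html` tag, the `renderTab*` functions and the sample server name are hypothetical and constructed for illustration.

```javascript
// Added illustration; names and markup are assumptions, not Zulip Desktop source.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Wrapper marking markup that the html tag itself produced.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: literal parts are trusted, every interpolated value is
// escaped unless it is already a SafeHtml fragment (allows nesting).
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.markup : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

// Unsafe pattern: the server-controlled name becomes part of the markup.
function renderTabUnsafe(server) {
  return `<div class="tab" title="${server.name}"><span>${server.name}</span></div>`;
}

// Hardened pattern: same markup, built through the escaping tag.
function renderTabSafe(server) {
  const label = html`<span>${server.name}</span>`;
  return html`<div class="tab" title="${server.name}">${label}</div>`.toString();
}

// Constructed sample: a name that closes the attribute and adds an element.
const alteredServer = { name: 'Acme" data-x="1"><b>Chat</b>' };

console.log(renderTabUnsafe(alteredServer)); // markup structure is changed
console.log(renderTabSafe(alteredServer));   // name stays inert text
```

Escaping at the point of interpolation keeps the rule in one place; a fragment passes through unescaped only when it was itself produced by the `html` tag.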
This release also includes the following changes since 5.4.2:
- Upstream dependencies have been upgraded to the latest compatible releases, including Electron 9.3.0.
Upgrading
All installations should upgrade to this latest release as soon as possible. Installations with the default automatic upgrades enabled will be upgraded to the new release when next launched.
Community
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org, the Zulip community Zulip server. Several streams have user feedback and discussion as their primary purpose.
- Follow us on Twitter, or join our announcement mailing list.