
Zulip Server 3.4 security release

Alex Vandiver

Zulip Server 3.4 was released today! This is a security release, containing important security updates for the 3.x series of Zulip Server.

This will likely be the last release in the 3.x stable release series, as we are getting close to publishing the first release candidate for Zulip 4.0.

What’s new

This release fixes multiple important bugs in previous versions of Zulip. It contains fixes for the following issues:

  • CVE-2021-30487: Prevent administrators from moving topics to disallowed streams.
  • CVE-2021-30479: Prevent guest user access to all_public_streams API.
  • CVE-2021-30478: Prevent API super users from forging messages to other organizations.
  • CVE-2021-30477: Prevent outgoing webhook bots from sending arbitrary messages to any stream.
  • Fixed a potential HTML injection bug in outgoing emails.
  • Fixed a Postfix configuration error that prevented outgoing email to any address containing `.` or `+`, or starting with `mm`, when the server was configured to deliver outgoing email through the local Postfix.
  • Fixed a backporting error which caused the manage.py change_user_role tool to not work for admin, member, or guest roles.
  • Added support for logout events sent from modern versions of the desktop application.
  • Upgraded minor python dependencies.
  • Minor documentation fixes.

All of the security bugs in this release were discovered by the Zulip core team.

Upgrading

We strongly recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.
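Before or after upgrading, an administrator will want a quick way to confirm which release a server is actually running. The script below is an added example, not part of this announcement or of Zulip's own tooling. It assumes (as Zulip's standard install layout does) that the live deployment is /home/zulip/deployments/current and that its version.py contains a line of the form `ZULIP_VERSION = "3.3"`; the sample version.py it reads is constructed inline so the script runs offline. It classifies a version as already carrying the 3.4 fixes, needing the upgrade, or being a -dev/-rc build whose fix status the version string alone cannot settle.

```shell
#!/bin/sh
# Added example (not from the Zulip 3.4 announcement or the Zulip project):
# check whether a Zulip Server deployment already carries the 3.4 fixes.
#
# Assumptions: Zulip writes its version to version.py in each deployment as
#     ZULIP_VERSION = "3.3"
# and the live deployment is /home/zulip/deployments/current.

# Print the ZULIP_VERSION string found in a version.py file ($1).
zulip_version() {
    sed -n 's/^ZULIP_VERSION *= *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Classify a version string relative to the 3.4 security release:
#   patched    - 3.4 or any later numbered release
#   upgrade    - a numbered release older than 3.4 (lacks these fixes)
#   prerelease - a -dev/-rc build; the suffix does not say whether the
#                fixes are in, so check the deployed git commit instead
#   unknown    - not a major.minor[.patch] string
classify_version() {
    case "$1" in
        *-*) echo prerelease; return ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0          # a bare "3" has no minor part
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) echo unknown; return ;; esac
    case "$minor" in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 4 ]; }; then
        echo patched
    else
        echo upgrade
    fi
}

# Report on one version.py ($1); exit status 0 only when it is patched.
# On a real server: check_deployment /home/zulip/deployments/current/version.py
check_deployment() {
    ver=$(zulip_version "$1")
    [ -n "$ver" ] || { echo "no ZULIP_VERSION found in $1"; return 2; }
    status=$(classify_version "$ver")
    echo "Zulip Server $ver: $status"
    [ "$status" = patched ]
}

# Constructed sample standing in for a pre-3.4 deployment's version.py.
sample=$(mktemp)
printf 'ZULIP_VERSION = "3.3"\nLATEST_RELEASE_VERSION = "3.3"\n' > "$sample"
check_deployment "$sample" || echo "upgrade to Zulip Server 3.4 is recommended"
rm -f "$sample"
```

Point check_deployment at the real version.py to use it on a server; a `prerelease` result means you are running from git and should compare the deployed commit against the 3.4 fixes rather than trusting the version string.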

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: