Zulip Server 3.4 security release
Zulip Server 3.4 was released today! This is a security release, containing important security updates for the 3.x series of Zulip Server.
This will likely be the last release in the 3.x stable release series, as we are getting close to publishing the first release candidate for Zulip 4.0.
This release fixes multiple important bugs in previous versions of Zulip. It contains fixes for the following issues:
- CVE-2021-30487: Prevent administrators from moving topics to disallowed streams.
- CVE-2021-30479: Prevent guest user access to
- CVE-2021-30478: Prevent API super users from forging messages to other organizations.
- CVE-2021-30477: Prevent outgoing webhook bots from sending arbitrary messages to any stream.
- Fixed a potential HTML injection bug in outgoing emails.
- Fixed a Postfix configuration error which would prevent outgoing email to any email address containing `+`, or starting with `mm`, when configured to use the local Postfix to deliver outgoing email.
- Fixed a backporting error which caused the `manage.py change_user_role` tool to not work for
- Add support for logout events sent from modern versions of the desktop application.
- Upgraded minor Python dependencies.
- Minor documentation fixes.
All of the security bugs in this release were discovered by the Zulip core team.
We strongly recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org and provide feedback directly to the development community!
- Follow us on Twitter, or join our announcement mailing list (or subscribe to the blog posts, which are mostly a subset of the already low-volume mailing list).