Zulip Server 4.8 security release
We released Zulip Server 4.8 today! This is a security release, containing important security fixes, as well as important cherry-picked bug fixes, since Zulip Server 4.7.
Deprecating support for Ubuntu 18.04 Bionic
With this release, we are deprecating support for Ubuntu 18.04 Bionic. Specifically, Ubuntu 18.04 will be supported in the rest of the Zulip Server 4.x series, but will not be supported in the upcoming Zulip Server 5.0 release.
While Ubuntu 18.04 is expected to reach the
end of standard support in April 2023, packages
universe package set (including
supervisor) are already out of support. Additionally, it only contains support
for Python 3.6, which
reaches EOL at the end of 2021.
We recommend planning to upgrade any Zulip servers you manage which are running on Ubuntu 18.04 over the next few months. See our OS upgrade documentation for how to correctly upgrade a Zulip server.
- CVE-2021-43791: Zulip could fail to enforce expiration dates on confirmation keys, allowing users to potentially use expired invitations, self-registrations, or realm creation links.
- Began installing Smokescreen to
harden Zulip against
attacks by default. Zulip has offered Smokescreen as an option since Zulip
4.0. Existing installs which configured an outgoing proxy which is not on
localhost:4750will continue to use that; all other installations will begin having a Smokescreen installation listening on 127.0.0.1, which Zulip will proxy traffic through. The version of Smokescreen was also upgraded.
- Replaced the camo image proxy with go-camo, a maintained reimplementation that also protects against SSRF attacks. This server now listens only on 127.0.0.1 when it is deployed as part of a standalone deployment.
- Began using camo for images displayed in URL previews. This improves privacy and also resolves an issue where an image link to a third party server with an expired or otherwise invalid SSL certificate would trigger a confusing pop-up window for Zulip Desktop users.
- Fixed a bug which could cause Tornado to shut down improperly (causing an immediate full-page reload for their clients) when restarting a heavily loaded Zulip server.
- Updated Python dependencies.
- Truncated large “remove” mobile notification events so that marking hundreds of private messages or other notifiable messages as read at once won’t exceed Apple’s 4 KB notification size limit.
- Slack importer improvements:
- Ensured that generated fake email addresses for Slack bots are unique.
- Added support for importing Slack exports from a directory, not just a .zip file.
- Provided better error messages with invalid Slack tokens.
- Added support for non-ASCII Unicode folder names on Windows.
- Add support for V3 Pagerduty webhook.
- Updated documentation for Apache SSO, which now requires additional
configuration now that Zulip uses a C extension (the
- Fixed a bug where an empty name in a SAML response would raise an error.
- Ensured that
deliver_scheduled_messagesdid not double-deliver if run on multiple servers at once.
- Extended Certbot troubleshooting documentation.
- Fixed a bug in soft deactivation catch-up code, in cases where a race condition had created multiple subscription deactivation entries for a single user and single stream in the audit log.
- Updated translations, including adding a Sinhala translation.
We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org and provide feedback directly to the development community!
- Follow us on Twitter, or join our announcement mailing list (or subscribe to the blog posts, which are mostly a subset of the already low-volume mailing list).