Zulip Server 4.8 security release

We released Zulip Server 4.8 today! This is a security release, containing important security fixes, as well as important cherry-picked bug fixes, since Zulip Server 4.7.

Deprecating support for Ubuntu 18.04 Bionic

With this release, we are deprecating support for Ubuntu 18.04 Bionic. Specifically, Ubuntu 18.04 will be supported in the rest of the Zulip Server 4.x series, but will not be supported in the upcoming Zulip Server 5.0 release.

While Ubuntu 18.04 is expected to reach the end of standard support in April 2023, packages in its universe package set (including nginx-full, redis-server, and supervisor) are already out of support. Additionally, it only contains support for Python 3.6, which reaches EOL at the end of 2021.

We recommend planning to upgrade any Zulip servers you manage which are running on Ubuntu 18.04 over the next few months. See our OS upgrade documentation for how to correctly upgrade a Zulip server.

Notable changes

  • CVE-2021-43791: Zulip could fail to enforce expiration dates on confirmation keys, allowing users to potentially use expired invitations, self-registrations, or realm creation links.
  • Began installing Smokescreen to harden Zulip against SSRF attacks by default. Zulip has offered Smokescreen as an option since Zulip 4.0. Existing installs which configured an outgoing proxy which is not on localhost:4750 will continue to use that; all other installations will begin having a Smokescreen installation listening on 127.0.0.1, which Zulip will proxy traffic through. The version of Smokescreen was also upgraded.
  • Replaced the camo image proxy with go-camo, a maintained reimplementation that also protects against SSRF attacks. This server now listens only on 127.0.0.1 when it is deployed as part of a standalone deployment.
  • Began using camo for images displayed in URL previews. This improves privacy and also resolves an issue where an image link to a third party server with an expired or otherwise invalid SSL certificate would trigger a confusing pop-up window for Zulip Desktop users.
  • Fixed a bug which could cause Tornado to shut down improperly (causing an immediate full-page reload for their clients) when restarting a heavily loaded Zulip server.
  • Updated Python dependencies.
  • Truncated large “remove” mobile notification events so that marking hundreds of private messages or other notifiable messages as read at once won’t exceed Apple’s 4 KB notification size limit.
  • Slack importer improvements:
    • Ensured that generated fake email addresses for Slack bots are unique.
    • Added support for importing Slack exports from a directory, not just a .zip file.
    • Provided better error messages with invalid Slack tokens.
    • Added support for non-ASCII Unicode folder names on Windows.
  • Add support for V3 Pagerduty webhook.
  • Updated documentation for Apache SSO, which now requires additional configuration now that Zulip uses a C extension (the re2 module).
  • Fixed a bug where an empty name in a SAML response would raise an error.
  • Ensured that deliver_scheduled_emails and deliver_scheduled_messages did not double-deliver if run on multiple servers at once.
  • Extended Certbot troubleshooting documentation.
  • Fixed a bug in soft deactivation catch-up code, in cases where a race condition had created multiple subscription deactivation entries for a single user and single stream in the audit log.
  • Updated translations, including adding a Sinhala translation.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: