Zulip Server 4.11 security release

We released Zulip Server 4.11 today! This is a security release, containing a minor security fix.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.

Reminder: upgrade your host operating system

As a reminder, we have deprecated support for Ubuntu 18.04 Bionic, because the upstream vendor no longer provides security support for important Zulip dependencies. Specifically, Ubuntu 18.04 remains supported in this release and will be supported in the rest of the Zulip Server 4.x series, but will not be supported in the upcoming Zulip Server 5.0 release.

We recommend upgrading any Zulip servers you manage which are running on Ubuntu 18.04. See our OS upgrade documentation for how to correctly upgrade a Zulip server.

Notable changes:

  • CVE-2022-24751: Zulip Server 4.0 and above were susceptible to a race condition during user deactivation, where a simultaneous access by the user being deactivated may, in rare cases, allow continued access by the deactivated user. This access could theoretically continue until one of the following events happens:
    • The session expires from memcached; this defaults to two weeks, and is controlled by SESSION_COOKIE_AGE in /etc/zulip/settings.py.
    • The session cache is evicted from memcached by other cached data.
    • The server is upgraded, which clears the cache.
  • Updated translations.
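A constructed sketch of the bug class described in the CVE bullet above, added here as an example and not Zulip's own code: a cache-aside session store in which a request's cache fill lands after deactivation has already cleared the cache, beside a per-request re-check of the authoritative active flag that closes the window. The Store class, its field names and the interleaving are assumptions for illustration.

```python
"""Constructed illustration of a cache-aside session race (not Zulip's code).

Two paths race: a request resolving a session (read from the database,
then populate the cache) and an administrator deactivating that user
(delete the sessions, then clear the cache). If the request's cache write
lands after the deactivation's cache delete, the cache holds a session for
a user who no longer has one, and it survives until expiry or eviction.
"""
from dataclasses import dataclass, field


@dataclass
class Store:
    users: dict = field(default_factory=dict)        # uid -> is_active (authoritative)
    sessions_db: dict = field(default_factory=dict)  # sid -> uid (authoritative)
    cache: dict = field(default_factory=dict)        # sid -> uid (memcached stand-in)

    def deactivate(self, uid):
        """Admin path: flag the user inactive, drop sessions from DB and cache."""
        self.users[uid] = False
        for sid in [s for s, u in self.sessions_db.items() if u == uid]:
            del self.sessions_db[sid]
            self.cache.pop(sid, None)

    def db_read(self, sid):
        return self.sessions_db.get(sid)

    def cache_fill(self, sid, uid):
        self.cache[sid] = uid

    def resolve_unchecked(self, sid):
        """Vulnerable pattern: a cached session is trusted as-is."""
        return self.cache.get(sid)

    def resolve_checked(self, sid):
        """Hardened pattern: re-check the authoritative active flag per request."""
        uid = self.cache.get(sid)
        if uid is None or not self.users.get(uid, False):
            self.cache.pop(sid, None)  # evict the stale entry instead of waiting for expiry
            return None
        return uid


def racy_interleaving():
    """Assumed interleaving: DB read, full deactivation, then the stale cache fill."""
    s = Store(users={"alice": True}, sessions_db={"sid1": "alice"})
    uid = s.db_read("sid1")    # request: cache miss, session read from the DB
    s.deactivate("alice")      # admin: deactivation completes in between
    s.cache_fill("sid1", uid)  # request: stale session is written into the cache
    return s
```

With the unchecked resolver the stale cache entry keeps granting access until it expires or is evicted, which is the window the release notes describe; the checked resolver denies it on the next request.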

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: