Zulip Server 5.4 security release
We released Zulip Server 5.4 today! This is a security release, containing a security fix and several cherry-picked changes since Zulip Server 5.3.
Upgrading
We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.
Notable changes
- CVE-2022-31134: Exclude private file uploads from exports of public data; see the accompanying Zulip Cloud post for more details. We would like to thank Antoine Benoist for bringing this issue to our attention.
- Upgraded python requirements.
- Improved documentation for load balancers to mention CIDR address ranges.
- Documented an explicit list of supported CPU architectures.
- Switched html2text to run as a subprocess, rather than a Python module, as its GPL license is not compatible with Zulip’s.
- Replaced the markdown-include Python module with a reimplementation, as its GPL license is not compatible with Zulip’s.
- Relicensed as GPL the tools/check-thirdparty developer tool, which verifies third-party licenses, due to a GPL dependency by way of python-debian.
- Closed a potential race condition in the Tornado server, where events arriving at exactly the same time as a request caused server errors.
- Added a tool to help automate more of the release process.
Community
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org and provide feedback directly to the development community!
- Follow us on Twitter, or join our announcement mailing list (or subscribe to the blog posts, which are mostly a subset of the already low-volume mailing list).