Zulip Server 5.4 security release
We released Zulip Server 5.4 today! This is a security release, containing a security fix and several cherry-picked changes since Zulip Server 5.3.
We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.
- CVE-2022-31134: Exclude private file uploads from exports of public data; see the accompanying Zulip Cloud post for more details. We would like to thank Antoine Benoist for bringing this issue to our attention.
- Upgraded python requirements.
- Improved documentation for load balancers to mention CIDR address ranges.
- Documented an explicit list of supported CPU architectures.
html2textto run as a subprocess, rather than a Python module, as its GPL license is not compatible with Zulip’s.
markdown-includepython module with a reimplementation, as its GPL license is not compatible with Zulip’s.
- Relicensed as GPL the
tools/check-thirdpartydeveloper tool which verifies third-party licenses, due to a GPL dependency by way of
- Closed a potential race condition in the Tornado server, with events arriving at exactly the same time as request causing server errors.
- Added a tool to help automate more of the release process.
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org and provide feedback directly to the development community!
- Follow us on Twitter, or join our announcement mailing list (or subscribe to the blog posts, which are mostly a subset of the already low-volume mailing list).