Zulip Server 5.4 security release

We released Zulip Server 5.4 today! This is a security release, containing a security fix and several cherry-picked changes since Zulip Server 5.3.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.

Notable changes

  • CVE-2022-31134: Exclude private file uploads from exports of public data; see the accompanying Zulip Cloud post for more details. We would like to thank Antoine Benoist for bringing this issue to our attention.
  • Upgraded Python requirements.
  • Improved documentation for load balancers to mention CIDR address ranges.
  • Documented an explicit list of supported CPU architectures.
  • Switched html2text to run as a subprocess, rather than a Python module, as its GPL license is not compatible with Zulip’s.
  • Replaced markdown-include python module with a reimplementation, as its GPL license is not compatible with Zulip’s.
  • Relicensed as GPL the tools/check-thirdparty developer tool which verifies third-party licenses, due to a GPL dependency by way of python-debian.
  • Closed a potential race condition in the Tornado server, in which events arriving at exactly the same time as a request caused server errors.
  • Added a tool to help automate more of the release process.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: