Zulip Server 5.5 security release
We released Zulip Server 5.5 today! This is a security release, containing an important security fix and several cherry-picked changes since Zulip Server 5.4.
Upgrading
We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.
Notable changes
- CVE-2022-31168: Fix authorization check for changing bot roles. Due to an incorrect authorization check in Zulip Server 5.4 and all prior releases, a member of an organization could craft an API call that would grant organization administrator privileges to one of their bots.
- Added new options to the
restore-backup
tool to simplify restoring backups on a system with a different configuration. - Updated translations, including major updates to the Mongolian and Serbian translations.
CVE-2022-31168 was discovered by the Zulip security team and has already been patched in Zulip Cloud. This vulnerability has likely not been exploited in the wild prior to this disclosure. In particular, an analysis of Zulip Cloud’s audit logs since October 2019 (when the relevant audit log feature was added) determined that CVE-2022-31168 had not been exploited against Zulip Cloud in that time.
Community
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org and provide feedback directly to the development community!
- Follow us on Twitter, or join our announcement mailing list (or subscribe to the blog posts, which are mostly a subset of the already low-volume mailing list).