We released Zulip Server 5.5 today! This is a security release, containing an important security fix and several cherry-picked changes since Zulip Server 5.4.
- CVE-2022-31168: Fix authorization check for changing bot roles. Due to an incorrect authorization check in Zulip Server 5.4 and all prior releases, a member of an organization could craft an API call that would grant organization administrator privileges to one of their bots.
- Added new options to the
restore-backuptool to simplify restoring backups on a system with a different configuration.
- Updated translations, including major updates to the Mongolian and Serbian translations.
CVE-2022-31168 was discovered by the Zulip security team and has already been patched in Zulip Cloud. This vulnerability has likely not been exploited in the wild prior to this disclosure. In particular, an analysis of Zulip Cloud’s audit logs since October 2019 (when the relevant audit log feature was added) determined that CVE-2022-31168 had not been exploited against Zulip Cloud in that time.
We love feedback from the Zulip user community. Here are a few ways you can connect: