Zulip Server 5.5 security release

We released Zulip Server 5.5 today! This is a security release, containing an important security fix and several cherry-picked changes since Zulip Server 5.4.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.

Notable changes

  • CVE-2022-31168: Fix authorization check for changing bot roles. Due to an incorrect authorization check in Zulip Server 5.4 and all prior releases, a member of an organization could craft an API call that would grant organization administrator privileges to one of their bots.
  • Added new options to the restore-backup tool to simplify restoring backups on a system with a different configuration.
  • Updated translations, including major updates to the Mongolian and Serbian translations.

CVE-2022-31168 was discovered by the Zulip security team and has already been patched in Zulip Cloud. This vulnerability has likely not been exploited in the wild prior to this disclosure. In particular, an analysis of Zulip Cloud’s audit logs since October 2019 (when the relevant audit log feature was added) determined that CVE-2022-31168 had not been exploited against Zulip Cloud in that time.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: