Zulip Server 5.6 security release

We released Zulip Server 5.6 today! This is a security release, containing an important security fix and several cherry-picked changes since Zulip Server 5.5.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.

Notable changes

  • Fixed an issue where an attacker who can send messages could trick the server into embedding a link that violates Zulip’s security model.
    • This fixes a security vulnerability (CVE-2022-36048): When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly. This could allow the attacker to infer the viewer’s IP address and browser fingerprinting information.
    • This fix also protects against a vulnerability in the Zulip mobile app (CVE-2022-35962), discussed in detail below.
  • Added hardening against timing attacks to an internal authentication check.
  • Improved documentation for hosting multiple organizations on a server.
  • Updated dependencies.
  • Updated translations.

CVE-2022-36048 was discovered internally by the Zulip team.

Zulip Mobile v27.190 security release

Users of the Zulip mobile apps should upgrade to v27.190, which was released simultaneously with this Zulip Server release. This mobile release fixes a security issue:

  • CVE-2022-35962: An attacker who can send messages could craft a malformed image link which, if tapped in the Zulip mobile apps, could disclose the recipient’s Zulip credentials.

CVE-2022-35962 was discovered internally by the Zulip team. We have performed a complete audit, and determined that this vulnerability has never been exploited in Zulip Cloud. The vulnerability is present in all previous mobile releases.

As discussed above, upgrading to Zulip Server 5.6 also protects against CVE-2022-35962, even for users running older versions of Zulip Mobile. Zulip Cloud has also been upgraded to protect against this vulnerability.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: