Zulip Server 5.7 security release

We released Zulip Server 5.7 today! This is a security release, containing a security fix and several cherry-picked changes since Zulip Server 5.6.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.

Notable changes

  • CVE-2022-41914: Fixed the verification of the SCIM account management bearer tokens to use a constant-time comparator. Zulip Server 5.0 through 5.6 checked SCIM bearer tokens using a comparator that did not run in constant time. For organizations with SCIM account management enabled, this bug theoretically allowed an attacker to steal the SCIM bearer token, and use it to read and update the Zulip organization’s user accounts. In practice, this vulnerability may not have been practical or exploitable. Zulip Server installations which have not explicitly enabled SCIM are not affected.
  • Fixed an error with deactivating users with manage.py sync_ldap_user_data when LDAP_DEACTIVATE_NON_MATCHING_USERS was enabled.
  • Fixed several subtle bugs that could lead to browsers reloading repeatedly when the server was updated.
  • Fixed a live-update bug when changing certain notifications settings.
  • Improved error logs when sending push notifications to the push notifications service fails.
  • Upgraded Python requirements.

CVE-2022-41914 was discovered internally by the Zulip security team.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: