Release announcements, Security

Zulip Server 6.2 security release

Alex Vandiver

We released Zulip Server 6.2 today! This is a security release, containing two security fixes and several cherry-picked changes since Zulip Server 6.1.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.

Notable changes

  • CVE-2023-28623: Fixed a vulnerability that would allow users to sign up for a Zulip Server account with an unauthorized email address, despite the server being configured to require that email addresses be in LDAP. Specifically, if the organization permissions don’t require invitations to join, and the only configured authentication backends were ZulipLDAPAuthBackend and some other external authentication backend (any aside from ZulipLDAPAuthBackend and EmailAuthBackend), then an unprivileged remote attacker could have created a new account in the organization with an arbitrary email address in their control that was not in the organization’s LDAP directory.

  • CVE-2023-32677: Fixed a vulnerability which allowed users to invite new users to streams when inviting them to the server, even if they did not have permission to invite existing users to streams. This did not allow users to invite others to streams that they themselves were not a member of, and only affected deployments with the rare configuration of a permissive realm invitation policy and a strict stream invitation policy.

  • Fixed a bug that could cause duplicate push notifications when using the mobile push notifications service.

  • Fixed several bugs in the Zulip server and PostgreSQL version upgrade processes.

  • Fixed multiple Recent conversations display bugs for private message conversations.

  • Fixed the left sidebar stream list exiting “more topics” during background re-rendering, and a related rendering bug.

  • Fixed a bug where uploaded files sent via the email gateway were not correctly associated with the message’s sender.

  • Improved error handling for certain puppet failures.

  • Silenced a distracting caniuse browserlist warning in install/upgrade output.

  • Simplified UI for inviting new users to make it easy to select the default streams.

  • Fixed GPG check error handling for PGroonga apt repository.

  • Documented how to manage email address changes when using the LDAP backend.

  • Documented how to use SMTP without authentication.

  • Documented that the Zulip mobile/desktop apps now only support Zulip Server 4.0 and newer (released 22 months ago), following our 18-month support policy.

  • Extracted the documentation on modifying Zulip to a dedicated page.

  • Added a new send_welcome_bot_message management command, to allow the sysadmin to send Welcome Bot messages manually after a data import.

  • Added new RABBITMQ_USE_TLS and RABBITMQ_PORT settings for installations wanting to configure the RabbitMQ connection with a remote RabbitMQ host.

  • Added a new timesync deployment option to allow installations to override Zulip’s default of chrony for time synchronization.

  • Upgraded dependencies for security and bug fixes.
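The CVE-2023-28623 entry above describes a specific combination of settings rather than a single bad value: LDAP enabled, EmailAuthBackend disabled, at least one other external backend enabled, and an organization that does not require invitations to join. The following is an added example, not code from the Zulip release notes or the Zulip code base, that turns that description into an audit check an administrator can run against the AUTHENTICATION_BACKENDS tuple from settings.py and the organization's "require invitations" flag before upgrading. The backend class paths are taken from the Zulip documentation (assumed), and the sample configurations are constructed for illustration.

```python
"""
Added example (not part of the Zulip release notes or the Zulip project).
Flags the pre-6.2 configuration described for CVE-2023-28623: an LDAP-backed
server whose open (invitation-free) signup could be reached through another
external backend, bypassing the LDAP email check.
"""
from dataclasses import dataclass
from typing import Iterable

# Backend class paths as documented for /etc/zulip/settings.py (assumed).
LDAP_BACKEND = "zproject.backends.ZulipLDAPAuthBackend"
EMAIL_BACKEND = "zproject.backends.EmailAuthBackend"


@dataclass
class AuditResult:
    exposed: bool   # True when the affected combination is present
    reason: str     # one-line explanation for the admin


def audit_signup_backends(backends: Iterable[str], invite_required: bool) -> AuditResult:
    """Apply the four conditions from the advisory text, most specific first."""
    enabled = set(backends)
    if LDAP_BACKEND not in enabled:
        return AuditResult(False, "LDAP backend not enabled; the issue does not apply")
    if EMAIL_BACKEND in enabled:
        return AuditResult(False, "EmailAuthBackend is enabled; not the affected combination")
    others = sorted(enabled - {LDAP_BACKEND})
    if not others:
        return AuditResult(False, "LDAP is the only backend; every signup is LDAP-validated")
    if invite_required:
        return AuditResult(False, "Organization requires invitations; open signup path is closed")
    return AuditResult(
        True,
        f"LDAP plus external backend(s) {others} with open signup: "
        "upgrade to Zulip Server 6.2 or newer",
    )


# Constructed sample configurations (not real deployments).
SAMPLE_CONFIGS = {
    "ldap+github, open signup": (
        (LDAP_BACKEND, "zproject.backends.GitHubAuthBackend"), False),
    "ldap+email+github, open signup": (
        (LDAP_BACKEND, EMAIL_BACKEND, "zproject.backends.GitHubAuthBackend"), False),
    "ldap+github, invite required": (
        (LDAP_BACKEND, "zproject.backends.GitHubAuthBackend"), True),
    "ldap only, open signup": ((LDAP_BACKEND,), False),
}


def audit_all(configs: dict) -> dict:
    """Run the check over a name -> (backends, invite_required) mapping."""
    return {name: audit_signup_backends(b, inv) for name, (b, inv) in configs.items()}


if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_CONFIGS).items():
        flag = "EXPOSED " if result.exposed else "ok      "
        print(f"{flag} {name}: {result.reason}")
```

Only the first sample configuration is flagged; adding EmailAuthBackend, requiring invitations, or running LDAP alone each removes one of the conditions the advisory names. The check reports configuration state only; the fix remains the 6.2 upgrade.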