
Zulip Server 7.3 security release

Alex Vandiver

We released Zulip Server 7.3 today! This is a security release, containing important security fixes and cherry-picked changes since Zulip Server 7.2.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.

Notable changes

  • CVE-2023-32678: Users who used to be subscribed to a private stream, and have since been removed from it, retained the ability to edit messages/topics and delete messages that they used to have access to, if other relevant organization permissions allowed these actions. For example, such a user may still have been able to edit or delete old messages they had posted in that private stream.
  • Fixed a bug, introduced in Zulip Server 7.0, which would cause uploaded files attached to some messages to be mistakenly deleted after some, but not all, messages linking to the uploaded file were deleted by the user. See our blog post for more details.
  • Fixed a bug, introduced in Zulip Server 7.2 in the operating system upgrade process, which would cause errors of the form “venv was not set up for this Python version”.
  • Fixed a bug, introduced in Zulip Server 7.2, when the email gateway was used in conjunction with a reverse proxy.
  • Improved the performance of resolving or moving long topics.
  • Fixed bad rendering of stream links in stream descriptions.
  • Fixed broken and misaligned images in Zulip welcome emails.
  • Fixed YouTube video previews to be ordered in the order they are linked, not reverse order.
  • Upgraded Python requirements.
  • Updated puppet dependencies.
  • Improved the Sentry integration, including making the “Test plugin” button in Sentry work properly.
  • Reduced memory usage by replacing a custom error reporting handler with the default Django implementation. This will result in a slight change in the format of server exception emails. Such emails should be rare in most self-hosted systems; installations with a large amount of server exception volume should be using the Sentry integration.
  • Updated the data export tool to handle bots created in very early versions of Zulip Server.
  • Fixed a bug with the data export tool and deleted users in group DMs.
  • Added a ./manage.py reactivate-stream command to reactivate archived streams.
  • Fixed links in the documentation to Modify Zulip and Upgrade Zulip pages.
  • Linked the documentation on how to host multiple Zulip organizations on one server.
  • Fixed missing images in documentation for the “XKCD” bot.
  • Fixed “Back to login page” button alignment in the desktop app.
  • Added a reference to PostgreSQL upgrades in the release upgrade section.
  • Clarified in the “Restoring backups” section that PostgreSQL versions must match, and explained how to do that.
  • Reformatted Changelog.
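To make the CVE-2023-32678 bullet concrete, the following is an added toy model of the access check involved; it is illustrative Python written for this post, not Zulip's code, and the `Stream`, `Message` and function names are hypothetical. It contrasts a check that treats former subscribers of a private stream as still having access with one that requires a current subscription.

```python
from dataclasses import dataclass, field

@dataclass
class Stream:
    name: str
    invite_only: bool                       # True models a private stream
    subscribers: set = field(default_factory=set)
    former_subscribers: set = field(default_factory=set)

@dataclass
class Message:
    id: int
    stream: Stream
    sender: str

def unsubscribe(stream: Stream, user: str) -> None:
    """Remove a user from a stream, remembering that they used to be on it."""
    stream.subscribers.discard(user)
    stream.former_subscribers.add(user)

def can_access_legacy(user: str, msg: Message) -> bool:
    # Flawed model: "could this user ever see the message?" also answers yes
    # for people who have since been removed from a private stream.
    s = msg.stream
    return (not s.invite_only) or user in s.subscribers or user in s.former_subscribers

def can_access_current(user: str, msg: Message) -> bool:
    # Corrected model: a private stream requires a *current* subscription.
    s = msg.stream
    return (not s.invite_only) or user in s.subscribers

def can_edit_own_message(user: str, msg: Message, access_check) -> bool:
    """Edit/delete of one's own message is allowed only if the user still has
    access to the message; organization-level permissions are assumed to allow it."""
    return access_check(user, msg) and msg.sender == user

def scenario():
    """Constructed scenario: alice posts in a private stream, then is removed."""
    secret = Stream("secret", invite_only=True, subscribers={"alice", "bob"})
    msg = Message(1, secret, sender="alice")
    unsubscribe(secret, "alice")
    return (can_edit_own_message("alice", msg, can_access_legacy),
            can_edit_own_message("alice", msg, can_access_current))
```

`scenario()` returns `(True, False)`: the legacy check still lets the removed user edit her old message, the current-subscription check does not.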

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: