Zulip Server 7.4 security release
We released Zulip Server 7.4 today! This is a security release, containing important security fixes and cherry-picked changes since Zulip Server 7.3.
We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.
CVE-2023-4863: Critical security vulnerability in libwebp
CVE-2023-4863 is a critical security vulnerability in the libwebp library, the official library for processing the popular webp image format. The vulnerability allows an attacker to craft a malicious webp image that will execute arbitrary attacker-controlled code when software processes or displays the malicious image.
Because webp is a popular image format, this vulnerability affects a great deal of software, including the Chrome, Edge, and Firefox browsers. The vulnerability is known to have been actively exploited in the wild prior to being publicly disclosed by Google on Tuesday, September 12.
The Zulip server bundles libwebp as part of its support for uploaded avatars, custom emoji, realm icons, and other image types that can be uploaded in the settings part of the web application. This Zulip Server 7.4 release upgrades libwebp, fixing CVE-2023-4863 for the Zulip Server.
We recommend upgrading to this release to close this vulnerability as soon as possible.
If your installation cannot upgrade for whatever reason, one can protect the Zulip server from this vulnerability by deleting the PIL._webp plugin from the Zulip Python environment and then restarting the Zulip server:
    rm -f /srv/zulip-venv-cache/*/zulip-py3-venv/lib/python*/site-packages/PIL/_webp.*.so
While the Zulip server supports uploading webp images, the Zulip 7.x web application does not allow uploading them via the UI, so this mitigation will not impact the Zulip user experience.
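The mitigation above works by removing the Pillow extension module that decodes webp, so a sensible follow-up is to confirm that the module is really gone and that Pillow no longer reports webp support. The script below is an added example, not Zulip project code: it searches the same venv path pattern the rm command uses for any remaining _webp extension (the default path is an assumption about a standard Zulip install), asks Pillow whether webp decoding is still enabled, and sniffs upload bytes for the RIFF/WEBP container header so that webp data can be rejected with a clear, auditable reason before it reaches an image decoder. The sample byte strings are constructed for the example and are not real images.

```python
"""Verify the CVE-2023-4863 mitigation (Pillow's _webp plugin removed) and
gate uploads on the WebP container signature.

Added example for this release note; not Zulip's own code. The venv glob
mirrors the rm command in the post and assumes a default install location.
"""
import glob
import os

# Assumption: default Zulip virtualenv cache location (same pattern as the rm command).
DEFAULT_SITE_PACKAGES_GLOB = (
    "/srv/zulip-venv-cache/*/zulip-py3-venv/lib/python*/site-packages"
)

# Constructed sample inputs (not real images): a 12-byte RIFF/WEBP container
# header and the 8-byte PNG signature.
SAMPLE_WEBP_HEADER = b"RIFF" + (4).to_bytes(4, "little") + b"WEBP"
SAMPLE_PNG_HEADER = b"\x89PNG\r\n\x1a\n"


def find_webp_plugins(site_packages_glob=DEFAULT_SITE_PACKAGES_GLOB):
    """Return paths of any Pillow _webp extension modules still on disk.

    An empty list means the files targeted by the rm command are gone.
    """
    pattern = os.path.join(site_packages_glob, "PIL", "_webp*.so")
    return sorted(glob.glob(pattern))


def pillow_webp_enabled():
    """Ask Pillow itself whether WebP decoding is available.

    Returns True/False when Pillow is importable, None when it is not installed
    in this interpreter (the check must then be run inside the Zulip venv).
    """
    try:
        from PIL import features
    except ImportError:
        return None
    return bool(features.check("webp"))


def is_webp(data):
    """Sniff the WebP container: 'RIFF' at offset 0 and 'WEBP' at offset 8.

    Only the signature is checked; a truncated or oddly sized file still
    counts as WebP so it cannot slip past the gate by being malformed.
    """
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP"


def gate_upload(data, webp_allowed):
    """Decide whether upload bytes may be handed to an image decoder.

    With the plugin removed Pillow cannot decode WebP anyway; rejecting it up
    front yields a clear error and a log-worthy reason instead of an opaque
    decoder failure.
    """
    if is_webp(data) and not webp_allowed:
        return ("reject", "webp decoding disabled (CVE-2023-4863 mitigation)")
    return ("accept", None)


def mitigation_report(site_packages_glob=DEFAULT_SITE_PACKAGES_GLOB):
    """Summarise both checks so an operator can see at a glance whether the
    workaround is fully in place."""
    plugins = find_webp_plugins(site_packages_glob)
    enabled = pillow_webp_enabled()
    return {
        "remaining_webp_plugins": plugins,
        "pillow_webp_enabled": enabled,
        # Mitigated only if no plugin files remain and Pillow (if present)
        # reports WebP as unavailable.
        "mitigated": not plugins and enabled is not True,
    }


if __name__ == "__main__":
    for key, value in mitigation_report().items():
        print(f"{key}: {value}")
    print("sample webp header ->", gate_upload(SAMPLE_WEBP_HEADER, webp_allowed=False))
    print("sample png header  ->", gate_upload(SAMPLE_PNG_HEADER, webp_allowed=False))
```

Run it with the Zulip venv's Python so that the Pillow check reflects the interpreter the server actually uses; run from another interpreter, pillow_webp_enabled() returns None and only the on-disk check is meaningful.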
Zulip Desktop release for CVE-2023-4863
The Zulip Desktop app supports displaying webp images and thus was also affected by CVE-2023-4863.
Zulip Desktop v5.10.2 was released yesterday with an upgraded version of this library fixing the vulnerability. The Zulip desktop app upgrades automatically, but installations that manage the package themselves should be sure to upgrade their installations.
- CVE-2023-4863: Upgrade vulnerable
- Fixed a left sidebar layout bug affecting languages like Russian with very long translations of certain menu items.
- Fixed a bug in the reverse proxy misconfiguration warnings introduced in 7.2.
- Fixed a bug causing some exception report emails generated by the Zulip server to be unpleasantly verbose.
- Fixed the compose area “Enter sends” configuration incorrectly advertising “Enter” instead of “Return” on macOS systems.
- Fixed a bug in the password reset form introduced in 7.3.
- Improved troubleshooting guide discussion of restarting services.
- Upgraded dependencies.
- Updated translations.