Zulip Server 7.4 security release
We released Zulip Server 7.4 today! This is a security release, containing important security fixes and cherry-picked changes since Zulip Server 7.3.
Upgrading
We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.
CVE-2023-4863: Critical security vulnerability in libwebp
CVE-2023-4863 is a critical security vulnerability in the libwebp library, the official library for processing the popular webp image format. The vulnerability allows an attacker to craft a malicious webp image that will execute arbitrary attacker-controlled code when software processes or displays the malicious image.
Because webp is a popular image format, this vulnerability affects a great deal of software, including the Chrome, Edge, and Firefox browsers. CVE-2023-4863 is reported to have been actively exploited in the wild prior to being publicly disclosed by Google on Tuesday, September 12.
The Zulip server bundles libwebp as part of its support for uploaded avatars, custom emoji, realm icons, and other image types that can be uploaded in the settings part of the web application. This Zulip Server 7.4 release upgrades libwebp, fixing CVE-2023-4863 for the Zulip Server.
Mitigation
We recommend upgrading to this release to close this vulnerability as soon as possible.
If your installation cannot upgrade for whatever reason, one can protect the Zulip server from this vulnerability by deleting the PIL._webp plugin from the Zulip Python environment and then restarting the Zulip server:
rm -f /srv/zulip-venv-cache/*/zulip-py3-venv/lib/python*/site-packages/PIL/_webp.*.so
/home/zulip/deployments/current/scripts/restart-server
While the Zulip server supports uploading webp images, the Zulip 7.x web application does not allow uploading them via the UI, so this mitigation will not impact the Zulip user experience.
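As an added check that is not part of this advisory or of Zulip's own code, the following script confirms whether the mitigation above took effect in a given interpreter: run it with the Zulip venv's Python and it reports whether Pillow can still load PIL._webp and, if so, whether the bundled libwebp predates the fix. It assumes Pillow's PIL.features API (check, and from Pillow 8.0 version) and that libwebp 1.3.2 is the upstream release that fixed CVE-2023-4863.

```python
"""Post-mitigation check for CVE-2023-4863: does this Python environment's Pillow
still load its bundled libwebp plugin (PIL._webp), and if so, is libwebp old?
Run it with the Zulip venv's interpreter after applying the advisory's mitigation."""
from __future__ import annotations

import re

# Upstream fix release for CVE-2023-4863 (assumption stated in the lead-in).
FIXED_LIBWEBP = (1, 3, 2)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.3.1' or '1.3.2rc1' into a comparable integer tuple, ignoring suffixes."""
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised libwebp version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def libwebp_is_fixed(version: str) -> bool:
    """True when the given libwebp version is at or past the fix release."""
    return parse_version(version) >= FIXED_LIBWEBP


def webp_status() -> dict:
    """Probe Pillow in the running interpreter.

    Returns {'plugin_loaded', 'libwebp_version', 'vulnerable'}. With PIL._webp removed
    (the advisory's mitigation) or Pillow absent, no webp decoding is possible.
    """
    try:
        from PIL import features  # Pillow must be importable in this interpreter
    except ImportError:
        return {"plugin_loaded": False, "libwebp_version": None, "vulnerable": False}
    if not features.check("webp"):  # PIL._webp is gone, so webp support is disabled
        return {"plugin_loaded": False, "libwebp_version": None, "vulnerable": False}
    version_fn = getattr(features, "version", None)  # Pillow >= 8.0 reports the libwebp version
    version = version_fn("webp") if version_fn else None
    # An unknown version is reported as vulnerable so that the check fails safe.
    vulnerable = version is None or not libwebp_is_fixed(version)
    return {"plugin_loaded": True, "libwebp_version": version, "vulnerable": vulnerable}


if __name__ == "__main__":
    status = webp_status()
    print(status)
    raise SystemExit(1 if status["vulnerable"] else 0)
```

The exit status is non-zero only when the plugin still loads with a libwebp older than the fix (or of unknown version), so it can be dropped into a post-deploy check.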
Zulip Desktop release for CVE-2023-4863
The Zulip Desktop app supports displaying webp images and thus was also affected by CVE-2023-4863.
Zulip Desktop v5.10.2 was released yesterday with an upgraded version of this library fixing the vulnerability. The Zulip desktop app upgrades automatically, but installations that manage the package themselves should be sure to upgrade their installations.
Notable changes
- CVE-2023-4863: Upgrade vulnerable libwebp dependency.
- Fixed a left sidebar layout bug affecting languages like Russian with very long translations of certain menu items.
- Fixed a bug in the reverse proxy misconfiguration warnings introduced in 7.2.
- Fixed a bug causing some exception report emails generated by the Zulip server to be unpleasantly verbose.
- Fixed the compose area “Enter sends” configuration incorrectly advertising “Enter” instead of “Return” on macOS systems.
- Fixed a bug in the password reset form introduced in 7.3.
- Improved troubleshooting guide discussion of restarting services.
- Upgrade dependencies.
- Updated translations.
Community
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org and provide feedback directly to the development community!
- Follow us on Mastodon, Twitter/X, or join our announcement mailing list.