
Zulip Server 7.4 security release

Tim Abbott

We released Zulip Server 7.4 today! This is a security release, containing important security fixes and cherry-picked changes since Zulip Server 7.3.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.

CVE-2023-4863: Critical security vulnerability in libwebp

CVE-2023-4863 is a critical security vulnerability in the libwebp library, the official library for processing the popular webp image format. The vulnerability allows an attacker to craft a malicious webp image that will execute arbitrary attacker-controlled code when software processes or displays the malicious image.

Because webp is a popular image format, this vulnerability affects a great deal of software, including the Chrome, Edge, and Firefox browsers. CVE-2023-4863 is reported to have been actively exploited in the wild prior to being publicly disclosed by Google on Tuesday, September 12.

The Zulip server bundles libwebp as part of its support for uploaded avatars, custom emoji, realm icons, and other images that can be uploaded through the settings area of the web application. This Zulip Server 7.4 release upgrades libwebp, fixing CVE-2023-4863 for the Zulip server.

Mitigation

We recommend upgrading to this release to close this vulnerability as soon as possible.

If your installation cannot upgrade for whatever reason, you can protect the Zulip server from this vulnerability by deleting the PIL._webp plugin (the Pillow extension module that loads libwebp) from the Zulip Python environment and then restarting the Zulip server:

rm -f /srv/zulip-venv-cache/*/zulip-py3-venv/lib/python*/site-packages/PIL/_webp.*.so
/home/zulip/deployments/current/scripts/restart-server

While the Zulip server supports uploading webp images, the Zulip 7.x web application does not allow uploading them via the UI, so this mitigation will not impact the Zulip user experience.
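The following helpers, added here as an example and not part of the announcement or the Zulip codebase, let an administrator confirm that the plugin removal above actually took effect; they assume the venv cache layout used by the rm command, and the function names are this example's own.

```shell
# Added verification helpers (not from the Zulip announcement or project): check that the
# PIL._webp removal has been applied before relying on it as a mitigation.
# Assumes the /srv/zulip-venv-cache/*/zulip-py3-venv layout from the rm command above.

# List every Pillow webp plugin still present below $1 (default: Zulip's venv cache).
webp_plugins_under() {
    root="${1:-/srv/zulip-venv-cache}"
    find "$root" -type f -path '*/zulip-py3-venv/lib/python*/site-packages/PIL/_webp.*.so' 2>/dev/null
}

# Succeed (exit 0) only when no webp plugin remains below $1.
webp_mitigation_applied() {
    n=$(webp_plugins_under "$1" | wc -l)
    [ "$n" -eq 0 ]
}

# Independent check: the venv interpreter given as $1 must fail to import PIL._webp.
# Pillow decodes webp only through that module, so a failed import means libwebp cannot be reached.
webp_import_blocked() {
    if "$1" -c 'import PIL._webp' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Human-readable report for one venv cache root; exit status mirrors webp_mitigation_applied
# (2 when the root does not exist, so a typo in the path is not mistaken for a clean host).
webp_report() {
    root="${1:-/srv/zulip-venv-cache}"
    if [ ! -d "$root" ]; then
        echo "venv cache $root not found; nothing to check" >&2
        return 2
    fi
    if webp_mitigation_applied "$root"; then
        echo "OK: no PIL._webp plugin under $root (restart the server if you have not yet done so)"
    else
        echo "STILL PRESENT: these plugins can still load libwebp:"
        webp_plugins_under "$root"
        return 1
    fi
}

# Usage on a Zulip host, after the rm/restart commands above:
#   webp_report
#   webp_import_blocked /path/to/zulip-py3-venv/bin/python3 && echo "import blocked"
```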

Zulip Desktop release for CVE-2023-4863

The Zulip Desktop app supports displaying webp images and thus was also affected by CVE-2023-4863.

Zulip Desktop v5.10.2 was released yesterday with an upgraded version of this library fixing the vulnerability. The Zulip desktop app upgrades automatically, but installations that manage the package themselves should make sure to upgrade.

Notable changes

  • CVE-2023-4863: Upgrade vulnerable libwebp dependency.
  • Fixed a left sidebar layout bug affecting languages like Russian with very long translations of certain menu items.
  • Fixed a bug in the reverse proxy misconfiguration warnings introduced in 7.2.
  • Fixed a bug causing some exception report emails generated by the Zulip server to be unpleasantly verbose.
  • Fixed the compose area “Enter sends” configuration incorrectly advertising “Enter” instead of “Return” on macOS systems.
  • Fixed a bug in the password reset form introduced in 7.3.
  • Improved troubleshooting guide discussion of restarting services.
  • Upgraded dependencies.
  • Updated translations.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: