Zulip Server 7.5 security release
We released Zulip Server 7.5 today! This is a security release, containing important security fixes and cherry-picked changes since Zulip Server 7.4.
Upgrading
We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.
Notable changes
- CVE-2023-47642: Invalid metadata access for formerly subscribed streams. It was discovered by the Zulip development team that active users who had previously been subscribed to a stream incorrectly continued being able to use the Zulip API to access metadata for that stream. As a result, users who had been removed from a stream, but still had an account in the organization, could still view metadata for that stream (including the stream name, description, settings, and an email address used to send emails into the stream via the incoming email integration). This potentially allowed users to see changes to a stream's metadata after they had lost access to the stream. This bug was present in all Zulip releases prior to today's Zulip Server 7.5.
- Fixed a bug where backups might be written using `postgresql-client-16`, which could not be straightforwardly restored into a Zulip instance, as the format is not backwards-compatible, and Zulip does not yet support PostgreSQL 16.
- Renamed the `reactivate_stream` management command to `unarchive_stream`, to match terminology in the app, and documented it.
- Fixed a regression, introduced in 6.0, where users created via the API or LDAP would have English set as their language, ignoring the configured realm default.
- Improved documentation on `AUTH_LDAP_ADVANCED_REALM_ACCESS_CONTROL`.
- Improved error messages for subdomains being reserved versus being in use.
- Upgraded Python dependencies.
- Updated translations.
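The CVE-2023-47642 item above describes a familiar authorization bug class: a check that asks "does a subscription record exist for this user and stream?" instead of "is the user currently subscribed?". The following is an added, hypothetical model of that class written for this post; it is not Zulip's code, and the `Stream`, `Subscription` and `Realm` classes, the `active` flag, the two check functions and the sample data are all constructed for illustration. It places the weak check beside the hardened one and includes the regression test a maintainer would keep so a formerly subscribed user can never again read stream metadata.

```python
"""Illustrative model of the access-control flaw class behind CVE-2023-47642.

Added example, not Zulip's implementation: the data model, the check
functions and the sample realm below are hypothetical and constructed.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Stream:
    stream_id: int
    name: str
    description: str
    email_address: str  # incoming-email integration address (constructed value)


@dataclass
class Subscription:
    user_id: int
    stream_id: int
    active: bool  # False once the user has been removed from the stream


@dataclass
class Realm:
    streams: dict[int, Stream] = field(default_factory=dict)
    subscriptions: list[Subscription] = field(default_factory=list)


AccessCheck = Callable[[Realm, int, int], bool]


def has_subscription_record(realm: Realm, user_id: int, stream_id: int) -> bool:
    # Weak check: any subscription row, active or not, grants access.
    # This is the pattern that lets a removed user keep reading metadata.
    return any(
        s.user_id == user_id and s.stream_id == stream_id for s in realm.subscriptions
    )


def has_active_subscription(realm: Realm, user_id: int, stream_id: int) -> bool:
    # Hardened check: only a currently active subscription grants access.
    return any(
        s.user_id == user_id and s.stream_id == stream_id and s.active
        for s in realm.subscriptions
    )


def get_stream_metadata(
    realm: Realm, user_id: int, stream_id: int, access_check: AccessCheck
) -> dict:
    """Return the metadata a subscribed user may see, or refuse.

    An unknown stream and a stream the caller may not access produce the
    same error, so the endpoint does not double as an existence oracle.
    """
    stream = realm.streams.get(stream_id)
    if stream is None or not access_check(realm, user_id, stream_id):
        raise PermissionError("Invalid stream")
    return {
        "name": stream.name,
        "description": stream.description,
        "email_address": stream.email_address,
    }


def build_sample_realm() -> Realm:
    """Constructed fixture: user 1 is subscribed, user 2 was removed."""
    realm = Realm()
    realm.streams[10] = Stream(
        stream_id=10,
        name="security-incidents",
        description="Constructed private stream",
        email_address="security-incidents.EXAMPLE-TOKEN@example.invalid",
    )
    realm.subscriptions.append(Subscription(user_id=1, stream_id=10, active=True))
    realm.subscriptions.append(Subscription(user_id=2, stream_id=10, active=False))
    return realm


def formerly_subscribed_user_is_denied(realm: Realm, access_check: AccessCheck) -> bool:
    """Regression test for the bug class: a removed user must get an error."""
    try:
        get_stream_metadata(realm, user_id=2, stream_id=10, access_check=access_check)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    realm = build_sample_realm()
    print("weak check blocks removed user:", formerly_subscribed_user_is_denied(realm, has_subscription_record))
    print("hardened check blocks removed user:", formerly_subscribed_user_is_denied(realm, has_active_subscription))
```

Running the block shows the weak check leaking the stream name, description and incoming-email address to user 2 while the hardened check refuses; keeping `formerly_subscribed_user_is_denied` in a test suite is what prevents the same gap from reopening when the check is later refactored.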
Community
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org and provide feedback directly to the development community!
- Follow us on Mastodon, Twitter/X, or join our announcement mailing list.