Zulip Server 9.4 security release

Alex Vandiver

We released Zulip Server 9.4 today! This is a security release, containing important security fixes and cherry-picked changes since Zulip Server 9.3.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation.

Commercial support for server upgrades is available for installations that purchase a Business or Enterprise plan. For community support, everyone is welcome to drop by the Zulip development community.

Notable changes

  • CVE-2024-56136: Fixed a bug where servers hosting multiple organizations could leak information to an unauthenticated attacker about which email addresses were in use. Servers hosting only a single organization are unaffected by this vulnerability.
  • Upgraded the Slack integration to support Slack’s Events API (while still supporting their legacy outgoing webhook API). Installations using the Slack integration should consider recreating their integration with the more modern API, as Slack will eventually remove the legacy API and some planned improvements to the integration are only possible with Slack’s modern API.
  • Merged two Traditional Chinese localizations into each other.
  • Improved support for bot avatars in Slack imports.
  • Fixed localization of the integrations page for some languages.
  • Fixed a bug where users would be shown the UI for changing another user’s avatar, even if they did not have that permission.
  • Updated the requirements documentation to suggest allocating swap space for hosts with less than 5GB of RAM.
  • Updated Python dependencies.
  • Updated translations.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: