Security - The Zulip Blog

Tagged

Security

A collection of 28 posts

Release announcements

Zulip Server 5.6 security release

We released Zulip Server 5.6 today! This is a security release, containing an important security fix and several cherry-picked changes since Zulip Server 5.5. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort

Release announcements

Zulip Server 5.5 security release

We released Zulip Server 5.5 today! This is a security release, containing an important security fix and several cherry-picked changes since Zulip Server 5.4. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort

Data exported by Zulip Cloud organization administrators contained private files

Administrators of Zulip Cloud organizations can export public data from their organization via the organization settings menu. The exports include all the data that appears in public streams, and can be used to migrate from Zulip Cloud to self-hosting Zulip. Note that exporting private data is a separate process that

Release announcements

Zulip Server 5.4 security release

We released Zulip Server 5.4 today! This is a security release, containing a security fix and several cherry-picked changes since Zulip Server 5.3. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support

Release announcements

Zulip Server 5.3 security release

We released Zulip Server 5.3 today! This is a security release, containing a minor security fix and several cherry-picked changes since Zulip Server 5.2. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort

Release announcements

Zulip Server 4.11 security release

We released Zulip Server 4.11 today! This is a security release, containing a minor security fix. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org. Reminder: upgrade

Zulip Cloud security vulnerability with reusable invitation links

An internal investigation recently uncovered a vulnerability (identified as CVE-2022-21706) in Zulip’s invitation links. Specifically, a reusable invitation link could be used to join a different organization than the one it was created for. As a result, there was a potential for users to join any organization without an

Release announcements

Zulip Server 4.10 security release

We released Zulip Server 4.10 today! This is a security release, containing important security fixes, as well as important cherry-picked bug fixes, since Zulip Server 4.9. Upgrading We strongly recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you

Release announcements

Zulip Server 4.9 security release

We released Zulip Server 4.9 today! This is a security release, containing critical security fixes, as well as important cherry-picked bug fixes, since Zulip Server 4.8. UpgradingWe strongly recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need

CVE-2021-3866: XSS in stream names

This is an important security announcement for Zulip installations running the main (development) branch of the Zulip server. The main branch of Zulip Server, since a commit merged on December 4th, was vulnerable to a stored cross-site scripting vulnerability in stream names. A malicious user with permission to create or

Release announcements

Zulip Server 4.8 security release

We released Zulip Server 4.8 today! This is a security release, containing important security fixes, as well as important cherry-picked bug fixes, since Zulip Server 4.7. Deprecating support for Ubuntu 18.04 BionicWith this release, we are deprecating support for Ubuntu 18.04 Bionic. Specifically, Ubuntu 18.04

Release announcements

Zulip Server 4.7 security release

We released Zulip Server 4.7 today! This is a security release, containing minor security fixes since Zulip Server 4.6. What's newThis release fixes CVE-2021-41115, which prevents organization administrators from affecting the server with a regular expression denial-of-service attack through linkifier patterns. Parts of this vulnerability were discovered by

Release announcements

Zulip Server 4.4 security release

We released Zulip Server 4.4 today! This is a security release, containing important security fixes, as well as important cherry-picked bug fixes, since Zulip Server 4.3. What’s newThis release fixes the following issues: Added a tool to fix potential database corruption caused by host OS upgrades; see

Release announcements

Zulip Server 3.4 security release

Zulip Server 3.4 was released today! This is a security release, containing important security updates for the 3.x series of Zulip Server. This will likely be the last release in the 3.x stable release series, as we are getting close to publishing the first release candidate for

March 18 Zulip Cloud security incident

On Thursday, March 18, 2021, Zulip Cloud had an important security incident. In short, a subtle caching bug resulted in up to 149 users being shown a broken read-only version of the Zulip UI from one of 26 other users whose data was incorrectly cached. This malfunctioning interface did not

Zulip Desktop 5.4.3 security release

Today we released Zulip Desktop 5.4.3, fixing a security issue: CVE-2020-24582: Zulip Desktop failed to escape various strings interpolated into the user interface HTML. This could result in code execution when connecting to a maliciously altered Zulip server. The Zulip security team discovered this issue during internal auditing.

Release announcements

Zulip Server 2.1.7 security release

We released Zulip Server 2.1.7 today. This is a security release, containing a couple cherry-picked changes since Zulip Server 2.1.6. What’s newThis releases fixes multiple important bugs in previous versions of Zulip. It contains fixes for the following issues: CVE-2020-15070: Fix privilege escalation vulnerability with

Release announcements

Zulip Server 2.1.5 security release

We released Zulip Server 2.1.5 today. This is a security release, containing a dozen cherry-picked changes since Zulip Server 2.1.4. What’s newThis releases fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues: CVE-2020-12759: Fix reflected XSS vulnerability in

Release announcements

Zulip Desktop 5.2.0 security release

Today we released Zulip Desktop 5.2.0, fixing a critical security issue: CVE-2020-12637: Zulip Desktop 0.5.10 introduced a certificate validation handler to support the undocumented ignoreCerts option available by manually editing the configuration file. However, the handler inadvertently disabled all certificate validation, whether or not ignoreCerts was

Release announcements

Zulip server 2.1.3 security release

We released Zulip Server 2.1.3 today. This is a security release, containing a few dozen cherry-picked changes since Zulip 2.1.2. What’s newThis releases fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues: CVE-2020-9444: Reverse tabnabbing vulnerability in Zulip

Release announcements

Zulip Desktop 5.0.0 security release

Today we released Zulip Desktop 5.0.0, fixing multiple critical security issues as well as several other important issues: CVE-2020-10856: Remote code execution due to missing context isolation.CVE-2020-10857: Remote code execution due to unsafe use of shell.openExternal and shell.openItem.Downloaded files will no longer be opened

Release announcements

Zulip Desktop 4.0.3 security release

Today we released Zulip Desktop 4.0.3, fixing a critical security issue: CVE-2020-9443: Web security was disabled in the Electron webview.This is a critical security issue because Zulip's security model for uploaded files relies on the browser (in this case Electron) enforcing the web security model. Huge thanks

Release announcements

Zulip 2.1.2 security release

We released Zulip Server 2.1.2 today. This is a security release, containing a few dozen cherry-picked changes since Zulip 2.1.1. What’s newThis releases fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues: Corrected fix for CVE-2019-19775 (the original

Release announcements

Zulip 2.0.8 security release

We released Zulip Server 2.0.8 today. This is a security release, containing a handful of cherry-picked changes since Zulip 2.0.7. What’s newThis release fixes a security bug in Zulip 1.9.0 and greater: CVE-2019-19775: Close open redirect in thumbnail view.UpgradingAll installations should upgrade

Release announcements

Zulip 2.0.7 security release

We released Zulip Server 2.0.7 today. This is a security release, containing a handful of cherry-picked changes since Zulip 2.0.6. What’s newThis release fixes an important security bug in previous versions of Zulip. Quoting from the commit fixing it: CVE-2019-18933: Fix insecure account creation via