Security

32 posts published

Release announcements, Security

Zulip Server 7.4 security release

We released Zulip Server 7.4 today! This is a security release, containing important security fixes and cherry-picked changes since Zulip Server 7.3. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, …

Tim AbbottSep 16, 2023•3 min read

Release announcements, Security

Zulip Server 7.3 security release

We released Zulip Server 7.3 today! This is a security release, containing important security fixes and cherry-picked changes since Zulip Server 7.2. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, …

Alex VandiverAug 25, 2023•3 min read

Release announcements, Security

Zulip Server 6.2 security release

We released Zulip Server 6.2 today! This is a security release, containing two security fixes and several cherry-picked changes since Zulip Server 6.1. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, …

Alex VandiverMay 19, 2023•3 min read

Release announcements, Security

Zulip Server 5.7 security release

We released Zulip Server 5.7 today! This is a security release, containing a security fix and several cherry-picked changes since Zulip Server 5.6. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort …

Alex VandiverNov 16, 2022•2 min read

Release announcements, Security

Zulip Server 5.6 security release

We released Zulip Server 5.6 today! This is a security release, containing an important security fix and several cherry-picked changes since Zulip Server 5.5. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need …

Greg PriceAug 24, 2022•2 min read

Release announcements, Security

Zulip Server 5.5 security release

We released Zulip Server 5.5 today! This is a security release, containing an important security fix and several cherry-picked changes since Zulip Server 5.4. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need …

Matt KellerJul 22, 2022•2 min read

Zulip Cloud, Security

Data exported by Zulip Cloud organization administrators contained private files

Administrators of Zulip Cloud organizations can export public data from their organization via the organization settings menu. The exports include all the data that appears in public streams, and can be used to migrate from Zulip Cloud to self-hosting Zulip. Note that exporting private data is a separate …

Alex VandiverJul 12, 2022•2 min read

Release announcements, Security

Zulip Server 5.4 security release

We released Zulip Server 5.4 today! This is a security release, containing a security fix and several cherry-picked changes since Zulip Server 5.3. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort …

Alex VandiverJul 12, 2022•2 min read

Release announcements, Security

Zulip Server 5.3 security release

We released Zulip Server 5.3 today! This is a security release, containing a minor security fix and several cherry-picked changes since Zulip Server 5.2. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, …

Alex VandiverJun 21, 2022•3 min read

Release announcements, Security

Zulip Server 4.11 security release

We released Zulip Server 4.11 today! This is a security release, containing a minor security fix. Upgrading We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org. …

Alex VandiverMar 15, 2022•2 min read

Security, Zulip Cloud

Zulip Cloud security vulnerability with reusable invitation links

An internal investigation recently uncovered a vulnerability (identified as CVE-2022-21706) in Zulip’s invitation links. Specifically, a reusable invitation link could be used to join a different organization than the one it was created for. As a result, there was a potential for users to join any organization …

Alex VandiverFeb 25, 2022•2 min read

Release announcements, Security

Zulip Server 4.10 security release

We released Zulip Server 4.10 today! This is a security release, containing important security fixes, as well as important cherry-picked bug fixes, since Zulip Server 4.9. Upgrading We strongly recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. …

Alex VandiverFeb 25, 2022•3 min read

Release announcements, Security

Zulip Server 4.9 security release

We released Zulip Server 4.9 today! This is a security release, containing critical security fixes, as well as important cherry-picked bug fixes, since Zulip Server 4.8. Upgrading We strongly recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. …

Alex VandiverJan 25, 2022•7 min read

Security

CVE-2021-3866: XSS in stream names

This is an important security announcement for Zulip installations running the main (development) branch of the Zulip server. The main branch of Zulip Server, since a commit merged on December 4th, was vulnerable to a stored cross-site scripting vulnerability in stream names. A malicious user with permission …

Alex VandiverJan 19, 2022•3 min read

Release announcements, Security

Zulip Server 4.8 security release

We released Zulip Server 4.8 today! This is a security release, containing important security fixes, as well as important cherry-picked bug fixes, since Zulip Server 4.7. Deprecating support for Ubuntu 18.04 Bionic With this release, we are deprecating support for Ubuntu 18.04 Bionic. Specifically, …

Alex VandiverDec 1, 2021•3 min read

Release announcements, Security

Zulip Server 4.7 security release

We released Zulip Server 4.7 today! This is a security release, containing minor security fixes since Zulip Server 4.6. What’s new This release fixes CVE-2021-41115, which prevents organization administrators from affecting the server with a regular expression denial-of-service attack through linkifier …

Alex VandiverOct 4, 2021•1 min read

Release announcements, Security

Zulip Server 4.4 security release

We released Zulip Server 4.4 today! This is a security release, containing important security fixes, as well as important cherry-picked bug fixes, since Zulip Server 4.3. What’s new This release fixes the following issues: Added a tool to fix potential database corruption caused by host OS upgrades; …

Alex VandiverJul 22, 2021•5 min read

Release announcements, Security

Zulip Server 3.4 security release

Zulip Server 3.4 was released today! This is a security release, containing important security updates for the 3.x series of Zulip Server. This will likely be the last release in the 3.x stable release series, as we are getting close to publishing the first release candidate for Zulip 4.0. What’s new …

Alex VandiverApr 14, 2021•2 min read

Security, Zulip Cloud

March 18 Zulip Cloud security incident

On Thursday, March 18, 2021, Zulip Cloud had an important security incident. In short, a subtle caching bug resulted in up to 149 users being shown a broken read-only version of the Zulip UI from one of 26 other users whose data was incorrectly cached. This malfunctioning interface did not display …

Tim AbbottMar 20, 2021•12 min read

Release announcements, Security

Zulip Desktop 5.4.3 security release

Today we released Zulip Desktop 5.4.3, fixing a security issue: CVE-2020-24582: Zulip Desktop failed to escape various strings interpolated into the user interface HTML. This could result in code execution when connecting to a maliciously altered Zulip server. The Zulip security team discovered this …

Anders KaseorgSep 10, 2020•1 min read

Release announcements, Security

Zulip Server 2.1.7 security release

We released Zulip Server 2.1.7 today. This is a security release, containing a couple cherry-picked changes since Zulip Server 2.1.6. What’s new This releases fixes multiple important bugs in previous versions of Zulip. It contains fixes for the following issues: CVE-2020-15070: Fix privilege escalation …

Tim AbbottJun 26, 2020•2 min read

Release announcements, Security

Zulip Server 2.1.5 security release

We released Zulip Server 2.1.5 today. This is a security release, containing a dozen cherry-picked changes since Zulip Server 2.1.4. What’s new This releases fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues: CVE-2020-12759: Fix reflected XSS vulnerability …

Tim AbbottJun 17, 2020•4 min read

Release announcements, Security

Zulip Desktop 5.2.0 security release

Today we released Zulip Desktop 5.2.0, fixing a critical security issue: CVE-2020-12637: Zulip Desktop 0.5.10 introduced a certificate validation handler to support the undocumented ignoreCerts option available by manually editing the configuration file. However, the handler inadvertently disabled …

Anders KaseorgMay 6, 2020•2 min read

Release announcements, Security

Zulip server 2.1.3 security release

We released Zulip Server 2.1.3 today. This is a security release, containing a few dozen cherry-picked changes since Zulip 2.1.2. What’s new This releases fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues: CVE-2020-9444: Reverse tabnabbing vulnerability …

Tim AbbottApr 1, 2020•2 min read

Release announcements, Security

Zulip Desktop 5.0.0 security release

Today we released Zulip Desktop 5.0.0, fixing multiple critical security issues as well as several other important issues: CVE-2020-10856: Remote code execution due to missing context isolation. CVE-2020-10857: Remote code execution due to unsafe use of shell.openExternal and shell.openItem. Downloaded …

Tim AbbottApr 1, 2020•3 min read

Release announcements, Security

Zulip Desktop 4.0.3 security release

Today we released Zulip Desktop 4.0.3, fixing a critical security issue: CVE-2020-9443: Web security was disabled in the Electron webview. This is a critical security issue because Zulip’s security model for uploaded files relies on the browser (in this case Electron) enforcing the web security model. …

Tim AbbottFeb 29, 2020•2 min read

Release announcements, Security

Zulip 2.1.2 security release

We released Zulip Server 2.1.2 today. This is a security release, containing a few dozen cherry-picked changes since Zulip 2.1.1. What’s new This releases fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues: Corrected fix for CVE-2019-19775 (the original …

Tim AbbottJan 16, 2020•2 min read

Release announcements, Security

Zulip 2.0.8 security release

We released Zulip Server 2.0.8 today. This is a security release, containing a handful of cherry-picked changes since Zulip 2.0.7. What’s new This release fixes a security bug in Zulip 1.9.0 and greater: CVE-2019-19775: Close open redirect in thumbnail view. Upgrading All installations should upgrade …

Tim AbbottDec 13, 2019•1 min read

Release announcements, Security

Zulip 2.0.7 security release

We released Zulip Server 2.0.7 today. This is a security release, containing a handful of cherry-picked changes since Zulip 2.0.6. What’s new This release fixes an important security bug in previous versions of Zulip. Quoting from the commit fixing it: CVE-2019-18933: Fix insecure account creation via …

Tim AbbottNov 21, 2019•3 min read

Release announcements, Security

Zulip Server 2.0.5 security release

We released Zulip Server 2.0.5 today. This is a security release, containing a handful of cherry-picked changes since Zulip 2.0.4. What’s new This releases fixes a few important bugs in previous versions of Zulip. It contains fixes for the following security issues: CVE-2019-16215: Fix DoS vulnerability …

Tim AbbottSep 11, 2019•2 min read

Release announcements, Security

Zulip 1.7.2 security release

Today we’re releasing Zulip Server 1.7.2. This is a security release, containing just a handful of cherry-picked changes since 1.7.1. What’s new This release fixes several security issues: CVE-2018-9986: Fix XSS issues with frontend markdown processor. CVE-2018-9987: Fix XSS issue with muting notifications. …

Tim AbbottApr 12, 2018•2 min read

Release announcements, Security

Zulip 1.7.1 security (+ Korean!) release

Today we’re releasing Zulip Server 1.7.1. This is a security release, containing just a handful of cherry-picked changes since 1.7.0. To readers in the US: happy Thanksgiving! We generally avoid making a security release just before a major holiday, but we’ve made an exception in this case because the …

Greg PriceNov 23, 2017•2 min read