Security - The Zulip Blog

Zulip Server 3.4 security release

Zulip Server 3.4 was released today! This is a security release, containing important security updates for the 3.x series of Zulip Server. This will likely be the last release in the 3.x stable release series, as we are getting close to publishing the first release candidate for

Security

March 18 Zulip Cloud security incident

On Thursday, March 18, 2021, Zulip Cloud had an important security incident. In short, a subtle caching bug resulted in up to 149 users being shown a broken read-only version of the Zulip UI from one of 26 other users whose data was incorrectly cached. This malfunctioning interface did not

Security

Zulip Desktop 5.4.3 security release

Today we released Zulip Desktop 5.4.3, fixing a security issue: CVE-2020-24582: Zulip Desktop failed to escape various strings interpolated into the user interface HTML. This could result in code execution when connecting to a maliciously altered Zulip server. The Zulip security team discovered this issue during internal auditing.

Release announcements

Zulip Server 2.1.7 security release

We released Zulip Server 2.1.7 today. This is a security release, containing a couple cherry-picked changes since Zulip Server 2.1.6. What’s newThis releases fixes multiple important bugs in previous versions of Zulip. It contains fixes for the following issues: CVE-2020-15070: Fix privilege escalation vulnerability with

Release announcements

Zulip Server 2.1.5 security release

We released Zulip Server 2.1.5 today. This is a security release, containing a dozen cherry-picked changes since Zulip Server 2.1.4. What’s newThis releases fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues: CVE-2020-12759: Fix reflected XSS vulnerability in

Release announcements

Zulip Desktop 5.2.0 security release

Today we released Zulip Desktop 5.2.0, fixing a critical security issue: CVE-2020-12637: Zulip Desktop 0.5.10 introduced a certificate validation handler to support the undocumented ignoreCerts option available by manually editing the configuration file. However, the handler inadvertently disabled all certificate validation, whether or not ignoreCerts was

Release announcements

Zulip server 2.1.3 security release

We released Zulip Server 2.1.3 today. This is a security release, containing a few dozen cherry-picked changes since Zulip 2.1.2. What’s newThis releases fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues: CVE-2020-9444: Reverse tabnabbing vulnerability in Zulip

Release announcements

Zulip Desktop 5.0.0 security release

Today we released Zulip Desktop 5.0.0, fixing multiple critical security issues as well as several other important issues: CVE-2020-10856: Remote code execution due to missing context isolation.CVE-2020-10857: Remote code execution due to unsafe use of shell.openExternal and shell.openItem.Downloaded files will no longer be opened

Release announcements

Zulip Desktop 4.0.3 security release

Today we released Zulip Desktop 4.0.3, fixing a critical security issue: CVE-2020-9443: Web security was disabled in the Electron webview.This is a critical security issue because Zulip's security model for uploaded files relies on the browser (in this case Electron) enforcing the web security model. Huge thanks

Release announcements

Zulip 2.1.2 security release

We released Zulip Server 2.1.2 today. This is a security release, containing a few dozen cherry-picked changes since Zulip 2.1.1. What’s newThis releases fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues: Corrected fix for CVE-2019-19775 (the original

Release announcements

Zulip 2.0.8 security release

We released Zulip Server 2.0.8 today. This is a security release, containing a handful of cherry-picked changes since Zulip 2.0.7. What’s newThis release fixes a security bug in Zulip 1.9.0 and greater: CVE-2019-19775: Close open redirect in thumbnail view.UpgradingAll installations should upgrade

Release announcements

Zulip 2.0.7 security release

We released Zulip Server 2.0.7 today. This is a security release, containing a handful of cherry-picked changes since Zulip 2.0.6. What’s newThis release fixes an important security bug in previous versions of Zulip. Quoting from the commit fixing it: CVE-2019-18933: Fix insecure account creation via

Release announcements

Zulip Server 2.0.5 security release

We released Zulip Server 2.0.5 today. This is a security release, containing a handful of cherry-picked changes since Zulip 2.0.4. What’s new This releases fixes a few important bugs in previous versions of Zulip. It contains fixes for the following security issues: CVE-2019-16215: Fix DoS

Release announcements

Zulip 1.7.2 security release

Today we’re releasing Zulip Server 1.7.2. This is a security release, containing just a handful of cherry-picked changes since 1.7.1. What’s new This release fixes several security issues: CVE-2018-9986: Fix XSS issues with frontend markdown processor. CVE-2018-9987: Fix XSS issue with muting notifications. CVE-2018-9990:

Release announcements

Zulip 1.7.1 security (+ Korean!) release

Today we’re releasing Zulip Server 1.7.1. This is a security release, containing just a handful of cherry-picked changes since 1.7.0. To readers in the US: happy Thanksgiving! We generally avoid making a security release just before a major holiday, but we’ve made an exception