Release announcements, Security

Zulip 2.1.2 security release

Tim Abbott

We released Zulip Server 2.1.2 today. This is a security release, containing a few dozen cherry-picked changes since Zulip 2.1.1.

What’s new

This release fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues:

  • Corrected fix for CVE-2019-19775 (the original fix was affected by an unfixed security bug in Python’s urllib, CVE-2015-2104).
  • Migrated data for handling replies to missed-message emails from semi-persistent redis to the fully persistent database.
  • Added authentication for redis and memcached even in configurations where these are running on localhost, for added hardening against attacks from malicious processes running on the Zulip server.
  • Improved error tracebacks for invalid memcached keys.
  • Improved logging for misconfigurations of LDAP authentication.
  • Improved error handling for invalid LDAP configurations.
  • Fixed support for using LDAP with email address visibility limited to administrators.
  • Fixed styling of complex markup within /me messages.
  • Fixed left sidebar duplicating some group private message threads.
  • Fixed the “Mentions” narrow being unable to mark messages as read.
  • Fixed error handling bug preventing rerunning the installer.
  • Fixed a few minor issues with migrations for upgrading from 2.0.x.

Upgrading

All installations should upgrade promptly to secure their installations. See the upgrade instructions in the Zulip documentation.

If you need help, best-effort support is available on chat.zulip.org, the Zulip community chat server.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: