
Zulip server 2.1.3 security release

Tim Abbott

We released Zulip Server 2.1.3 today. This is a security release, containing a few dozen cherry-picked changes since Zulip 2.1.2.

What’s new

This release fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues:

  • CVE-2020-9444: Reverse tabnabbing vulnerability in Zulip markdown.
  • CVE-2020-9445: XSS vulnerability in modal_link markdown feature. This was resolved by removing this markdown feature, which hasn’t been used in years.
  • CVE-2020-10935: XSS vulnerability in markdown link processing.
  • Blocked access from Zulip Desktop versions below 5.0.0 due to security issues with older releases. While most clients have already automatically upgraded, you can adjust DESKTOP_MINIMUM_VERSION and DESKTOP_WARNING_VERSION in version.py (and then restart the server) if you want to adjust this policy.
  • Restructured server initialization to simplify initialization of Docker containers (eliminating common classes of user error).
  • Removed buggy feedback bot (the ENABLE_FEEDBACK setting).
  • Migrated GitHub authentication to use their latest OAuth authentication interface.
  • Fixed support for restoring a backup on a different minor release (in the common case in which they have the same database schema).
  • Fixed restoring backups with memcached authentication enabled.
  • Fixed image alt tags appearing before preview content (preheaders) for many emails.
  • Fixed buggy text in missed-message emails with PM content disabled.
  • Fixed buggy loading spinner in “emoji format” widget.
  • Fixed incoming webhook support for AWX 9.x.y.
  • Fixed a couple of missing translation tags.
  • Fixed “User groups” settings UI bug for administrators.
  • Fixed error handling for Slack data import.
  • Fixed data import tool to reset resource limits after importing data from a free plan organization on zulipchat.com.
  • Changed the SAML default signature algorithm to SHA-256, overriding the SHA-1 default used by python3-saml.
  • Added an integration for Prometheus AlertManager.
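Reverse tabnabbing (CVE-2020-9444 above) is the class of issue where a link opened with target="_blank" lets the opened page reach back to the opener through window.opener; the standard mitigation is to mark such links rel="noopener noreferrer". The following is an added illustration of that mitigation as a post-processing pass over already-rendered HTML, written for this post; it is not Zulip's patch and does not reflect how Zulip's markdown processor is structured, and the class and function names, like the sample HTML, are my own.

```python
import html
from html.parser import HTMLParser

# rel tokens that prevent the opened page from reaching back to window.opener
SAFE_REL_TOKENS = ("noopener", "noreferrer")


class LinkHardener(HTMLParser):
    """Re-emit HTML, adding rel="noopener noreferrer" to every target="_blank" anchor."""

    def __init__(self):
        # convert_charrefs=False so entities are passed through unchanged
        super().__init__(convert_charrefs=False)
        self.out = []
        self.rewritten = 0

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=True))

    def _render(self, tag, attrs, self_closing):
        attrs = dict(attrs)  # HTMLParser has already unescaped the values
        if tag == "a" and (attrs.get("target") or "").lower() == "_blank":
            rel = set((attrs.get("rel") or "").split())
            if not rel.issuperset(SAFE_REL_TOKENS):
                rel.update(SAFE_REL_TOKENS)
                attrs["rel"] = " ".join(sorted(rel))
                self.rewritten += 1
        parts = [tag]
        for name, value in attrs.items():
            if value is None:  # boolean attribute such as <input disabled>
                parts.append(name)
            else:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ("/>" if self_closing else ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def harden_links(rendered_html):
    """Return (hardened_html, number_of_anchors_rewritten)."""
    parser = LinkHardener()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out), parser.rewritten


# Constructed sample: one external link that opens a new tab, one local link.
SAMPLE = (
    '<p>See <a href="https://example.com/?a=1&amp;b=2" target="_blank">here</a>'
    ' and <a href="/local">local</a>.</p>'
)

if __name__ == "__main__":
    hardened, count = harden_links(SAMPLE)
    print(count, hardened)
```

The pass is idempotent (a second run rewrites nothing), preserves an existing rel such as nofollow, and treats the target value case-insensitively; anchors without target="_blank" are left alone, since the opener relationship only exists when a new browsing context is created.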
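The SAML change above is a reminder that with python3-saml an algorithm you never mention is not "unset" but silently the library's SHA-1 default. The following added example, not part of this post or of Zulip's code, audits a python3-saml "security" block for that: it resolves each algorithm to what would actually run before judging it, then shows the corrected block beside the weak one. The algorithm URIs are python3-saml's own constants; the function names and the sample config are mine. Deployments that pass this block through python-social-auth use the SOCIAL_AUTH_SAML_SECURITY_CONFIG setting.

```python
# Algorithm URIs as named by python3-saml's OneLogin_Saml2_Constants
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmldsig#sha256"

# What python3-saml used when the key was absent (the SHA-1 default the release note overrides)
LIBRARY_DEFAULTS = {"signatureAlgorithm": RSA_SHA1, "digestAlgorithm": SHA1}
WEAK_ALGORITHMS = {RSA_SHA1, SHA1}


def effective_algorithms(security):
    """Merge an operator's 'security' block with the library defaults: what actually runs."""
    return {key: security.get(key, default) for key, default in LIBRARY_DEFAULTS.items()}


def audit_saml_security(security):
    """Return findings as strings; an absent key counts as the weak default, not as unset."""
    findings = []
    for key, value in effective_algorithms(security).items():
        if value in WEAK_ALGORITHMS:
            origin = "set explicitly" if key in security else "inherited from library default"
            findings.append(f"{key} resolves to SHA-1 ({origin})")
    return findings


def harden_saml_security(security):
    """Copy of the block with both algorithms pinned to SHA-256; other keys untouched."""
    fixed = dict(security)
    fixed["signatureAlgorithm"] = RSA_SHA256
    fixed["digestAlgorithm"] = SHA256
    return fixed


# Constructed sample: a block that signs requests but never mentions algorithms.
WEAK_CONFIG = {"authnRequestsSigned": True, "wantAssertionsSigned": True}
HARDENED_CONFIG = harden_saml_security(WEAK_CONFIG)

if __name__ == "__main__":
    for finding in audit_saml_security(WEAK_CONFIG):
        print("weak:", finding)
    print("hardened:", HARDENED_CONFIG)
```

The audit distinguishes "set explicitly" from "inherited from library default" because the fix differs: an explicit SHA-1 is a deliberate choice to revisit with the IdP operator, while an inherited one is usually just an omission, which is what a server-side default override addresses for every installation at once.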

Thanks to Matt Austin for reporting CVE-2020-9445, and Luis Ariel Sadovsky and Pablo Zurro of Core Security for reporting CVE-2020-10935.

Upgrading

All installations should upgrade promptly to secure their installations. See the upgrade instructions in the Zulip documentation.

If you need help, best-effort support is available on chat.zulip.org, the Zulip community chat server.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: