Release announcements, Security

Zulip Server 2.1.5 security release

Tim Abbott 4 min read

We released Zulip Server 2.1.5 today. This is a security release, containing a dozen cherry-picked changes since Zulip Server 2.1.4.

What’s new

This releases fixes several important bugs in previous versions of Zulip. It contains fixes for the following issues:

  • CVE-2020-12759: Fix reflected XSS vulnerability in Dropbox webhook.
  • CVE-2020-14194: Prevent reverse tabnapping via topic header links.
  • CVE-2020-14215: Fixed use of invitation role data from expired invitations on signup via external authentication methods.
  • CVE-2020-14215: Fixed buggy 0198_preregistrationuser_invited_as database migration from the 2.0.0 release, which incorrectly added the administrator role to invitations.
  • CVE-2020-14215: Added migration to clear the administrator role from any invitation objects already corrupted by the buggy version of the 0198_preregistrationuser_invited_as migration.
  • Fixed missing quoting of certain attributes in HTML templates.
  • auth: Accept next as POST parameter in POST requests.
  • Allow /etc/zulip to be a symlink (for docker-zulip).
  • Disabled access from insecure Zulip Desktop releases below version 5.2.0.
  • Adjusted Slack import documentation to help administrators avoid OOM kills when doing Slack import on low-RAM systems.
  • Fixed a race condition fetching users’ personal API keys.
  • Fixed a few bugs with Slack data import.

Thanks to Pierre-Loup Tristant of SonarSource for reporting CVE-2020-12759 (discovered while testing a new analyzer feature!). Thanks to Tom Daff for reporting the anomaly that was traced to CVE-2020-14215. The other security issues were discovered internally.

Because the fix to CVE-2020-14215 will not remove the administrator permission from any users who were already incorrectly created as administrators, we recommend that server administrators do an audit to make sure there are no unexpected organization administrators in their organization. You can do this audit using the Users tab in Zulip’s organization settings; just click on the “Role” column to sort by role.

To explain the issue in full detail, the 0198_preregistrationuser_invited_as database migration incorrectly swapped converted users invited as members into users invited as organization administrators. As a result, Zulip servers originally installed on Zulip 1.9 or older that were upgraded to Zulip 2.0.0-rc1 or higher had corrupted invitation objects. These records, in turn, could result in the user being created as an administrator should they later sign up using that invitation. Combined with another bug where certain social authentication flows would use the role from an expired invitation object, a user whose email address was invited 2 years ago as a normal user, and signed up with Google authentication on Zulip 2.1.4 or older, could have been incorrectly created as an organization administrator.

Because users typically accept invitations soon after they are sent, this is in practice a rare event. We expect most users who were incorrectly granted administrator privileges due to this bug were unaware that they had administrator permissions. (Using Zulip’s audit log data, we were able to determine that only 14 accounts on Zulip Cloud were incorrectly created with administrator permissions due to this bug. We have removed the permission from those users and are emailing all administrators of the affected organizations.)

This release fixes CVE-2020-14215 by fixing the buggy migration, removing the administrator bit from all preexisting invitation records, and eliminating the bug that allowed data from expired invitation records to be used in determining the role for a new user.

Zulip 2.1.6 release

Zulip 2.1.6 was released shortly after 2.1.5. It removes a line of Python that requires Python 3.6+ and thus does not work on Ubuntu Xenial or Debian Stretch. As a reminder, Zulip 2.2 (coming in a week or two) will not support Ubuntu Xenial or Debian Stretch due to the upcoming end-of-life of Python 3.5 in July; installations running those releases should upgrade their OS.

Upgrading

All installations should upgrade promptly to secure their installations. See the upgrade instructions in the Zulip documentation.

If you need help, best-effort support is available on chat.zulip.org, the Zulip community chat server.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: