Zulip Server 2.1.7 security release
We released Zulip Server 2.1.7 today. This is a security release, containing a couple of cherry-picked changes since Zulip Server 2.1.6.
What’s new
This release fixes multiple important bugs in previous versions of Zulip. It contains fixes for the following issues:
- CVE-2020-15070: Fix privilege escalation vulnerability with custom profile fields. A privileged attacker who can write directly to the Zulip postgres database (which isn’t available to any user role in Zulip) could trigger code execution on the Zulip server by storing an invalid custom profile field value that was later processed using eval.
- Changed default memcached authentication username to zulip@localhost. This fixes an issue where a Zulip server that was rebooted with a different hostname would be unable to authenticate to its memcached process due to the hostname being encoded in the generated memcached SASL credentials.
CVE-2020-15070 was discovered by the Zulip core team.
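The following is an added illustration of the bug class behind CVE-2020-15070, not code from the Zulip project: a stored custom-profile-field string is turned back into a Python value with eval, which executes whatever expression sits in the column, beside a hardened parser that decodes the value as JSON and validates its shape. The function names, the sample stored values and the assumption that the field holds a JSON list of user ids are all constructed for this example; the exact shape of Zulip's own fix is not claimed.

```python
import json
from typing import List

# Constructed sample values of the kind that might sit in a custom-profile-field
# column. Only the first is a well-formed value; the others are malformed or are
# expressions. These are not real Zulip database rows.
STORED_VALUES = {
    "valid_user_list": "[12, 34]",
    "expression": "1 + 1",       # eval() would compute this; a parser must reject it
    "call": "max(1, 2)",         # eval() would call a function; a parser must reject it
    "not_a_list": '{"a": 1}',    # valid JSON, wrong shape for this field type
}


def parse_user_list_unsafe(raw: str) -> List[int]:
    """The pattern the advisory describes: eval() on a string read from the
    database. Any Python expression stored in the column runs with the
    privileges of the server process. Kept only for contrast."""
    return eval(raw)  # deliberately unsafe


def parse_user_list_safe(raw: str) -> List[int]:
    """Hardened replacement (an assumption for this example, not Zulip's code):
    decode as JSON, then validate the shape. json.loads never evaluates code,
    and requiring a list of non-negative integers makes malformed rows fail
    closed instead of being interpreted loosely."""
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as e:
        raise ValueError(f"custom profile field value is not valid JSON: {e}") from None
    if not isinstance(value, list) or not all(
        isinstance(x, int) and not isinstance(x, bool) and x >= 0 for x in value
    ):
        raise ValueError("custom profile field value must be a JSON list of user ids")
    return value


def classify(raw: str) -> str:
    """Report whether the hardened parser accepts a stored value."""
    try:
        parse_user_list_safe(raw)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for name, raw in STORED_VALUES.items():
        print(f"{name:16s} {raw!r:14s} -> {classify(raw)}")
```

Running the block shows that only the well-formed list is accepted, while the two expressions and the wrong-shaped JSON are rejected before anything is interpreted. The same shape check is what makes the replacement meaningful: swapping eval for a literal parser alone would still accept arbitrary nested values, so validating the type the field is documented to hold is part of the fix.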
Upgrading
All installations using LDAP synchronization should upgrade promptly to secure their installations. See the upgrade instructions in the Zulip documentation.
If you need help, best-effort support is available on chat.zulip.org, the Zulip community chat server.
Community
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org, the Zulip community Zulip server. Several streams have user feedback and discussion as their primary purpose.
- Follow us on Twitter, or join our announcement mailing list.