Zulip Server 4.11 security release
We released Zulip Server 4.11 today! This is a security release, containing a minor security fix.
Upgrading
We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.
Reminder: upgrade your host operating system
As a reminder, we have deprecated support for Ubuntu 18.04 Bionic, because the upstream vendor no longer provides security support for important Zulip dependencies. Specifically, Ubuntu 18.04 remains supported in this release and will be supported in the rest of the Zulip Server 4.x series, but will not be supported in the upcoming Zulip Server 5.0 release.
We recommend upgrading any Zulip servers you manage which are running on Ubuntu 18.04. See our OS upgrade documentation for how to correctly upgrade a Zulip server.
Notable changes:
- CVE-2022-24751: Zulip Server 4.0 and above were susceptible to a race condition during user deactivation, where a simultaneous access by the user being deactivated may, in rare cases, allow continued access by the deactivated user. This access could theoretically continue until one of the following events happens:
  - The session expires from memcached; this defaults to two weeks, and is controlled by SESSION_COOKIE_AGE in /etc/zulip/settings.py.
  - The session cache is evicted from memcached by other cached data.
  - The server is upgraded, which clears the cache.
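The following toy model is an added illustration of the general bug class the advisory describes (a cached session surviving a user's deactivation until its TTL runs out). It is hypothetical code written for this page, not Zulip's code and not the actual fix; the store, cache, `authenticate`, `deactivate_*` functions and the two-week `SESSION_TTL` constant are all assumptions. It shows why the order of "mark inactive" versus "evict cached sessions" matters when a request can land between the two steps, and why re-validating the account on every cache hit is a cheap defense in depth.

```python
"""Toy model of a session-cache invalidation race (added illustration,
hypothetical; not Zulip's code). A memcached-like session cache fronts a
database. If deactivation evicts cached sessions *before* the user row is
marked inactive, a concurrent request can re-populate the cache from the
still-active row, and that stale entry then lives until its TTL expires."""

from dataclasses import dataclass, field

SESSION_TTL = 14 * 24 * 3600  # constructed: mirrors the two-week default


@dataclass
class Store:
    """Database side: users and their sessions."""
    users: dict = field(default_factory=dict)     # user_id -> is_active
    sessions: dict = field(default_factory=dict)  # session_id -> user_id


@dataclass
class SessionCache:
    """Cache side: session_id -> (user_id, expiry_time)."""
    entries: dict = field(default_factory=dict)
    now: int = 0  # toy clock so expiry is deterministic

    def get(self, sid):
        hit = self.entries.get(sid)
        if hit is None:
            return None
        user_id, expires = hit
        if self.now >= expires:
            del self.entries[sid]  # TTL eviction, as memcached would do
            return None
        return user_id

    def put(self, sid, user_id):
        self.entries[sid] = (user_id, self.now + SESSION_TTL)

    def evict_user(self, user_id):
        for sid in [s for s, (u, _) in self.entries.items() if u == user_id]:
            del self.entries[sid]


def authenticate(store, cache, sid, recheck_active):
    """Resolve a session id to a user id, or None.
    recheck_active=False trusts a cache hit outright (the weak pattern);
    recheck_active=True re-validates the user row on every hit."""
    user_id = cache.get(sid)
    if user_id is None:
        user_id = store.sessions.get(sid)
        if user_id is None or not store.users.get(user_id, False):
            return None
        cache.put(sid, user_id)  # populate the cache from the database
    if recheck_active and not store.users.get(user_id, False):
        cache.evict_user(user_id)
        return None
    return user_id


def deactivate_weak_order(store, cache, user_id, interleaved_request=None):
    """Evict cached sessions first, mark the user inactive second.
    interleaved_request simulates a request landing between the steps."""
    cache.evict_user(user_id)
    if interleaved_request:
        interleaved_request()
    store.users[user_id] = False


def deactivate_safe_order(store, cache, user_id, interleaved_request=None):
    """Mark the user inactive first, then evict; a request landing in
    between sees an inactive row and cannot re-populate the cache."""
    store.users[user_id] = False
    if interleaved_request:
        interleaved_request()
    cache.evict_user(user_id)


def run_scenario(deactivate, recheck_active):
    """Return True if the user still authenticates after deactivation."""
    store = Store(users={1: True}, sessions={"sid-A": 1})
    cache = SessionCache()
    authenticate(store, cache, "sid-A", recheck_active)  # warm the cache

    def racing():
        authenticate(store, cache, "sid-A", recheck_active)

    deactivate(store, cache, 1, interleaved_request=racing)
    return authenticate(store, cache, "sid-A", recheck_active) == 1


def run_ttl_scenario():
    """Even a stale entry dies once SESSION_TTL elapses; returns True if
    the deactivated user still authenticates after the TTL has passed."""
    store = Store(users={1: True}, sessions={"sid-A": 1})
    cache = SessionCache()
    deactivate_weak_order(store, cache, 1,
                          lambda: authenticate(store, cache, "sid-A", False))
    cache.now += SESSION_TTL
    return authenticate(store, cache, "sid-A", False) == 1


if __name__ == "__main__":
    print("weak order, trust cache:", run_scenario(deactivate_weak_order, False))
    print("weak order, recheck:   ", run_scenario(deactivate_weak_order, True))
    print("safe order, trust cache:", run_scenario(deactivate_safe_order, False))
    print("after TTL:             ", run_ttl_scenario())
```

Only the first scenario leaves the deactivated user with a working session, which is exactly the "until the session expires or is evicted" window the advisory describes; reordering the steps closes it, and re-checking the account on every cache hit closes it even if some other code path re-populates the cache.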
- Updated translations.
Community
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org and provide feedback directly to the development community!
- Follow us on Twitter, or join our announcement mailing list (or subscribe to the blog posts, which are mostly a subset of the already low-volume mailing list).