Release announcements, Security

Zulip Server 8.3 security release

Alex Vandiver 4 min read

We released Zulip Server 8.3 today! This is a security release, containing important security fixes and cherry-picked changes since Zulip Server 8.2.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.

CVE-2024-27286: Incorrectly preserved access when moving messages between streams.

In some cases, a Zulip user who previously had permission to see a message retained access to it after it was moved to a stream the user lacked permission to read. For non-guest users, that means a private stream they are not subscribed to. Such users could still find the message in their search results, which could also reveal the name of the private stream the message had been moved to.

Any user who could access a message as a result of this bug had previously had access to that message, and thus could theoretically have retained access to the message’s content in some other way (e.g., by taking a screenshot earlier, or saving an email notification containing the message). There were two different cases which triggered this bug:

  1. Moving a single message between streams. This bug was triggered only when a user moved a single message from a public stream to a private stream, not an entire topic or multiple messages at once. While the move succeeded, Zulip did not remove permission to view the message from many users who had permission to view messages in the source stream, but not the destination stream. Additionally, active users might continue to see the message in the source stream until the server was updated or they reloaded their Zulip window.
  2. Moving any number of messages after a user was unsubscribed from the source stream. If a message received by a user was moved to another stream after that user was unsubscribed from the source stream, Zulip did not remove that user’s permission to view the message, even when they did not have permission to view messages in the destination stream.

Both bugs were present since 2021, when the feature that allows moving messages into private streams was introduced. However, the buggy option to move a single message was rarely used before December 2023, when it became the default option for moving the last message in a topic. The Zulip development team discovered CVE-2024-27286 while investigating an anomaly in the Zulip development community.

This release fixes both bugs and includes a database migration that removes the incorrect message access control records, so upgrading to Zulip 8.3 is sufficient to fully remediate the issue. The migration writes a log file, /var/log/zulip/migrations_0501_delete_dangling_usermessages.log, listing any messages that had been affected by either bug.
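To make the two failure modes concrete, here is a small model of per-user message access records and of what a stream move has to do to them. This is an added example written for this post, not Zulip's code: the Stream, Message and Realm types, the "private" flag, and the three move functions are simplifications assumed for illustration. In particular, the guess that the bulk move only considered current subscribers of the source stream (bug 2) is a reconstruction from the description above, not a statement about the real implementation. The `dangling()` check stands in for what a cleanup migration must find.

```python
"""Model of per-user message access records and the pruning a stream move needs.

Added example for this post; not Zulip's code.  The types, the "private" flag
and the move functions are simplifications assumed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Stream:
    name: str
    private: bool
    subscribers: set = field(default_factory=set)


@dataclass
class Message:
    id: int
    stream: Stream


class Realm:
    def __init__(self):
        self.messages = {}
        # One (user, message_id) access record per user who received the message.
        self.user_messages = set()

    def send(self, msg_id, stream):
        self.messages[msg_id] = Message(msg_id, stream)
        for user in stream.subscribers:
            self.user_messages.add((user, msg_id))

    def can_read(self, user, stream):
        # Non-guest rule from the post: public streams are readable by anyone,
        # private streams only by current subscribers.
        return (not stream.private) or user in stream.subscribers

    def _drop(self, msg_id, users):
        self.user_messages -= {(u, msg_id) for u in users}

    def move_single_buggy(self, msg_id, dest):
        # Bug 1 (modelled): the single-message move re-pointed the message
        # but pruned no access records at all.
        self.messages[msg_id].stream = dest

    def move_bulk_buggy(self, msg_id, dest):
        # Bug 2 (modelled, an assumption): the bulk move pruned only users
        # *currently* subscribed to the source stream, so anyone unsubscribed
        # earlier was never considered.
        source = self.messages[msg_id].stream
        self.messages[msg_id].stream = dest
        self._drop(msg_id, {u for u in source.subscribers if not self.can_read(u, dest)})

    def move_fixed(self, msg_id, dest):
        # Correct behaviour: consider every user holding a record for the message.
        self.messages[msg_id].stream = dest
        holders = {u for (u, m) in self.user_messages if m == msg_id}
        self._drop(msg_id, {u for u in holders if not self.can_read(u, dest)})

    def dangling(self):
        # What a cleanup migration must find: records for users who cannot read
        # the stream the message now lives in.
        return sorted((u, m) for (u, m) in self.user_messages
                      if not self.can_read(u, self.messages[m].stream))

    def search_hits(self, user):
        # Search is driven by the access records, which is why a dangling
        # record leaks the message (and its new stream) into search results.
        return sorted(m for (u, m) in self.user_messages if u == user)


def make_realm():
    # Constructed sample data: one public and one private stream.
    realm = Realm()
    general = Stream("general", private=False, subscribers={"alice", "bob", "carol"})
    secret = Stream("secret", private=True, subscribers={"alice"})
    return realm, general, secret


def case_single_move(fixed=False):
    realm, general, secret = make_realm()
    realm.send(1, general)
    (realm.move_fixed if fixed else realm.move_single_buggy)(1, secret)
    return realm.dangling()


def case_after_unsubscribe(fixed=False):
    realm, general, secret = make_realm()
    realm.send(2, general)
    general.subscribers.discard("carol")   # carol leaves; her record stays
    (realm.move_fixed if fixed else realm.move_bulk_buggy)(2, secret)
    return realm.dangling()


def remediate(realm):
    # Migration-style cleanup: record the affected (user, message) pairs,
    # then delete exactly those records.
    affected = realm.dangling()
    realm.user_messages -= set(affected)
    return affected, realm.dangling()
```

Running `case_single_move()` shows bob and carol keeping access to message 1 after it lands in the private stream; `case_after_unsubscribe()` shows only carol, the user unsubscribed before the move, slipping through the bulk move. With `fixed=True` both return an empty list, and `remediate()` on a buggy realm returns the pairs a migration would log and leaves nothing dangling.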

Those Zulip Cloud customers who had at least one affected message have just received an email from us detailing the impact on their organization.

Notable changes

  • CVE-2024-27286: Incorrectly preserved access when moving messages between streams.
  • Added beta support for the upcoming Ubuntu 24.04 release.
  • Added new DM search options to the compliance export tool.
  • Added a helpful error page for installations trying to access “plan management” when they had not configured the mobile push notifications service yet.
  • Added a local-disk database backup option.
  • Added the ability to store incremental database backups.
  • Improved performance of bulk-moving messages between streams by ~2x.
  • Streamlined documentation for the Zulip server installer.
  • Fixed the “Topics are required for this organization” pop-up incorrectly closing on some keypresses.
  • Fixed the analytics cron job leaking its lock if unexpectedly interrupted (e.g. by a reboot).
  • Fixed sorting by expiration date in the “Invites” settings panel.
  • Fixed the gear menu staying open after clicking on “plan management”.
  • Fixed a small visual issue with bot icons in the left sidebar DM section.
  • Fixed installation with an existing but empty zulip database.
  • Backported various developer tooling improvements.
  • Upgraded dependencies.
  • Updated translations, including new translations for Gujarati and Greek.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: