Zulip Versions Save

Zulip server and web application. Open-source team chat that helps teams stay productive and focused.

5.0-rc1

2 years ago

Release Zulip Server 5.0-rc1.

4.11

2 years ago
  • CVE-2022-24751: Zulip Server 4.0 and above were susceptible to a race condition during user deactivation, where a simultaneous access by the user being deactivated may, in rare cases, allow continued access by the deactivated user. This access could theoretically continue until one of the following events happens:
    • The session expires from memcached; this defaults to two weeks, and is controlled by SESSION_COOKIE_AGE in /etc/zulip/settings.py
    • The session cache is evicted from memcached by other cached data.
    • The server is upgraded, which clears the cache.
  • Updated translations.

4.10

2 years ago
  • CVE-2022-21706: Reusable invitation links could be improperly used for other organizations.
  • CVE-2021-3967: Enforce that regenerating an API key must be done with an API key, not a cookie. Thanks to nhiephon (twitter.com/_nhiephon) for their responsible disclosure of this vulnerability.
  • Fixed a bug with the reindex-textual-data tool, where it would sometimes fail to find the libraries it needed.
  • Pin PostgreSQL to 10.19, 11.14, 12.9, 13.5 or 14.1 to avoid a regression which caused deploys with PGroonga enabled to unpredictably fail database queries with the error "variable not found in subplan target list".
  • Fix ARM64 support; however, the wal-g binary is not yet supported on ARM64 (zulip/zulip#21070).

4.9

2 years ago
  • CVE-2021-43799: Remote execution of code involving RabbitMQ.
  • Closed access to RabbitMQ port 25672; initial installs tried to close this port, but failed to restart RabbitMQ for the configuration.
  • Removed the rabbitmq.nodename configuration in zulip.conf; all RabbitMQ instances will be reconfigured to have a nodename of zulip@localhost. You can remove this setting from your zulip.conf configuration file, if it exists.
  • Added missing support for the Camo image proxy in the Docker image. This resolves a longstanding issue with image previews, if enabled, appearing as broken images for Docker-based installs.
  • Fixed a bug which allowed a user to edit a message to add a wildcard mention when they did not have permissions to send such messages originally.
  • Fixed a bug in the tool that corrects database corruption caused by updating the operating system hosting PostgreSQL, which previously omitted some indexes from its verification. If you updated the operating system of your Zulip instance from Ubuntu 18.04 to 20.04, or from Debian Stretch to Debian Buster, you should run the tool, even if you did so previously; full details and instructions are available in the previous blog post.
  • Began routing requests from the Camo image proxy through a non-Smokescreen proxy, if one is configured; because Camo includes logic to deny access to private subnets, routing its requests through Smokescreen is generally not necessary.
  • Fixed a bug where changing the Camo secret required running zulip-puppet-apply.
  • Fixed scripts/setup/compare-settings-to-template to be able to run from any directory.
  • Switched Let's Encrypt renewal to use its own timer, rather than our custom cron job. This fixes a bug where occasionally nginx would not reload after getting an updated certificate.
  • Updated documentation and tooling to note that installs using upgrade-zulip-from-git require 3 GB of RAM, or 2 GB and at least 1 GB of swap.

4.8

2 years ago
  • CVE-2021-43791: Zulip could fail to enforce expiration dates on confirmation keys, allowing users to potentially use expired invitations, self-registrations, or realm creation links.
  • Began installing Smokescreen to harden Zulip against SSRF attacks by default. Zulip has offered Smokescreen as an option since Zulip 4.0. Existing installs which configured an outgoing proxy which is not on localhost:4750 will continue to use that; all other installations will begin having a Smokescreen installation listening on 127.0.0.1, which Zulip will proxy traffic through. The version of Smokescreen was also upgraded.
  • Replaced the camo image proxy with go-camo, a maintained reimplementation that also protects against SSRF attacks. This server now listens only on 127.0.0.1 when it is deployed as part of a standalone deployment.
  • Began using camo for images displayed in URL previews. This improves privacy and also resolves an issue where an image link to a third party server with an expired or otherwise invalid SSL certificate would trigger a confusing pop-up window for Zulip Desktop users.
  • Fixed a bug which could cause Tornado to shut down improperly (causing an immediate full-page reload for their clients) when restarting a heavily loaded Zulip server.
  • Updated Python dependencies.
  • Truncated large “remove” mobile notification events so that marking hundreds of private messages or other notifiable messages as read at once won’t exceed Apple’s 4 KB notification size limit.
  • Slack importer improvements:
    • Ensured that generated fake email addresses for Slack bots are unique.
    • Added support for importing Slack exports from a directory, not just a .zip file.
    • Provided better error messages with invalid Slack tokens.
    • Added support for non-ASCII Unicode folder names on Windows.
  • Added support for the V3 PagerDuty webhook.
  • Updated documentation for Apache SSO, which requires additional configuration now that Zulip uses a C extension (the re2 module).
  • Fixed a bug where an empty name in a SAML response would raise an error.
  • Ensured that deliver_scheduled_emails and deliver_scheduled_messages did not double-deliver if run on multiple servers at once.
  • Extended Certbot troubleshooting documentation.
  • Fixed a bug in soft deactivation catch-up code, in cases where a race condition had created multiple subscription deactivation entries for a single user and single stream in the audit log.
  • Updated translations, including adding a Sinhala translation.

4.7

2 years ago
  • CVE-2021-41115: Prevent organization administrators from affecting the server with a regular expression denial-of-service attack through linkifier patterns.

4.6

2 years ago

4.6 -- 2021-09-23

  • Documented official support for Debian 11 Bullseye, now that it is officially released by Debian upstream.
  • Fixed installation on Debian 10 Buster. Upstream infrastructure had broken the Python virtualenv tool on this platform, which we've worked around for this release.
  • Zulip releases are now distributed from https://download.zulip.com/server/, replacing the old www.zulip.org server.
  • Added support for LDAP synchronization of the is_realm_owner and is_moderator flags.
  • upgrade-zulip-from-git now uses git fetch --prune; this ensures that upgrade-zulip-from-git master will return an error rather than using a stale cached version of the master branch, which was renamed to main this month.
  • Added a new reset_authentication_attempt_count management command to allow sysadmins to manually reset authentication rate limits.
  • Fixed a bug that caused the upgrade-postgresql tool to incorrectly remove supervisord configuration for process-fts-updates.
  • Fixed a rare migration bug when upgrading from Zulip versions 2.1 and older.
  • Fixed a subtle bug where the left sidebar would show both old and new names for some topics that had been renamed.
  • Fixed incoming email gateway support for configurations with the http_only setting enabled.
  • Fixed issues where Zulip's outgoing webhook, with the Slack-compatible interface, had a different format from Slack's documented interface.
  • The installation and upgrade documentation now shows the latest release's version number.
  • Backported many improvements to the ReadTheDocs documentation.
  • Updated translation data from Transifex.

2.1.8

2 years ago

Fixed a possible failure of the 0257_fix_has_link_attribute.py database migration, which would cause errors during the upgrade process.

Note: We recommend that most users install or upgrade to the latest release, but users who need to stay on the 2.1.x branch can upgrade to 2.1.8.

4.5

2 years ago

4.5 -- 2021-07-25

  • Added a tool to fix potential database corruption caused by host OS upgrades (was listed in 4.4 release notes, but accidentally omitted).

4.4

2 years ago

4.4 -- 2021-07-22

  • Added a tool to fix potential database corruption caused by host OS upgrades.
  • Fixed a possible denial-of-service attack in Markdown fenced code block parsing.
  • Smokescreen, if installed, now defaults to only listening on 127.0.0.1; this prevents it from being used as an open HTTP proxy if it did not have other firewalls protecting incoming port 4750.
  • Fixed a performance/scalability issue for installations using the S3 file uploads backend.
  • Fixed a bug where users could turn other users’ messages they could read into widgets (e.g. polls).
  • Fixed a bug where emoji and avatar image requests were sent through Camo; doing so does not add any security benefit, and broke custom emoji that had been imported from Slack in Zulip 1.8.1 or earlier.
  • Changed to log just a warning, instead of an exception, in the case that the embed_links worker cannot fetch previews for all links in a message within the 30-second timeout. Each preview request within a message already has a 15-second timeout.
  • Ensured psycopg2 is installed before starting process_fts_updates; otherwise, it might fail to start several times before the package was installed.
  • Worked around a bug in supervisor where, when using SysV init, /etc/init.d/supervisor restart would only have stopped, not restarted, the process.
  • Modified upgrade scripts to better handle failure, and suggest next steps and point to logs.
  • Zulip now hides the “show password” eye icon that IE and Edge browsers place in password inputs; this duplicated the already-present JavaScript-based functionality.
  • Fixed “OR” glitch on login page if SAML authentication is enabled but not configured.
  • The send_test_email management command now shows the full SMTP conversation on failure.
  • Provided a change_password management command which takes a --realm option.
  • Fixed upgrade-zulip-from-git crashing in CSS source map generation on 1-CPU systems.
  • Added an auto_signup field in SAML configuration to auto-create accounts upon first login attempt by users which are authenticated by SAML.
  • Provided better error messages when puppet_classes in zulip.conf are mistakenly space-separated instead of comma-separated.
  • Updated translations for many languages.