Zulip - 5.3

Security

5.3 -- 2022-06-21

  • CVE-2022-31017: Fixed message edit event exposure in
    protected-history streams.
    Zulip allows a stream to be configured as private with protected
    history, which means that new subscribers should only see messages
    sent after they join. However, due to a logic bug in Zulip Server
    2.1.0 through 5.2, when a message was edited, the server would
    incorrectly send an API event that included both the edited and old
    content of the message to all of the stream’s current subscribers,
    regardless of whether they could see the original message. The
    impact of this issue was reduced by the fact that this API event is
    ignored by official clients, so it could only be observed by a user
    using a modified client or their browser’s developer tools.
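    As an added illustration (not Zulip's own code), the following Python
    model contrasts the pre-5.3 recipient selection for a message-edit event
    with a corrected one that honours the protected-history rule; the data
    classes, function names, the subscription-timestamp access check and the
    sample users are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Message:
    id: int
    stream: str
    sent_at: datetime

@dataclass(frozen=True)
class Subscription:
    user: str
    stream: str
    joined_at: datetime  # most recent (re)subscription time

def can_access_message(msg: Message, sub: Subscription, protected_history: bool) -> bool:
    """Simplified access rule (an assumption, not Zulip's real check): in a
    protected-history stream a subscriber may read only messages sent at or
    after their latest subscription time."""
    if sub.stream != msg.stream:
        return False
    return (not protected_history) or sub.joined_at <= msg.sent_at

def edit_event_recipients_buggy(msg: Message, subs: list, protected_history: bool) -> list:
    """Pre-5.3 behaviour: every current subscriber gets the edit event (with the
    old content) regardless of whether they could see the original message."""
    return sorted(s.user for s in subs if s.stream == msg.stream)

def edit_event_recipients_fixed(msg: Message, subs: list, protected_history: bool) -> list:
    """Corrected behaviour: deliver the edit event only to subscribers who can
    already read the original message."""
    return sorted(s.user for s in subs if can_access_message(msg, s, protected_history))

def leaked_recipients(msg: Message, subs: list, protected_history: bool) -> list:
    """Users who would receive old content the access rule does not grant them."""
    allowed = set(edit_event_recipients_fixed(msg, subs, protected_history))
    return [u for u in edit_event_recipients_buggy(msg, subs, protected_history) if u not in allowed]

# Constructed sample data (not from Zulip): alice subscribed before the
# message was sent, bob joined afterwards, carol is on an unrelated stream.
def _day(d: int) -> datetime:
    return datetime(2022, 6, d, tzinfo=timezone.utc)

MSG = Message(id=1, stream="secrets", sent_at=_day(5))
SUBS = [
    Subscription("alice", "secrets", _day(1)),
    Subscription("bob", "secrets", _day(10)),
    Subscription("carol", "general", _day(1)),
]
```

    With protected history off, both selections agree; with it on, only the
    corrected selection withholds the event from the late subscriber.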
  • Adjusted upgrade steps to cause servers using PostgreSQL 14 to
    upgrade to PostgreSQL 14.4, which fixes an important potential
    database corruption issue.
  • Upgraded the asynchronous request handling to use Tornado 6.
  • Fixed a crash when displaying the error message for a failed attempt
    to create a stream.
  • Optimized the steps during upgrade-zulip, to reduce the amount of
    server downtime.
  • Added a --skip-restart flag to upgrade-zulip which prepares the
    new version, but does not restart the server into it.
  • Stopped mirroring the entire remote Git repository directly into
    /srv/zulip.git. This mirroring removed local branches and confused
    the state of previous deployments.
  • Fixed a bug which could cause the delete_old_unclaimed_attachments
    command-line tool to remove attachments that were still referenced
    by deleted (but not yet permanently removed) messages.
  • Stopped enabling USE_X_FORWARDED_HOST by default, which was
    generally unneeded; the proxy documentation now clarifies when it is
    necessary.
  • Fixed the nginx configuration to include the default system-level
    nginx modules.
  • Only attempt to fix the certbot SSL renewal configuration if HTTPS
    is enabled; this addresses a regression in Zulip Server 5.2, where
    the upgrade would fail if an improperly configured certificate
    existed, but was both expired and not in use.
  • Improved proxy and database backup documentation.

Details

date: June 21, 2022, 8:33 p.m.
name: Zulip Server 5.3
type: Minor