5.7 -- 2022-11-16
- CVE-2022-41914: Fixed the verification of the SCIM account
management bearer tokens to use a constant-time comparator. Zulip
Server 5.0 through 5.6 checked SCIM bearer tokens using a comparator
that did not run in constant time: such a comparison stops at the first
mismatched byte, so its running time depends on how long a correct prefix
of the secret the caller presented, which is the classic timing side
channel for guessing a token one byte at a time. For organizations with
SCIM account management enabled, this bug theoretically allowed an
attacker to recover the SCIM bearer token and use it to read and update
the Zulip organization's user accounts. In practice, this vulnerability
may not have been practical or exploitable. Zulip Server installations
which have not explicitly enabled SCIM are not
- Fixed an error with deactivating users with
- Fixed several subtle bugs that could lead to browsers reloading
repeatedly when the server was updated.
- Fixed a live-update bug when changing certain notifications
- Improved error logs when sending push notifications to the push
notifications service fails.
- Upgraded Python requirements.
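The following is an added illustration of the CVE-2022-41914 class of bug, not code from Zulip Server: a bearer-token check written with an early-exit comparison beside one using `hmac.compare_digest`, plus a small byte-at-a-time recovery routine driven by the number of bytes the comparator examined (a deterministic stand-in for measured response time). The token value, the `parse_bearer` helper and the oracle functions are constructed for the example and are not Zulip's configuration or API.

```python
import hmac
from typing import Callable, Optional, Tuple

# Constructed example token (hex so the recovery loop stays small); it is
# not a real Zulip value and Zulip's SCIM config does not look like this.
CONFIGURED_SCIM_TOKEN = "3f9c1b7e2a5d4c8f"
HEX_ALPHABET = "0123456789abcdef"


def parse_bearer(authorization_header: Optional[str]) -> Optional[str]:
    """Extract <token> from an 'Authorization: Bearer <token>' header value."""
    if authorization_header is None:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def early_exit_compare(presented: str, expected: str) -> Tuple[bool, int]:
    """The vulnerable pattern: stop at the first mismatched byte.

    Returns (equal, bytes_examined). The second value models what a timing
    attacker observes: work grows with the length of the correct prefix.
    """
    if len(presented) != len(expected):
        return False, 0
    examined = 0
    for p, e in zip(presented.encode("utf-8"), expected.encode("utf-8")):
        examined += 1
        if p != e:
            return False, examined
    return True, examined


def constant_time_oracle(presented: str, expected: str) -> Tuple[bool, int]:
    """Model of the fixed comparator as seen by an attacker: hmac.compare_digest
    examines every byte, so the observed work is the same for any wrong guess
    of the right length (a length mismatch returns early, revealing only the
    token's length, not its value)."""
    equal = hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))
    return equal, len(expected)


def verify_scim_token_insecure(header: Optional[str],
                               expected: str = CONFIGURED_SCIM_TOKEN) -> bool:
    """Token check built on the early-exit comparison (the 5.0-5.6 style bug)."""
    token = parse_bearer(header)
    if token is None:
        return False
    return early_exit_compare(token, expected)[0]


def verify_scim_token(header: Optional[str],
                      expected: str = CONFIGURED_SCIM_TOKEN) -> bool:
    """Hardened form: compare with hmac.compare_digest on bytes."""
    token = parse_bearer(header)
    if token is None:
        return False
    return hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8"))


def recover_via_timing_oracle(oracle: Callable[[str], Tuple[bool, int]],
                              length: int, alphabet: str) -> str:
    """Guess a token one position at a time: for each position, keep the
    character whose guess made the comparator do the most work.  A successful
    match scores one extra point so the final byte (where a mismatch is also
    examined) is resolved by the accept/reject result itself."""
    pad = alphabet[0]
    guess = ""
    for pos in range(length):
        best_char, best_score = alphabet[0], -1
        for c in alphabet:
            candidate = guess + c + pad * (length - pos - 1)
            equal, examined = oracle(candidate)
            score = examined + (1 if equal else 0)
            if score > best_score:
                best_char, best_score = c, score
        guess += best_char
    return guess


if __name__ == "__main__":
    n = len(CONFIGURED_SCIM_TOKEN)
    leaky = recover_via_timing_oracle(
        lambda c: early_exit_compare(c, CONFIGURED_SCIM_TOKEN), n, HEX_ALPHABET)
    fixed = recover_via_timing_oracle(
        lambda c: constant_time_oracle(c, CONFIGURED_SCIM_TOKEN), n, HEX_ALPHABET)
    print("early-exit comparator: recovered", leaky, leaky == CONFIGURED_SCIM_TOKEN)
    print("constant-time comparator: recovered", fixed, fixed == CONFIGURED_SCIM_TOKEN)
```

Running the module recovers the whole token from the early-exit comparator in 16 x 16 oracle calls, while the constant-time model yields nothing beyond the accept/reject bit. Two practical caveats when applying the fix: pass `bytes` (or ASCII `str`) to `hmac.compare_digest`, since it raises `TypeError` on non-ASCII text, and remember that it still returns early on a length mismatch, which is acceptable because the token length is not secret.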
Nov. 16, 2022, 3:52 p.m.
Zulip Server 5.7