Zulip - 5.7
Security
5.7 -- 2022-11-16
- CVE-2022-41914: Fixed the verification of the SCIM account management bearer tokens to use a constant-time comparator. Zulip Server 5.0 through 5.6 checked SCIM bearer tokens using a comparator that did not run in constant time. For organizations with SCIM account management enabled, this bug theoretically allowed an attacker to steal the SCIM bearer token, and use it to read and update the Zulip organization’s user accounts. In practice, this vulnerability may not have been practical or exploitable. Zulip Server installations which have not explicitly enabled SCIM are not affected.
- Fixed an error with deactivating users with manage.py sync_ldap_user_data when LDAP_DEACTIVATE_NON_MATCHING_USERS was enabled.
- Fixed several subtle bugs that could lead to browsers reloading repeatedly when the server was updated.
- Fixed a live-update bug when changing certain notifications settings.
- Improved error logs when sending push notifications to the push notifications service fails.
- Upgraded Python requirements.
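The defect behind CVE-2022-41914 and its fix, as an added example that is not Zulip's own code: a comparator that returns at the first mismatching byte (so the work it does depends on how long the correct prefix of a candidate token is) next to a bearer-token check built on Python's hmac.compare_digest, which is what a constant-time comparator gives you. The header format, the token value and the function names are assumptions.

```python
import hmac
from typing import Optional, Tuple

# Constructed example token; a real deployment reads its SCIM bearer token
# from its own configuration (assumption, not Zulip's code).
EXPECTED_TOKEN = "scim-example-token-0123456789abcdef"


def naive_equal(a: str, b: str) -> Tuple[bool, int]:
    """The defective pattern: stops at the first mismatching byte.

    Returns (equal, bytes_compared). The count is there only to make the
    leak visible: the amount of work, and so the running time, grows with
    the length of the common prefix, which a constant-time comparator must
    not reveal.
    """
    a_bytes, b_bytes = a.encode(), b.encode()
    if len(a_bytes) != len(b_bytes):
        return False, 0
    compared = 0
    for x, y in zip(a_bytes, b_bytes):
        compared += 1
        if x != y:
            return False, compared
    return True, compared


def constant_time_equal(a: str, b: str) -> bool:
    """The fix: hmac.compare_digest takes time independent of where the
    inputs first differ (for equal-length inputs), so timing does not
    reveal how much of a candidate token was correct."""
    return hmac.compare_digest(a.encode(), b.encode())


def check_scim_bearer(authorization_header: Optional[str],
                      expected_token: str = EXPECTED_TOKEN) -> bool:
    """Validate an HTTP Authorization header of the form 'Bearer <token>'.

    A missing header or a non-Bearer scheme is rejected before the secret is
    touched; the token itself is compared in constant time.
    """
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False
    return constant_time_equal(token.strip(), expected_token)
```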
Details
date: Nov. 16, 2022, 3:52 p.m.
name: Zulip Server 5.7
type: Minor