Zulip - 5.7

Security

5.7 -- 2022-11-16

  • CVE-2022-41914: Fixed the verification of the SCIM account
    management bearer tokens to use a constant-time comparator. Zulip
    Server 5.0 through 5.6 checked SCIM bearer tokens using a comparator
    that did not run in constant time. For organizations with SCIM
    account management enabled, this bug theoretically allowed an
    attacker to steal the SCIM bearer token, and use it to read and
    update the Zulip organization’s user accounts. In practice, this
    vulnerability may not have been practical or exploitable. Zulip
    Server installations which have not explicitly enabled SCIM are not
    affected.
  • Fixed an error with deactivating users with manage.py sync_ldap_user_data
    when LDAP_DEACTIVATE_NON_MATCHING_USERS was enabled.
  • Fixed several subtle bugs that could lead to browsers reloading
    repeatedly when the server was updated.
  • Fixed a live-update bug when changing certain notifications
    settings.
  • Improved error logs when sending push notifications to the push
    notifications service fails.
  • Upgraded Python requirements.
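The CVE-2022-41914 item above describes a bearer-token check whose running time depended on how much of the secret the caller had right. The added example below (written for this page, not Zulip's own code) contrasts that weak pattern with a constant-time check of an `Authorization: Bearer <token>` header using Python's `hmac.compare_digest`; the token value is a constructed placeholder.

```python
import hmac
from typing import Optional

# Constructed placeholder for the SCIM bearer token an administrator would
# configure for the SCIM client. Not a real Zulip token.
SCIM_BEARER_TOKEN = "example-scim-token-0123456789abcdef"


def verify_scim_token_vulnerable(header_value: str) -> bool:
    """The weak pattern: `==` on strings stops at the first differing
    character, so the time taken depends on how long the common prefix of
    the presented and real token is. This is the class of defect the page's
    CVE describes; keep it only for contrast."""
    if not header_value.startswith("Bearer "):
        return False
    return header_value[len("Bearer "):] == SCIM_BEARER_TOKEN


def verify_scim_token(header_value: Optional[str]) -> bool:
    """Constant-time check of the Authorization header.

    hmac.compare_digest takes time that depends only on the length of its
    inputs, not on where they first differ. Both sides are encoded to bytes
    because compare_digest raises TypeError for str inputs containing
    non-ASCII characters, and the presented value is attacker-controlled.
    Checks on the public "Bearer" scheme may short-circuit; they reveal
    nothing about the secret.
    """
    if header_value is None:
        return False
    scheme, _, presented = header_value.partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(
        presented.encode("utf-8"), SCIM_BEARER_TOKEN.encode("utf-8")
    )
```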

Details

  • date: Nov. 16, 2022, 3:52 p.m.
  • name: Zulip Server 5.7
  • type: Minor