Zulip - 6.2
6.2 -- 2023-05-19
- CVE-2023-28623: Fixed a vulnerability that would allow users to sign up for a Zulip Server account with an unauthorized email address, despite the server being configured to require that email addresses be in LDAP. Specifically, if the organization permissions don't require invitations to join, and the only configured authentication backends were
ZulipLDAPAuthBackendand some other external authentication backend (any aside from
EmailAuthBackend), then an unprivileged remote attacker could have created a new account in the organization with an arbitrary email address in their control that was not in the organization's LDAP directory.
- CVE-2023-32677: Fixed a vulnerability which allowed users to invite new users to streams when inviting them to the server, even if they did not have permission to invite existing users to streams. This did not allow users to invite others to streams that they themselves were not a member of, and only affected deployments with the rare configuration of a permissive realm invitation policy and a strict stream invitation policy.
- Fixed a bug that could cause duplicate push notifications when using the mobile push notifications service.
- Fixed several bugs in the Zulip server and PostgreSQL version upgrade processes.
- Fixed multiple Recent conversations display bugs for private message conversations.
- Fixed the left sidebar stream list exiting “more topics” during background re-rendering, and a related rendering bug.
- Fixed a bug where uploaded files sent via the email gateway were not correctly associated with the message’s sender.
- Improved error handling for certain puppet failures.
- Silenced a distracting
caniuse browserlistwarning in install/upgrade output.
- Simplified UI for inviting new users to make it easy to select the default streams.
- Fixed GPG check error handling for PGroonga apt repository.
- Documented how to manage email address changes when using the LDAP backend.
- Documented how to use SMTP without authentication.
- Documented that the Zulip mobile/desktop apps now only support Zulip Server 4.0 and newer (released 22 months ago), following our 18-month support policy.
- Extracted the documentation on modifying Zulip to a dedicated page.
- Added a new
send_welcome_bot_messagemanagement command, to allow the sysadmin to send Welcome Bot messages manually after a data import.
- Added new
RABBITMQ_PORTsettings for installations wanting to configure the RabbitMQ connection with a remote RabbitMQ host.
- Added a new
timesyncdeployment option to allow installations to override Zulip’s default of
chronyfor time synchronization.
- Upgraded dependencies for security and bug fixes.
May 19, 2023, 6:43 p.m.
Zulip Server 6.2
Register or login to:
- 🔍View and search all Zulip releases.
- 🛠️Create and share lists to track your tools.
- 🚨Setup notifications for major, security, feature or patch updates.
- 🚀Much more coming soon!