Today we’re releasing Zulip Server 1.7.2. This is a security release, containing just a handful of cherry-picked changes since 1.7.1.
This release fixes several security issues:
- CVE-2018-9986: Fix XSS issues with frontend markdown processor.
- CVE-2018-9987: Fix XSS issue with muting notifications.
- CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.
- CVE-2018-9999: Fix XSS issue with user uploads and the (default)
CVE-2018-9987 was introduced in Zulip 1.5.0; the other three issues were present in the first public release of Zulip. None of these issues were publicly known before today.
Thanks to Suhas Sunil Gaikwad for reporting CVE-2018-9987 and w9w for reporting CVE-2018-9986 and CVE-2018-9990.
All users should upgrade promptly to secure their systems. See the upgrade instructions in the Zulip documentation.
If you’re upgrading from 1.7.1, then the code changes are small and there are no migrations or dependency changes, so the risk of unexpected disruption is low.
If you need help, best-effort support is available on chat.zulip.org, the Zulip community chat server.
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org, the Zulip community server. Several streams are dedicated to user feedback and discussion.
- Follow us on Twitter, or join our announcement mailing list.
Thanks to Rohitt Vashishtha for help in preparing this release.