Release announcements, Security

Zulip Server 2.0.5 security release

Tim Abbott 2 min read

We released Zulip Server 2.0.5 today. This is a security release, containing a handful of cherry-picked changes since Zulip 2.0.4.

What’s new

This releases fixes a few important bugs in previous versions of Zulip. It contains fixes for the following security issues:

  • CVE-2019-16215: Fix DoS vulnerability in Markdown LINK_RE.
  • CVE-2019-16216: Fix MIME type validation bug allowing XSS.

CVE-2019-16215 affects all past version of Zulip. CVE-2019-16216 affects common configurations of Zulip 1.8.0 and newer.

This release also contains some bug fixes for new installations:

  • Fixed email gateway postfix configuration for Ubuntu Bionic.
  • Fixed support for hidden_by_limit messages in Slack import.
  • Fixed confusing output from the knight management command.

We expect Zulip 2.1 to be released in the coming weeks, with hundreds of new features and other changes.

Upgrading

All users should upgrade promptly to secure their installations. See the upgrade instructions in the Zulip documentation.

If you’re upgrading from 2.0.x, then the code changes are small and there are no migrations or dependency changes, so the risk of unexpected disruption is low. If you’re upgrading from an older version, we recommend upgrading directly to 2.0.5.

If you’re running a fork of master, you will need to rebase your fork to get these fixes.

If you need help, best-effort support is available on chat.zulip.org, the Zulip community chat server.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: