Release announcements, Security

Zulip Desktop 5.2.0 security release

Anders Kaseorg

Today we released Zulip Desktop 5.2.0, fixing a critical security issue:

  • CVE-2020-12637: Zulip Desktop 0.5.10 introduced a certificate validation handler to support the undocumented ignoreCerts option available by manually editing the configuration file. However, the handler inadvertently disabled all certificate validation, whether or not ignoreCerts was enabled, except during initial association with the server.

The Zulip security team discovered this issue during internal auditing. All versions of Zulip Desktop from 0.5.10 through 5.1.0 are affected.

We have fixed the validation handler to correctly respect the ignoreCerts option, which safely defaults to false. We do not recommend enabling the ignoreCerts option, and we expect to remove it completely in a future release. (Administrators of self-hosted servers should install a valid certificate, as we have always recommended; see our documentation on using Certbot.)

This release also includes the following changes since 5.1.0:

  • Upstream dependencies have been upgraded to the latest releases, including Electron 8.2.5.
  • An issue where downloading a file caused the file chooser dialog to open twice has been fixed.
  • A helper has been added to enable an improved social login flow that runs in the default web browser rather than inside the app. The new flow is available now in Zulip Cloud and in self-hosted servers running from Git master, which will become the upcoming Zulip Server 2.2 release.

Upgrading

All installations should upgrade to this latest release as soon as possible. Installations with the default automatic upgrades enabled will be upgraded to the new release when next launched.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: