Release Zulip Server 6.2.

docs/overview/changelog.md

@@ -7,6 +7,55 @@ up-to-date list of all changes.
 
 ## Zulip 6.x series
 
+### 6.2 -- 2023-05-19
+
+- CVE-2023-28623: Fixed a vulnerability that would allow users to sign up for a
+  Zulip Server account with an unauthorized email address, despite the server
+  being configured to require that email addresses be in LDAP. Specifically, if
+  the organization permissions don't require invitations to join, and the only
+  configured authentication backends were `ZulipLDAPAuthBackend` and some other
+  external authentication backend (any aside from `ZulipLDAPAuthBackend` and
+  `EmailAuthBackend`), then an unprivileged remote attacker could have created a
+  new account in the organization with an arbitrary email address in their
+  control that was not in the organization's LDAP directory.
+- CVE-2023-32677: Fixed a vulnerability which allowed users to invite new users
+  to streams when inviting them to the server, even if they did not have
+  [permission to invite existing users to streams](https://zulip.com/help/configure-who-can-invite-to-streams).
+  This did not allow users to invite others to streams that they themselves were
+  not a member of, and only affected deployments with the rare configuration of
+  a permissive
+  [realm invitation policy](https://zulip.com/help/restrict-account-creation#change-who-can-send-invitations)
+  and a strict
+  [stream invitation policy](https://zulip.com/help/configure-who-can-invite-to-streams).
+- Fixed a bug that could cause duplicate push notifications when using the
+  mobile push notifications service.
+- Fixed several bugs in the Zulip server and PostgreSQL version upgrade
+  processes.
+- Fixed multiple Recent conversations display bugs for private message
+  conversations.
+- Fixed the left sidebar stream list exiting “more topics” during background
+  re-rendering, and a related rendering bug.
+- Fixed a bug where uploaded files sent via the email gateway were not correctly
+  associated with the message’s sender.
+- Improved error handling for certain puppet failures.
+- Silenced a distracting `caniuse browserlist` warning in install/upgrade
+  output.
+- Simplified UI for inviting new users to make it easy to select the default
+  streams.
+- Fixed GPG check error handling for PGroonga apt repository.
+- Documented how to manage email address changes when using the LDAP backend.
+- Documented how to use SMTP without authentication.
+- Documented that the Zulip mobile/desktop apps now only support Zulip Server
+  4.0 and newer (released 22 months ago), following our 18-month support policy.
+- Extracted the documentation on modifying Zulip to a dedicated page.
+- Added a new `send_welcome_bot_message` management command, to allow the
+  sysadmin to send Welcome Bot messages manually after a data import.
+- Added new `RABBITMQ_USE_TLS` and `RABBITMQ_PORT` settings for installations
+  wanting to configure the RabbitMQ connection with a remote RabbitMQ host.
+- Added a new `timesync` deployment option to allow installations to override
+  Zulip’s default of `chrony` for time synchronization.
+- Upgraded dependencies for security and bug fixes.
+
 ### 6.1 -- 2023-01-23
 
 - Fixed a bug that caused the web app to not load on Safari 13 and lower;

version.py

@@ -1,6 +1,6 @@
 import os
 
-ZULIP_VERSION = "6.1+git"
+ZULIP_VERSION = "6.2"
 
 # Add information on number of commits and commit hash to version, if available
 zulip_git_version_file = os.path.join(
@@ -14,7 +14,7 @@
 ZULIP_MERGE_BASE = lines.pop(0).strip()
 
 LATEST_MAJOR_VERSION = "6.0"
-LATEST_RELEASE_VERSION = "6.1"
+LATEST_RELEASE_VERSION = "6.2"
 LATEST_RELEASE_ANNOUNCEMENT = "https://blog.zulip.com/2022/11/17/zulip-6-0-released/"
 
 # Versions of the desktop app below DESKTOP_MINIMUM_VERSION will be