You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
CVE-2023-28623: Fixed a vulnerability that would allow users to sign up for a Zulip Server account with an unauthorized email address, despite the server being configured to require that email addresses be in LDAP. Specifically, if the organization permissions don't require invitations to join, and the only configured authentication backends were ZulipLDAPAuthBackend and some other external authentication backend (any aside from ZulipLDAPAuthBackend and EmailAuthBackend), then an unprivileged remote attacker could have created a new account in the organization with an arbitrary email address in their control that was not in the organization's LDAP directory.
CVE-2023-32677: Fixed a vulnerability which allowed users to invite new users to streams when inviting them to the server, even if they did not have permission to invite existing users to streams. This did not allow users to invite others to streams that they themselves were not a member of, and only affected deployments with the rare configuration of a permissive realm invitation policy and a strict stream invitation policy.
Fixed a bug that could cause duplicate push notifications when using the mobile push notifications service.
Fixed several bugs in the Zulip server and PostgreSQL version upgrade processes.
Fixed multiple Recent conversations display bugs for private message conversations.
Fixed the left sidebar stream list exiting “more topics” during background re-rendering, and a related rendering bug.
Fixed a bug where uploaded files sent via the email gateway were not correctly associated with the message’s sender.
Improved error handling for certain puppet failures.
Silenced a distracting caniuse browserlist warning in install/upgrade output.
Simplified UI for inviting new users to make it easy to select the default streams.
Fixed GPG check error handling for PGroonga apt repository.
Documented how to use SMTP without authentication.
Documented that the Zulip mobile/desktop apps now only support Zulip Server 4.0 and newer (released 22 months ago), following our 18-month support policy.