From f77204be1407e459ad6969e7a84cef94d4fe1a20 Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Tue, 15 Mar 2022 14:23:42 -0700
Subject: [PATCH] version: Update version and changelog after 4.11 release.
---
 docs/overview/changelog.md | 13 +++++++++++++
 version.py | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/docs/overview/changelog.md b/docs/overview/changelog.md
index c78ff29a50..af119df0ef 100644
--- a/docs/overview/changelog.md
+++ b/docs/overview/changelog.md
@@ -121,6 +121,19 @@ log][commit-log] for an up-to-date list of raw changes.
 ## Zulip 4.x series
+## Zulip 4.11 -- 2022-03-15
+
+- CVE-2022-24751: Zulip Server 4.0 and above were susceptible to a
+ race condition during user deactivation, where a simultaneous access
+ by the user being deactivated may, in rare cases, allow continued
+ access by the deactivated user. This access could theoretically
+ continue until one of the following events happens:
+ - The session expires from memcached; this defaults to two weeks, and
+ is controlled by SESSION_COOKIE_AGE in /etc/zulip/settings.py
+ - The session cache is evicted from memcached by other cached data.
+ - The server is upgraded, which clears the cache.
+- Updated translations.
+
 ## Zulip 4.10 -- 2022-02-25
 - CVE-2022-21706: Reusable invitation links could be improperly used
diff --git a/version.py b/version.py
index 1621c00c83..ba2aa49330 100644
--- a/version.py
+++ b/version.py
@@ -14,7 +14,7 @@ ZULIP_VERSION = lines.pop(0).strip()
 ZULIP_MERGE_BASE = lines.pop(0).strip()
 LATEST_MAJOR_VERSION = "4.0"
-LATEST_RELEASE_VERSION = "4.10"
+LATEST_RELEASE_VERSION = "4.11"
 LATEST_RELEASE_ANNOUNCEMENT = "https://blog.zulip.com/2021/05/13/zulip-4-0-released/"
 # Versions of the desktop app below DESKTOP_MINIMUM_VERSION will be