# Version history This page the release history for the Zulip server. See also the [Zulip release lifecycle](../overview/release-lifecycle.md). ## Zulip 7.x series ### 7.0 -- unreleased This section is an incomplete draft of the release notes for the next major release, and is only updated occasionally. See the [commit log][commit-log] for an up-to-date list of all changes. #### Highlights - Many significant visual changes as part of Zulip's ongoing redesign project, including message feed headers, mention colors, dates and times, compose box banners, icons, and tooltips. Many further improvements are planned for future releases. - Added support for unmuting a topic in a muted stream, previously the 4th most upvoted GitHub issue. - Redesigned the permissions settings for message editing, topic editing, and moving topics to have a cleaner model. - New compose box features: Scheduling a message to be sent later, a nicer stream picker, and the ability to switch between stream and private messages. - Numerous improvements to the Help Center, including documentation for how to complete many common tasks in the Zulip mobile apps. - Redesigned the interface and permissions model for moving topics to be independent from message content editing, providing a cleaner experience and better configurability. - Renamed "Private messages" to "Direct messages" across the user interface, including search operators. We expect further API changes to be integrated gradually over coming releases due to backwards compatibility considerations. - Added a new personal privacy setting for to what extent the user's email address should be shared with other users in the organization; previously this was solely controlled by organization administrators. This is presented to the user during account creation. #### Full feature changelog - Added full support for using JWT authentication to integrate Zulip with another application. - Added new stream setting controlling which users can remove other subscribers from the stream. - Added new setting to control when messages are marked as read when scrolling. - Added notification bot messages when another user adds you to or removes you from a user group. - Added additional confirmation dialogs for actions deserving caution, including marking all messages as read, removing the last user from a private stream, and disabling all notifications for direct messages. - Added support for deployment hooks to be run whenever the Zulip server is upgraded. - Added new `z` keyboard shortcut to view a message in context. - Added new `=` keyboard shortcut to upvote an existing emoji reaction. - Changed the `s` keyboard shortcut to be a toggle, replacing the previous model that required both `s` and `S` keyboard shortcuts. - Clarified automated notifications when moving and resolving topics. - New webhook integrations: Rundeck. - Reworked linkifiers to use URL templates for the URL patterns. - Improved left sidebar to show more topics within the current stream, and more private message converations, especially when many are unread. - Improved many interaction details in the settings subsystem, including how files are uploaded, hover behaviors, etc. - Improved the logged out experience to suggest logging in to see more streams in the left sidebar. - Improved many subtle details of compose box autocomplete, file uploads, and error handling. Browser undo now works more consistently in the compose box. - Improved subscriber management in stream settings to support sorting users and seeing their user cards after a click. - Improved previously unspecified behavior when multiple overlapping linkifiers applied to syntax within a message. - Improved subject lines for email notifications in topics that have been resolved so that email clients will thread them with the pre-resolution topic. - Improved the Slack incoming integration's handling of fancier Slack syntax. - Improved notification format for most Git integrations. - Improved onboarding emails with better content and links to guides. - Improved how uploaded files are served with the S3 file uploads backend to better support browser caching. - Improved the instructions for data imports from third-party tools to be much more detailed. - Improved the web application's main loading indicator. - Improved the visuals of todo and poll widgets. - Improved the content of onboarding emails. - Improved default for whether to include the Zulip realm name in the subject line of email notifications. - Improved rendering format for emoji inside headings. - Improved performance of rendering message views. - Improved capabilities of compliance exports, including new CSV format. - Fixed missing localization for dates/times in the message feed. - Fixed a subtle issue causing files uploaded via the incoming email gateway to not be viewable. - Fixed a subtle compose box issue that could cause a message to be sent twice. - Fixed several subtle bugs involving messages that failed to send. - Fixed an issue where newly created users could get email notifications for messages from Welcome Bot. - Fixed an issue the management command to garbage-collect uploaded files that are no longer used in a message was not running in cron. - Fixed noticeable lag when marking messages as unread in the web app. - Fixed a bug that could cause duplicate mobile push notifications. - Added support for configurable hooks to be run when upgrading the Zulip server. - Added support for using TLS to secure the RabbitMQ connection. - The Zulip API now includes a `ignored_parameters_unsupported` field to help client developers debug when they are attempting to use a parameter that the Zulip server does not support. - Migrated web application error reporting to use Sentry. - Significant portions of the original Bootstrap CSS framework have been deleted. This is an ongoing project. - Converted many JavaScript modules to TypeScript. - Reorganized the codebase, with new web/, help/, and api_docs/ top-level directories. - Upgraded many third-party dependencies, including to Django 4.2 LTS. #### Upgrade notes for 7.0 - When the [S3 storage backend](../production/upload-backends.md) is used for storing file uploads, those contents are now fetched by nginx, cached locally on the server, and served to clients; this lets clients cache the contents, and saves them a redirect. However, it may require administrators adjust the size of the server's cache if they have a large deploy; see the [documentation](../production/upload-backends.md#s3-local-caching). - Removed the `application_server.no_serve_uploads` setting in `/etc/zulip/zulip.conf`, as all uploads requests go through Zulip now. - Installations using the previously undocumented [JWT authentication feature](../production/authentication-methods.md#jwt) will need to make minor adjustments in the format of JWT requests; see the documentation for details on the new format. - High volume log files like `server.log` are now by default retained for 14 days, configured via the `access_log_retention_days` [deployment option](../production/deployment.md#system-and-deployment-configuration). This replaces a harder to understand size-based algorithm that was not easily configurable. - The URL patterns for [linkifiers](https://zulip.com/help/add-a-custom-linkifier) have been migrated from a custom format string to RFC 6570 URL templates. A database migration will automatically migrate existing linkifiers correctly in the vast majority of cases, but some fancier linkfiers may require manual adjustment to generate correct URLs following this upgrade. - PostgreSQL 11 is no longer supported; if you are currently using it, you will need to [upgrade PostgreSQL](../production/upgrade.md#upgrading-postgresql) before upgrading Zulip. ## Zulip 6.x series ### 6.1 -- 2023-01-23 - Fixed a bug that caused the web app to not load on Safari 13 and lower; affected users would only see a blank page. - Recent conversations now displays the “Participants” column for private messages too. - Fixed minor bugs in “Recent conversations” focus and re-rendering. - Fixed bugs that caused some unicode emoji to be incorrectly unavailable. - Fixed subtle display bugs rendering the left sidebar. - Fixed a bug causing the message feed to briefly show a “no matching messages” notice while loading. - Fixed a double escaping display bug when displaying user names in an error notice. - Fixed an unhandled exception when displaying user cards if the current user has an invalid timezone configured. - Fixed a subtle interaction bug with the compose box preview widget. - Added a workaround for a bug in Chromium affecting older versions of the Zulip desktop app that would cause horizontal lines to appear between messages. - Stopped clipping the tops of tall characters in stream and topic names. - Use internationalized form of “at” in message timestamps. - Updated translations. - Fixed the “custom” value for the “[delay before sending message notification emails](https://zulip.com/help/email-notifications#delay-before-sending-emails)” setting. - Fixed an error which prevented users from changing [stream-specific notification settings](https://zulip.com/help/stream-notifications#set-notifications-for-a-single-stream). - Fixed the redirect from `/apps` to https://zulip.com/apps/. - Started preserving timezone information in [Rocket.Chat imports](https://zulip.com/help/import-from-rocketchat). - Updated the Intercom integration to return success on `HEAD` requests, which it uses to verify its configuration. - Documented how each [rate limit](../production/security-model.md#rate-limiting) category is used. - Documented the `reset_authentication_attempt_count` command for when users lock themselves out. - Documented the [full S3 bucket policy](../production/upload-backends.md#s3-bucket-policy) for avatar and uploads buckets. - Clarified what the `--email` value passed to the installer will be used for. - Hid harmless "non-existent database" warnings during initial installation. - Forced a known locale when upgrading PostgreSQL, which avoids errors when using some terminal applications. - Verified that PostgreSQL was running after upgrading it, in case a previous try at an upgrade left it stopped. - Updated custom emoji migration 0376 to be a single SQL statement, and no longer crash when no active owners were found. - Replaced `transifex-client` internationalization library with new `transifex-cli`. - Began respecting proxy settings when installing `shellcheck` and `shfmt` tools. - Fixed the invitation code to signal a user data validation error, and not a server error, if an invalid “invite as” value was given. - Renamed internal exceptions to end with `Error`. ### 6.0 -- 2022-11-17 #### Highlights - Users can now mark messages as unread. - Added support for viewing read receipts, along with settings allowing both organizations and individual users to disable them. - Added new compose box button to navigate to the conversation being composed to, when that is different from the current view. - Added a scroll-to-bottom button, analogous to the `End` shortcut, that appears only when scrolling using the mouse. - Added support for up to 2 custom profile fields being highlighted in a user's profile summary popover, and added support for a new Pronouns custom field type designed to take advantage of it. Redesigned the custom profile fields administrative UI. - Redesigned the left sidebar to better organize pinned and inactive streams, highlight topics where the user was mentioned, and better advertise streams that the current user can subscribe to. - Redesigned the private messages experience in the left sidebar to make browsing conversations more ergonomic, with a similar usage pattern to browsing the topics within a stream. - Improved "Recent topics" and renamed it to "Recent conversations" with the addition of including private messages in the view. The timestamp links now go to the latest message in the topic, arrow key navigation was improved, topics containing unread mentions are now highlighted, as well as many other bug fixes or subtle improvements. - Messages containing 3 or fewer emoji reactions now display the names of reacting users alongside the emoji. This eliminates the need to mouse over emoji reactions to find out who reacted in the vast majority of cases. - Replaced the previous "Unavailable" status with a "Go invisible" feature that is more useful and intuitive. - The right sidebar now displays user status messages by default, with an optional compact design available. - The [public access option][public-access-option] was enhanced to skip the login page by default, support switching themes and languages, and add many other UI improvements. - Incoming webhook integrations now support filtering which classes of events are sent into Zulip; this can be invaluable when the third-party service doesn't support configuring which events to send to Zulip. - Added support for Ubuntu 22.04. - Removed support for Debian 10 and PostgreSQL 10 due to their approaching end-of-life upstream. - New integrations: Azure DevOps, RhodeCode, wekan. [public-access-option]: https://blog.zulip.com/2022/05/05/public-access-option/ #### Full feature changelog - Redesigned the message actions popover to be better organized. - Redesigned moving messages to have a cleaner, more consistent UI that is no longer combined with the message editing UI. One can now choose to send automated notices when moving messages within a stream, not only between streams. - Redesigned full user profiles to have a cleaner look and also display user IDs, which can be important when using the API. Users can now administer bot stream subscriptions from the bot's full profile. - Redesigned the gear menu to display basic details about the Zulip organization, server, and its version. - Redesigned several organization settings pages to have more consistent design. - Redesigned the footer for self-hosted Zulip servers. The footer now has just a few key links, rather than being almost identical to the footer for the zulip.com website. - Redesigned the 500 error pages for self-hosted Zulip servers to be clearer and link to the Zulip server troubleshooting guide. - Redesigned the interface for configuring message editing and deletion permissions to be easier to understand. - Added support for emoji added in unicode versions since 2017, which had previously been unavailable in Zulip. Users using the deprecated "Google blobs" emoji set are automatically migrated to the modern "Google" emoji set. The "Google blobs" emoji set remains available for users who prefer it, with any new emoji that were added to the Unicode standard since 2017 displayed in the modern "Google" style. - Added support for changing the role of bots in the UI; previously, this was only possible via the API. - Added confirmation modals for various destructive actions, such as deactivating bots. - Added new summary statistics on the organization analytics page. Fixed several bugs with the display of analytics graphs. - Added support for administrators sending a final email to a user as part of deactivating their Zulip account. - Added API endpoint to get a single stream by ID. - Added beta support for user groups to have subgroups, and for some permissions settings to be managed using user groups. Over the coming releases, we plan to migrate all Zulip permissions settings to be based on this more flexible groups-based system. We currently expect this migration to be fully backwards-compatible. - Added a new compliance export management command. - Zulip's automated emails use the `X-Auto-Response-Suppress` header to reduce auto-responder replies. - Changed various icons to be more intuitive. The bell-based icon for muted topics has been replaced by a more standard muted speaker icon. - Reworked how a new user's language is set to prefer their browser's configured language over the organization's configured language. This organization-level setting has been renamed to "Language for automated messages and invitation emails" to reflect what it actually does following this change. - Organized the Drafts panel to prioritize drafts matching the current view. - Added an automated notification to the "stream events" topic when changing a stream's privacy settings. - Added support for conveniently overriding the default rate-limiting rules. - Improved the search typeahead to show profile pictures for users. - Improved typeahead matching algorithm for stream/user/emoji names containing multiple spaces and other corner cases. - Improved the help center, including better display of keyboard shortcuts, mobile documentation for common workflows and many polish improvements. - Improved API documentation, including a new page on roles and permissions, an audit to correct missing **Changes** entries, and new documentation for several previously undocumented endpoints. - Improved Python static type-checking to make use of Django stubs for `mypy`, fixing many minor bugs in the process. - Improved RealmAuditLog to cover several previously unauditable changes. - Improved the experience for users who have not logged in for a long time, and receive an email or push notification about a private message or personal mention. These users are now automatically soft reactivated at the time of the notification, for a smoother experience when they log in. - Improved the Tornado server-to-client push system's sharding system to support realm regular expressions and experimental support for splitting a single realm across multiple push server processes. - Improved user deactivation modal to provide details about bots and invitations that will be disabled. - Improve matching algorithm for left sidebar stream filtering. - Improved several integrations, including CircleCI, Grafana, Harbor, NewRelic, and the Slack compatible incoming webhook. Git webhooks now use a consistent algorithm for choosing shortened commit IDs to display. - Improved mention typeahead and rendering for cases where mention syntax appears next to symbols. - Improved browser window titles used by the app to be clearer. - Improved the language in message notification emails explaining why the notification was sent. - Improved interface for accessing stream email addresses. - Reordered the organization settings panels to be more intuitive. - Increased timeout for processing slow requests from 20s to 60s. - Removed the "user list in left sidebar in narrow windows" setting. - Removed limits that prevented replying to Zulip email notifications multiple times or, several days after receiving them. - Fixed numerous bugs and performance issues with the Rocket.Chat data import tool. Improved importing emoji from Slack. - Fixed several bugs where drafts could fail to be saved. - Fixed a bug where copy-paste would incorrectly copy an entire message. - Fixed the app's main loading page to not suggest reloading until several seconds have passed. - Fixed multiple bugs that could cause the web app to flood the server with requests after the computer wakes up from suspend. - Fixed a bug where public streams imported from other chat systems could incorrectly be configured as public streams without shared history, a configuration not otherwise possible in Zulip. - Fixed several subtle bugs involving editing custom profile field configuration. - Fixed several bugs involving compose box keyboard shortcuts. - Fixed dozens of settings UI interaction design bugs. - Fixed subtle caching bugs in the URL preview system. - Fixed several rare race conditions in the server implementation. - Fixed many CSS corner cases issues involving content overflowing containers. - Fixed entering an emoji in the mobile web app using an emoji keyboard. - Fixed Enter being processed incorrectly when inputting a character into Zulip phonetically via an IME composing session. - Fixed several subtle bugs with confirmation links. - Fixed a subtle performance issue for full-text search for uncommon words. - Fixed the estimator for the size of public data exports. - Fixed "mark all as read" requiring a browser reload. - Major improvements to our documentation for setting up the development environment and for joining the project as a new contributor. - Extracted several JavaScript modules to share code with the mobile app. - Replaced several Python linters with Ruff, an incredibly fast Python linter written in Rust. - Upgraded many third-party dependencies including Django 4.1, and substantially modernized the Python codebase. #### Upgrade notes for 6.0 - Installations using [docker-zulip][docker-zulip] will need to [upgrade Postgres][docker-zulip-upgrade-database] before upgrading to Zulip 6.0, because the previous default of Postgres 10 is no longer supported by this release. - Installations using the AzureAD authentication backend will need to update `/etc/zulip/zulip-secrets.conf` after upgrading. The `azure_oauth2_secret` secret was renamed to `social_auth_azuread_oauth2_secret`, to match our other external authentication methods. - This release contains an expensive migration, `0419_backfill_message_realm`, which adds data to a new `realm` column in the message table. Expect it to run for 10-15 minutes per million messages in the database. The new column is not yet used in this release, so this migration can be run in the background for installations hoping to avoid extended downtime. - Custom profile fields with "Pronouns" in their name and the "short text" field type were converted to the new "Pronouns" field type. [docker-zulip-upgrade-database]: https://github.com/zulip/docker-zulip/#upgrading-zulipzulip-postgresql-to-14 ## Zulip 5.x series ### 5.7 -- 2022-11-16 - CVE-2022-41914: Fixed the verification of the SCIM account management bearer tokens to use a constant-time comparator. Zulip Server 5.0 through 5.6 checked SCIM bearer tokens using a comparator that did not run in constant time. For organizations with SCIM account management enabled, this bug theoretically allowed an attacker to steal the SCIM bearer token, and use it to read and update the Zulip organization’s user accounts. In practice, this vulnerability may not have been practical or exploitable. Zulip Server installations which have not explicitly enabled SCIM are not affected. - Fixed an error with deactivating users with `manage.py sync_ldap_user_data` when `LDAP_DEACTIVATE_NON_MATCHING_USERS` was enabled. - Fixed several subtle bugs that could lead to browsers reloading repeatedly when the server was updated. - Fixed a live-update bug when changing certain notifications settings. - Improved error logs when sending push notifications to the push notifications service fails. - Upgraded Python requirements. ### 5.6 -- 2022-08-24 - CVE-2022-36048: Change the Markdown renderer to only rewrite known local links as relative links, rather than rewriting all local links. This fix also protects against a vulnerability in the Zulip mobile app (CVE-2022-35962). - Added hardening against timing attacks to an internal authentication check. - Improved documentation for hosting multiple organizations on a server. - Updated dependencies. - Updated translations. ### 5.5 -- 2022-07-21 - CVE-2022-31168: Fix authorization check for changing bot roles. Due to an incorrect authorization check in Zulip Server 5.4 and all prior releases, a member of an organization could craft an API call that would grant organization administrator privileges to one of their bots. - Added new options to the `restore-backup` tool to simplify restoring backups on a system with a different configuration. - Updated translations, including major updates to the Mongolian and Serbian translations. ### 5.4 -- 2022-07-11 - CVE-2022-31134: Exclude private file uploads from [exports of public data](https://zulip.com/help/export-your-organization#export-of-public-data). We would like to thank Antoine Benoist for bringing this issue to our attention. - Upgraded python requirements. - Improved documentation for load balancers to mention CIDR address ranges. - Documented an explicit list of supported CPU architectures. - Switched `html2text` to run as a subprocess, rather than a Python module, as its GPL license is not compatible with Zulip’s. - Replaced `markdown-include` python module with a reimplementation, as its GPL license is not compatible with Zulip’s. - Relicensed as GPL the `tools/check-thirdparty` developer tool which verifies third-party licenses, due to a GPL dependency by way of `python-debian`. - Closed a potential race condition in the Tornado server, with events arriving at exactly the same time as request causing server errors. - Added a tool to help automate more of the release process. ### 5.3 -- 2022-06-21 - CVE-2022-31017: Fixed message edit event exposure in protected-history streams. Zulip allows a stream to be configured as [private with protected history](https://zulip.com/help/stream-permissions#stream-privacy-settings), which means that new subscribers should only see messages sent after they join. However, due to a logic bug in Zulip Server 2.1.0 through 5.2, when a message was edited, the server would incorrectly send an API event that included both the edited and old content of the message to all of the stream’s current subscribers, regardless of whether they could see the original message. The impact of this issue was reduced by the fact that this API event is ignored by official clients, so it could only be observed by a user using a modified client or their browser’s developer tools. - Adjusted upgrade steps to cause servers using PostgreSQL 14 to upgrade to PostgreSQL 14.4, which fixes an important potential database corruption issue. - Upgraded the asynchronous request handling to use Tornado 6. - Fixed a crash when displaying the error message for a failed attempt to create a stream. - Optimized the steps during `upgrade-zulip`, to reduce the amount of server downtime. - Added a `--skip-restart` flag to `upgrade-zulip` which prepares the new version, but does not restart the server into it. - Stopped mirroring the entire remote Git repository directly into `/srv/zulip.git`. This mirroring removed local branches and confused the state of previous deployments. - Fixed a bug which could cause the `delete_old_unclaimed_attachments` command-line tool to remove attachments that were still referenced by deleted (but not yet permanently removed) messages. - Stopped enabling `USE_X_FORWARDED_HOST` by default, which was generally unneeded; the proxy documentation now clarifies when it is necessary. - Fixed the nginx configuration to include the default system-level nginx modules. - Only attempt to fix the `certbot` SSL renewal configuration if HTTPS is enabled; this addresses a regression in Zulip Server 5.2, where the upgrade would fail if an improperly configured certificate existed, but was both expired and not in use. - Improved proxy and database backup documentation. ### 5.2 -- 2022-05-03 - Fixed a performance regression in the UI, introduced in 5.0, when opening the compose box. - Fixed a bug which could intermittently cause URL previews to fail, if Zulip was being run in Docker or in low-memory environments. - Fixed an issue which would cause PostgreSQL 10 and PostgreSQL 11 to attempt to write each WAL log to S3, even if S3 WAL backups/replication were not configured. - Fixed an issue which prevented the SCIM integration from deactivating users. - Fixed a bug that resulted in an “You unsubscribed” notice incorrectly appearing when new messages arrived in a topic being viewed via a “near” link. - Fixed digest emails being incorrectly sent if a user was deactivated after the digest was enqueued but before it was processed. - Fixed warning about `EMAIL_HOST_PASSWORD` being unset when explicitly set to empty. - Fixed incomplete tracebacks when timeouts happen during Markdown rendering. - Fixed some older versions of Zulip Server not being considered when comparing for the likely original version of `settings.py`. - Stopped using the `database_password` if it is set but `database_user` is not. - Stopped trying to fix LetsEncrypt certificate configuration if they were not currently in use. - Sorted and prettified the output of the `check-database-compatibility` tool. - Split the large `zerver/lib/actions.py` file into many files under `zerver/actions/`. This non-functional change was backported to ensure it remains easy to backport other changes. - Updated documentation to reflect that current mobile apps are only guaranteed to be compatible with Zulip Server 3.0 and later; they may also work with earlier versions, with a degraded experience. ### 5.1 -- 2022-04-01 - Fixed upgrade bug where preexisting animated emoji would still always animate in statuses. - Improved check that prevents servers from accidentally downgrading, to not block upgrading servers that originally installed Zulip Server prior to mid-2017. - Fixed email address de-duplication in Slack imports. - Prevented an extraneous scrollbar when a notification banner was present across the top. - Fixed installation in LXC containers, which failed due to `chrony` not being runnable there. - Prevented a "push notifications not configured" warning from appearing in the new user default settings panel even when push notifications were configured. - Fixed a bug which, in uncommon configurations, would prevent Tornado from being restarted during upgrades; users would be able to log in, but would immediately be logged out. - Updated translations. ### 5.0 -- 2022-03-29 #### Highlights - New [resolve topic](https://zulip.com/help/resolve-a-topic) feature allows marking topics as ✔ completed. It’s a lightweight way to manage a variety of workflows, including support interactions, answering questions, and investigating issues. - Administrators may enable the option to create [web-public streams](https://zulip.com/help/web-public-streams). Web-public streams can be viewed by anyone on the Internet without creating an account in your organization. - Users can now select a status emoji alongside their status message. Status emoji are shown next to the user's name in the sidebars, message feed, and compose box. Animated status emoji will only animate on hover. - Redesigned the compose box, adding formatting buttons for bold, italics and links as well as visual improvements. New button for inserting global times into your message. - Redesigned "Stream settings" to be much more usable, with separate tabs for personal settings, global settings, and membership, and more consistent style with the rest of Zulip's settings. - Stream creation was redesigned with a much cleaner interface, especially for selecting initial subscribers. - Redesigned "Full user profile" widget to show the user's stream and user group subscriptions. Administrators can unsubscribe a user from streams directly from their full profile. - Reorganized personal and organization settings to have clearer labels and make it easier to find privacy settings. - Organization administrators can now configure the default personal preference settings for new users joining the organization. - Most permissions settings now support choosing which roles have the permission, rather than just allowing administrators or everyone. - Permanent links to conversations now correctly redirect if the target message has been moved to a new stream or topic. - Added a data import tool for migrating from Rocket.Chat. Mattermost data import now supports importing uploaded files. - Improved handling of messages containing many images; now up to 20 images can be previewed in a single message (up from 5), and a new grid layout will be used. - OpenID Connect joins SAML, LDAP, Google, GitHub, Azure Active Directory, and more as a supported Single Sign-On provider. - SAML authentication now supports syncing custom profile fields. Additionally, SAML authentication now supports automatic account creation and IdP-initiated logout. - Added SCIM integration for synchronizing accounts with an external user database. - Added support for installation on ARM platforms (including Mac M1). - Removed support for Ubuntu 18.04, which no longer receives upstream security support for key Zulip dependencies. #### Upgrade notes for 5.0 - This release contains a migration, `0009_confirmation_expiry_date_backfill`, that can take several minutes to run on a server with millions of messages of history. - The `TERMS_OF_SERVICE` and `PRIVACY_POLICY` settings have been removed in favor of a system that supports additional policy documents, such as a code of conduct. See the [updated documentation](../production/settings.md) for the new system. #### Full feature changelog - Timestamps in Zulip messages are now permanent links to the message in its thread. - Added support for invitation links with configurable expiry, including links that never expire. Deactivating a user now disables all invitations that the user had sent. - Added support for expanding the compose box to be full-screen. - Added support for filtering events in webhooks. - Added support for overriding Zulip's defaults for new users in your organization. - Added support for referring to a user group with a silent mention. - Added new personal privacy setting controlling whether typing notifications are sent to other users. - Added new personal setting controlling whether `Esc` navigates the user to the default view. - Split stream creation policy into separate settings for private, public, and web-public streams. - New integrations: Freshstatus, Lidarr, Open Collective, Radarr, Sonarr, SonarQube. - Message edit notifications now indicate how many messages were moved, when only part of a topic was moved. - Muted topic records are now moved when an entire topic is moved. - Search views that don't mark messages as read now have an explanatory notice if any unread messages are present. - Added new "Scroll to bottom" widget hovering over the message feed. - Changed the default emoji set from Google Classic to Google Modern. - User groups mentions now correctly function as silent mentions when inside block quotes. - Messages that have been moved (but not otherwise edited) are now displayed as MOVED, not EDITED. - Reworked the UI for selecting a stream when moving topics. - Redesigned modals in the app to have more consistent and cleaner UX. - Added new topic filter widget in left sidebar zoomed view. - Redesigned Welcome Bot onboarding experience. - Redesigned hover behavior for timestamps and time mentions. - Messages sent by muted users can now be rehidden after being revealed. One can also now mute deactivated users. - Rewrote Help Center guides for new organizations and users, and made hundreds of other improvements to Help Center content and organization. - Reimplemented the image lightbox's pan/zoom functionality to be nicer, allowing us to enable it be default. - Added styled loading page for the web application. - Webhook integrations now support specifying the target stream by ID. - Notifications now differentiate user group mentions from personal mentions. - Added support for configuring how long the server should wait before sending email notifications after a mention or PM. - Improved integrations: BigBlueButton, GitHub, Grafana, PagerDuty, and many more. - Improved various interaction and performance details in "Recent topics". - Improved styling for poll and todo list widgets. - Zulip now supports configuring the database name and username when using a remote Postgres server. Previously, these were hardcoded to "zulip". - Migrated many tooltips to prettier tooltips powered by TippyJS. - Autocomplete is now available when editing topics. - Typeahead for choosing a topic now consistently fetches the full set of historical topics in the stream. - Changed "Quote and reply" to insert quoted content at the cursor when the compose box is not empty. - The compose box now has friendly UI for messages longer than 10K characters. - Compose typeahead now opens after typing only "@". - Improved the typeahead sorting for choosing code block languages. - Many additional subtle usability improvements to compose typeahead. - Adjusted permissions to only allow administrators to override unicode emoji with a custom emoji of the same name. - New "Manage this user" option in user profile popovers simplifies moderation. - New automated notifications when changing global stream settings like description and message retention policy. - Drafts are now advertised more prominently, in the left sidebar. - Drafts and message edit history now correctly render widgets like spoilers and global times. - Improved the tooltip formatting for global times. - LDAP userAccountControl logic now supports FreeIPA quirks. - Fixed a problem where self-hosted servers that permuted the IDs of their users by using the data export/import tools might send mobile push notifications to the wrong devices. - Fixed various bugs resulting in missing translations; most importantly in the in-application search/markdown/hotkeys help widgets. - Fixed several bugs that prevented browser undo from working in the compose box. - Fixed search typeahead not working once you've added a full-text keyword. - Fixed linkifier validation to prevent invalid linkifiers. - Fixed `Ctrl+.` shortcut not working correctly with empty topics. - Fixed numerous corner case bugs with email and mobile push notifications. - Fixed a bug resulting in long LaTeX messages failing to render. - Fixed buggy logic displaying users' last active time. - Fixed confusing "delete stream" language for archiving streams. - Fixed exceptions in races involving messages being deleted while processing a request to add emoji reactions, mark messages as read, or sending notifications. - Fixed most remaining 500 errors seen in Zulip Cloud (these were already quite rare, so this process involved debugging several rare races, timeouts, and error handling bugs.). - Fixed subtle bugs involving composing messages to deactivated users. - Fixed subtle bugs with reloading the page while viewing settings with "Recent topics" as the default view. - Fixed bug where pending email notifications could be lost when restarting the Zulip server. - Fixed "require topics" setting not being enforced for API clients. - Fixed several subtle Markdown rendering bugs. - Fixed several bugs with message edit history and stream/topic moves. - Fixed multiple subtle bugs that could cause compose box content to not be properly saved as drafts in various situations. - Fixed several server bugs involving rare race conditions. - Fixed a bug where different messages in search results would be incorrectly shown with a shared recipient bar despite potentially not being temporally adjacent. - Fixed lightbox download button not working with the S3 upload backend. - Increased default retention period before permanently removing deleted messages from 7 days to 30 days. - Rate limiting now supports treating all Tor exit nodes as a single IP. - Changed "From" header in invitation emails to no longer include the name of the user who sent the invitation, to prevent anti-phishing software from flagging invitations. - Added support for uploading animated PNGs as custom emoji. - Renamed "Night mode" to "Dark theme". - Added the mobile app's notification sound to desktop sound options, as "Chime". - Reworked the `manage.py help` interface to hide Django commands that are useless or harmful to run on a production system. Also deleted several useless management commands. - Improved help and functionality of several management commands. New create_realm management command supports some automation workflows. - Added `RealmAuditLog` logging for most administrative actions that were previously not tracked. - Added automated testing of the upgrade process from previous releases, to reduce the likelihood of problems upgrading Zulip. - Attempting to "upgrade" to an older version now gives a clear error message. - Optimized critical parts of the message sending code path for large organizations. - Optimized creating streams in very large organizations. - Certain unprintable Unicode characters are no longer permitted in topic names. - Added IP-based rate limiting for unauthenticated requests. - Added documentation for Zulip's rate-limiting rules. - Merged the API endpoints for a user's personal settings into the /settings endpoint with a cleaner interface. - The server API now supports marking messages as unread, allowing this upcoming mobile app feature to work with Zulip 5.0. - Added to the API most page-load parameters used by the web app application that were missing from the `/register` API. - Simplified the infrastructure for rendering API documentation so that only a few pages require Markdown templates in addition to the OpenAPI specification file. - Corrected many minor issues with the API documentation. - Major improvements to both the infrastructure and content for Zulip's ReadTheDocs documentation for contributors and sysadmins. - Major improvements to the mypy type-checking, discovered via using the django-stubs project to get Django stubs. - Renamed main branch from `master` to `main`. ## Zulip 4.x series ### 4.11 -- 2022-03-15 - CVE-2022-24751: Zulip Server 4.0 and above were susceptible to a race condition during user deactivation, where a simultaneous access by the user being deactivated may, in rare cases, allow continued access by the deactivated user. This access could theoretically continue until one of the following events happens: - The session expires from memcached; this defaults to two weeks, and is controlled by SESSION_COOKIE_AGE in /etc/zulip/settings.py - The session cache is evicted from memcached by other cached data. - The server is upgraded, which clears the cache. - Updated translations. ### 4.10 -- 2022-02-25 - CVE-2022-21706: Reusable invitation links could be improperly used for other organizations. - CVE-2021-3967: Enforce that regenerating an API key must be done with an API key, not a cookie. Thanks to nhiephon (twitter.com/\_nhiephon) for their responsible disclosure of this vulnerability. - Fixed a bug with the `reindex-textual-data` tool, where it would sometimes fail to find the libraries it needed. - Pin PostgreSQL to 10.19, 11.14, 12.9, 13.5 or 14.1 to avoid a regression which caused deploys with PGroonga enabled to unpredictably fail database queries with the error `variable not found in subplan target list`. - Fix ARM64 support; however, the wal-g binary is not yet supported on ARM64 (zulip/zulip#21070). ### 4.9 -- 2022-01-24 - CVE-2021-43799: Remote execution of code involving RabbitMQ. - Closed access to RabbitMQ port 25672; initial installs tried to close this port, but failed to restart RabbitMQ for the configuration. - Removed the `rabbitmq.nodename` configuration in `zulip.conf`; all RabbitMQ instances will be reconfigured to have a nodename of `zulip@localhost`. You can remove this setting from your `zulip.conf` configuration file, if it exists. - Added missing support for the Camo image proxy in the Docker image. This resolves a longstanding issue with image previews, if enabled, appearing as broken images for Docker-based installs. - Fixed a bug which allowed a user to edit a message to add a wildcard mention when they did not have permissions to send such messages originally. - Fixed a bug in the tool that corrects database corruption caused by updating the operating system hosting PostgreSQL, which previously omitted some indexes from its verification. If you updated the operating system of your Zulip instance from Ubuntu 18.04 to 20.04, or from Debian 9 to 10, you should run the tool, even if you did so previously; full details and instructions are available in the previous blog post. - Began routing requests from the Camo image proxy through a non-Smokescreen proxy, if one is configured; because Camo includes logic to deny access to private subnets, routing its requests through Smokescreen is generally not necessary. - Fixed a bug where changing the Camo secret required running `zulip-puppet-apply`. - Fixed `scripts/setup/compare-settings-to-template` to be able to run from any directory. - Switched Let's Encrypt renewal to use its own timer, rather than our custom cron job. This fixes a bug where occasionally `nginx` would not reload after getting an updated certificate. - Updated documentation and tooling to note that installs using `upgrade-zulip-from-git` require 3 GB of RAM, or 2 GB and at least 1 GB of swap. ### 4.8 -- 2021-12-01 - CVE-2021-43791: Zulip could fail to enforce expiration dates on confirmation keys, allowing users to potentially use expired invitations, self-registrations, or realm creation links. - Began installing Smokescreen to harden Zulip against SSRF attacks by default. Zulip has offered Smokescreen as an option since Zulip 4.0. Existing installs which configured an outgoing proxy which is not on `localhost:4750` will continue to use that; all other installations will begin having a Smokescreen installation listening on 127.0.0.1, which Zulip will proxy traffic through. The version of Smokescreen was also upgraded. - Replaced the camo image proxy with go-camo, a maintained reimplementation that also protects against SSRF attacks. This server now listens only on 127.0.0.1 when it is deployed as part of a standalone deployment. - Began using camo for images displayed in URL previews. This improves privacy and also resolves an issue where an image link to a third party server with an expired or otherwise invalid SSL certificate would trigger a confusing pop-up window for Zulip Desktop users. - Fixed a bug which could cause Tornado to shut down improperly (causing an immediate full-page reload for their clients) when restarting a heavily loaded Zulip server. - Updated Python dependencies. - Truncated large “remove” mobile notification events so that marking hundreds of private messages or other notifiable messages as read at once won’t exceed Apple’s 4 KB notification size limit. - Slack importer improvements: - Ensured that generated fake email addresses for Slack bots are unique. - Added support for importing Slack exports from a directory, not just a .zip file. - Provided better error messages with invalid Slack tokens. - Added support for non-ASCII Unicode folder names on Windows. - Add support for V3 Pagerduty webhook. - Updated documentation for Apache SSO, which now requires additional configuration now that Zulip uses a C extension (the `re2` module). - Fixed a bug where an empty name in a SAML response would raise an error. - Ensured that `deliver_scheduled_emails` and `deliver_scheduled_messages` did not double-deliver if run on multiple servers at once. - Extended Certbot troubleshooting documentation. - Fixed a bug in soft deactivation catch-up code, in cases where a race condition had created multiple subscription deactivation entries for a single user and single stream in the audit log. - Updated translations, including adding a Sinhala translation. ### 4.7 -- 2021-10-04 - CVE-2021-41115: Prevent organization administrators from affecting the server with a regular expression denial-of-service attack through linkifier patterns. ### 4.6 -- 2021-09-23 - Documented official support for Debian 11 Bullseye, now that it is officially released by Debian upstream. - Fixed installation on Debian 10 Buster. Upstream infrastructure had broken the Python `virtualenv` tool on this platform, which we've worked around for this release. - Zulip releases are now distributed from https://download.zulip.com/server/, replacing the old `www.zulip.org` server. - Added support for LDAP synchronization of the `is_realm_owner` and `is_moderator` flags. - `upgrade-zulip-from-git` now uses `git fetch --prune`; this ensures `upgrade-zulip-from-git master` with return an error rather than using a stale cached version of the `master` branch, which was renamed to `main` this month. - Added a new `reset_authentication_attempt_count` management command to allow sysadmins to manually reset authentication rate limits. - Fixed a bug that caused the `upgrade-postgresql` tool to incorrectly remove `supervisord` configuration for `process-fts-updates`. - Fixed a rare migration bug when upgrading from Zulip versions 2.1 and older. - Fixed a subtle bug where the left sidebar would show both old and new names for some topics that had been renamed. - Fixed incoming email gateway support for configurations with the `http_only` setting enabled. - Fixed issues where Zulip's outgoing webhook, with the Slack-compatible interface, had a different format from Slack's documented interface. - The installation and upgrade documentations now show the latest release's version number. - Backported many improvements to the ReadTheDocs documentation. - Updated translation data from Transifex. ### 4.5 -- 2021-07-25 - Added a tool to fix potential database corruption caused by host OS upgrades (was listed in 4.4 release notes, but accidentally omitted). ### 4.4 -- 2021-07-22 - Fixed a possible denial-of-service attack in Markdown fenced code block parsing. - Smokescreen, if installed, now defaults to only listening on 127.0.0.1; this prevents it from being used as an open HTTP proxy if it did not have other firewalls protecting incoming port 4750. - Fixed a performance/scalability issue for installations using the S3 file uploads backend. - Fixed a bug where users could turn other users’ messages they could read into widgets (e.g. polls). - Fixed a bug where emoji and avatar image requests were sent through Camo; doing so does not add any security benefit, and broke custom emoji that had been imported from Slack in Zulip 1.8.1 or earlier. - Changed to log just a warning, instead of an exception, in the case that the `embed_links` worker cannot fetch previews for all links in a message within the 30-second timeout. Each preview request within a message already has a 15-second timeout. - Ensured `psycopg2` is installed before starting `process_fts_updates`; otherwise, it might fail to start several times before the package was installed. - Worked around a bug in supervisor where, when using SysV init, `/etc/init.d/supervisor restart` would only have stopped, not restarted, the process. - Modified upgrade scripts to better handle failure, and suggest next steps and point to logs. - Zulip now hides the “show password” eye icon that IE and Edge browsers place in password inputs; this duplicated the already-present JavaScript-based functionality. - Fixed “OR” glitch on login page if SAML authentication is enabled but not configured. - The `send_test_email` management command now shows the full SMTP conversation on failure. - Provided a `change_password` management command which takes a `--realm` option. - Fixed `upgrade-zulip-from-git` crashing in CSS source map generation on 1-CPU systems. - Added an `auto_signup` field in SAML configuration to auto-create accounts upon first login attempt by users which are authenticated by SAML. - Provided better error messages when `puppet_classes` in `zulip.conf` are mistakenly space-separated instead of comma-separated. - Updated translations for many languages. ### 4.3 -- 2021-06-02 - Fixed exception when upgrading older servers with the `JITSI_SERVER_URL` setting set to `None` to disable Jitsi. - Fixed GIPHY integration dropdown appearing when the server doesn't have a GIPHY API key configured. - The GIPHY API library is no longer loaded for users who are not actively using the GIPHY integration. - Improved formatting for Grafana integration. - Fixed previews of Dropbox image links. - Fixed support for storing avatars/emoji in non-S3 upload backends. - Fixed an overly strict database constraint for code playgrounds. - Tagged user status strings for translation. - Updated translation data from Transifex. ### 4.2 -- 2021-05-13 - Fixed exception in purge-old-deployments when upgrading on a system that has never upgraded using Git. - Fixed installation from a directory readable only by root. ### 4.1 -- 2021-05-13 - Fixed exception upgrading to the 4.x series from older releases. ### 4.0 -- 2021-05-13 #### Highlights - Code blocks now have a copy-to-clipboard button and can be integrated with external code playgrounds, making it convenient to work with code while discussing it in Zulip. - Added a new organization [Moderator role][roles-and-permissions]. Many permissions settings for sensitive features now support only allowing moderators and above to use the feature. - Added a native Giphy integration for sending animated GIFs. - Added support for muting another user. - "Recent topics" is no longer beta, no longer an overlay, supports composing messages, and is now the default view. The previous default view, "All messages", is still available, and the default view can now be configured via "Display settings". - Completed API documentation for Zulip's real-time events system. It is now possible to write a decent Zulip client with minimal interaction with the Zulip server development team. - Added new organization settings: wildcard mention policy. - Integrated [Smokescreen][smokescreen], an outgoing proxy designed to help protect against SSRF attacks; outgoing HTTP requests that can be triggered by end users are routed through this service. We recommend that self-hosted installations configure it. - This release contains more than 30 independent changes to the [Zulip API](https://zulip.com/api/changelog), largely to support new features or make the API (and thus its documentation) clearer and easier for clients to implement. Other new API features support better error handling for the mobile and terminal apps. - The frontend internationalization library was switched from i18next to FormatJS. - The button for replying was redesigned to show the reply recipient and be more obvious to users coming from other chat apps. - Added support for moving topics to private streams, and for configuring which roles can move topics between streams. [roles-and-permissions]: https://zulip.com/help/roles-and-permissions #### Upgrade notes for 4.0 - Changed the Tornado service to use 127.0.0.1:9800 instead of 127.0.0.1:9993 as its default network address, to simplify support for multiple Tornado processes. Since Tornado only listens on localhost, this change should have no visible effect unless another service is using port 9800. - Zulip's top-level puppet classes have been renamed, largely from `zulip::foo` to `zulip::profile::foo`. Configuration referencing these `/etc/zulip/zulip.conf` will be automatically updated during the upgrade process, but if you have a complex deployment or you maintain `zulip.conf` is another system (E.g. with the [manual configuration][docker-zulip-manual] option for [docker-zulip][docker-zulip]), you'll want to manually update the `puppet_classes` variable. - Zulip's supervisord configuration now lives in `/etc/supervisor/conf.d/zulip/` - Consider enabling [Smokescreen][smokescreen] - Private streams can no longer be default streams (i.e. the ones new users are automatically added to). - New `scripts/start-server` and `scripts/stop-server` mean that one no longer needs to use `supervisorctl` directly for these tasks. - As this is a major release, we recommend [carefully updating the inline documentation in your `/etc/zulip/settings.py`][update-settings-docs]. Notably, we rewrote the template to be better organized and more readable in this release. - The web app will now display a warning in the UI if the Zulip server has not been upgraded in more than 18 months. template to be better organized and more readable. - The next time users log in to Zulip with their password after upgrading to this release, they will be logged out of all active browser sessions (i.e. the web and desktop apps). This is a side effect of improved security settings (increasing the minimum entropy used when salting passwords from 71 bits to 128 bits). - We've removed the partial Thumbor integration from Zulip. The Thumbor project appears to be dead upstream, and we no longer feel comfortable including it in Zulip from a security perspective. We hope to introduce a fully supported thumbnailing integration in our next major release. [docker-zulip-manual]: https://github.com/zulip/docker-zulip#manual-configuration [smokescreen]: ../production/deployment.md#customizing-the-outgoing-http-proxy [update-settings-docs]: ../production/upgrade.md#updating-settingspy-inline-documentation #### Full feature changelog - Added new [release lifecycle documentation](release-lifecycle.md). - Added support for subscribing another stream's membership to a stream. - Added RealmAuditLog for most settings state changes in Zulip; this data will facilitate future features showing a log of activity by a given user or changes to an organization's settings. - Added support for using Sentry for processing backend exceptions. - Added documentation for using `wal-g` for continuous PostgreSQL backups. - Added loading spinners for message editing widgets. - Added live update of compose placeholder text when recipients change. - Added keyboard navigation for popover menus that were missing it. - Added documentation for all [zulip.conf settings][zulip-conf-settings]. - Added dozens of new notification sound options. - Added menu option to unstar all messages in a topic. - Added confirmation dialog before unsubscribing from a private stream. - Added confirmation dialog before deleting your profile picture. - Added types for all parameters in the API documentation. - Added API endpoint to fetch user details by email address. - Added API endpoint to fetch presence details by user ID. - Added new LDAP configuration options for servers hosting multiple organizations. - Added new `@**|user_id**` mention syntax intended for use in bots. - Added preliminary support for Zulip on Debian 11; this release is expected to support Debian 11 without any further changes. - Added several useful new management commands, including `change_realm_subdomain` and `delete_user`. - Added support for subscribing all members of a user group to a stream. - Added support for sms: and tel: links. - Community topic editing time limit increased to 3 days for members. - New integrations: Freshping, Jotform, UptimeRobot, and a JSON formatter (which is particularly useful when developing a new integration). - Updated integrations: Clubhouse, NewRelic, Bitbucket, Zabbix. - Improved formatting of GitHub and GitLab integrations. - Improved the user experience for multi-user invitations. - Improved several rendered-message styling details. - Improved design of `