# Version history

This page contains the release history for the Zulip 8.x stable release series. See the [current Zulip changelog][latest-changelog] for newer release series, or the [commit log][commit-log] for an up-to-date list of all changes.

## Zulip Server 8.x series

### Zulip Server 8.2

_Released 2024-02-16_

- Fixed an error reporting bug that caused an email to be sent to the server administrator each time that the server had a failed attempt to send a mobile push notification. This bug could cause a lot of error emails on servers that are registered with the [Mobile Push Notification Service][mobile-push], but are not signed up for a plan that includes access to this service, or not [uploading basic metadata][mobile-push-metadata] required to verify eligibility for free access to the service.
- Fixed several scroll position bugs encountered when entering a conversation view, most importantly when opening a direct message conversation.
- Fixed a minor bug in the organization settings UI.
- Improved rate-limiting logic to avoid errors when loading the app for some users.
- Adjusted memory usage configuration to reduce memory usage to avoid OOM kills on systems with close to 4GiB of RAM, and require less tuning for larger systems.
- Upgraded dependencies.
- Updated translations.

### Zulip Server 8.1

_Released 2024-01-24_

- CVE-2024-21630: Zulip version 8.0 and its betas had a bug affecting an unlikely permissions configuration where some user roles had permission to create reusable invitation links to join the organization, but lacked the permission to subscribe other users to streams. A user with such a role could incorrectly create an invitation link that subscribes new users to streams. This vulnerability is similar to CVE-2023-32677, but applies to multi-use invitations, not single-user invites.
- Fixed a fault-tolerance bug, where failing outgoing email authentication could cause other queue workers to not progress properly on low-memory Zulip servers.
- Added support for using PostgreSQL 16 as the database. See the PostgreSQL upgrade documentation if you’re interested in upgrading an existing server to newer Postgres.
- Added support for explicitly deactivating a mobile push notifications registration.
- Added support for a new class of custom authentication hook.
- Improved the workflow for sending password reset emails to users imported from another chat app.
- Improved the file uploads integration to be compatible with S3 alternatives that use a different URL addressing style.
- Improved the Terms of Service/Privacy Policy settings if no policies sidebar is configured.
- Fixed a bug preventing the incoming email integration from mentioning groups that everyone is allowed to mention.
- Fixed the data import tool crashing when processing delivered scheduled messages.
- Fixed buggy tooltips in the push notifications column of notification settings.
- Fixed minor UI bugs with the user group settings panel.
- Fixed minor UI bugs with the new compose box buttons.
- Fixed minor UI bugs with limiting guest user access to other users.
- Fixed incorrect alert words color in the dark theme.
- Fixed a few subtle bugs with the Zulip plan management login flow.
- Fixed a live-update bug involving user statuses enabled via the API.
- Fixed a configuration problem preventing the logrotate service from starting.
- Fixed a layout bug for the mobile help center navbar area affecting some servers.
- Fixed Slack data import tool corner cases involving shared users.
- Fixed mentions being incorrectly converted to silent mentions in DMs with bot users.
- Fixed an unexploitable HTML injection bug in the typeahead for configuring custom code playgrounds.
- Improved in-app documentation for following topics.
- Backported several documentation improvements.

### Zulip Server 8.0

_Released 2023-12-15_

#### Highlights

- New Inbox view shows all unread messages in a conveniently browsable experience, similar to the mobile home screen.
  It is an option for the user's home view.
- Added support for following a topic, with configurable notification settings for followed topics and flexible configuration options to automatically follow topics when sending a message or otherwise interacting with it, or when mentioned. New `Shift + N` keyboard shortcut navigates to the next unread followed topic.
- Added support for limiting user list access for guests.
- New @topic mentions support mentioning only users who have participated in a topic by sending a message or emoji reaction.
- Typing notifications now support streams with 100 or fewer subscribers.
- Clicking on a message in search views now directly takes the user to the target message, instead of starting a reply, since it's rare one wants to reply without full context.
- The left sidebar now allows collapsing the global views for users who want more space for streams and conversations.
- Added new unread count display style setting, controlling in which streams to display a numeric unread count or a simple dot unread indicator. Defaults to numeric counts in normal streams, but a dot indicator in muted streams.
- Added support for creating voice calls.
- Major visual design improvements in the message feed, search area/navbar, and left sidebar. The gear menu was replaced with three new redesigned menus: A help menu, a personal/avatar menu, and a more focused gear menu.
- Added thumbnails and lightbox player support for video links and video files uploaded directly in Zulip. Previously, Zulip only supported this for videos hosted by third-party platforms that provide an embedded player, like YouTube and Vimeo.
- The compose area was redesigned, with new formatting buttons for most message formatting features, including polls. Improved pasting URLs with text selected. Topic typeahead now indicates whether one would be creating a new topic, and user typeahead now shows pronouns if a pronoun custom profile field is configured.
#### Full feature changelog

- Redesigned the "invite users" modal to be more user-friendly.
- Redesigned file upload, including a cancel button, better drag-and-drop support, better message-edit handling, and many bug fixes.
- Redesigned managing groups to use a side-by-side panel UI similar to stream settings. This is an important step towards our upcoming support for groups-based permissions.
- Redesigned how very tall messages are condensed.
- Redesigned email confirmation page.
- Redesigned various settings panels to remove clutter and simplify the user experience.
- The LDAP integration now supports syncing user groups.
- The SCIM integration now supports syncing user roles.
- The recent view now indicates the date range it is displaying, and supports fetching more conversations and sorting by unread count.
- Added support for printing a message feed as a lightweight conversation export experience.
- Added support for muting bot users.
- Added support for multi-character emoji sequences and other modern emoji; Twitter emojiset now backfills missing emoji from the Google emojiset just like the Google blobs emojiset does.
- Added user profile tab for administrators to edit the profile.
- Added support for subscribing users in user profile streams tab.
- Added new permissions setting for who can create reusable invitation links.
- Added new setting for whether guest users should be displayed with "(guest)" appended to their name to highlight their status.
- Added new setting to configure the Jitsi server URL to use.
- Added new settings warnings for making a stream private that one is not subscribed to, and for archiving a stream used for automated notifications.
- Added new wizard for creating incoming webhook integration URLs.
- Added bulk-delete UI for drafts.
- Added new API endpoint for sending a test push notification, to support an upcoming mobile feature.
  Realms now have a UUID sent to the push notifications service to simplify migrating via export/import into a different server.
- Display settings was renamed to Preferences.
- "Default view" was renamed to "home view".
- The manage streams UI has a cleaner design for changing subscriptions, can now directly manage default streams, and has a cleaner UI for managing notification settings.
- Linkifiers and code playgrounds now use RFC 6570 compliant URL templates to specify the target URL.
- Linkifiers are now processed in a defined, editable order.
- Scheduled messages are now displayed when viewing the conversation where they will be sent.
- Message edit history has a Shift+H keyboard shortcut and is now accessed via the mouse exclusively by clicking on EDITED/MOVED notices, simplifying the main message actions popover.
- Users can now delete messages sent by bots that they control as though they had sent the message themselves.
- Simplified and clarified recipient bar inline topic editing.
- The compose/edit interfaces now disable formatting buttons in preview mode.
- The organization creation form now explicitly asks the user to choose a default language for the organization.
- Improved design for /todo widgets.
- Improved defaults for which portion of a topic to move when moving messages.
- Improved semantics and explanations of reactivating previously deactivated bot users.
- Improved over 100 help center articles, adding mobile documentation for many common workflows and a new indexing system for message formatting documentation.
- Improved onboarding hints for steps one might want to take before inviting users.
- Improved display for uploaded images that had been deleted.
- Improved content and styling for many tooltips across the web application, including several new "Copied!" tooltips.
- Improved configurability of outgoing email sender names.
- Improved the ability of a self-hosted server to tell the mobile apps whether mobile push notifications are working.
- Improved integrations: CircleCI, Gitea, GitHub, GitLab, Sentry. Regenerated integration screenshots to show the current visual design.
- Webhook integrations now return a 200 success status code when processing requests that match the format for an integration but where the specific event type is not implemented.
- New /health health check endpoint designed for reverse proxies in front of the Zulip server.
- Rewrote all popovers, fixing many bugs involving positioning, mobile web UI, and keyboard navigation.
- Rewrote message feed layout using CSS grid, fixing many subtle layout bugs.
- Fixed dozens of rare exceptions in the web application.
- Fixed email notifications incorrectly containing extra context messages when subscribed to email notifications for a stream.
- Fixed several longstanding performance issues both in the web application and the server, and a small memory leak.
- Fixed several subtle bugs in error reporting internals.
- Fixed multiple subtle deadlocks in database locking code.
- Fixed several subtle bugs in the compose box.
- Fixed LaTeX being misrendered in desktop, email and push notifications.
- Fixed several subtle internationalization bugs.
- Fixed multiple subtle linkification bugs.
- Fixed many subtle bugs in settings.
- Fixed nginx configuration for HTTP/3.
- Added explicit SAML configuration documentation for Authentik.
- Clarified dozens of ambiguous details and minor errors in API documentation.
- Reworked the main database indexes used to fetch messages.
- Reimplemented the internals of the audit logging system.
- Many structural improvements to the permission settings internals working towards permission settings being group-based.
- Many structural improvements to the web app codebase.
  About 25% of the web codebase is now TypeScript, most of the legacy Bootstrap code has been deleted, and most import cycles have been cut.
- Added new request parsing framework based on Pydantic 2.
- Upgraded many dependencies.

#### Upgrade notes for 8.0

- Installations using the [Mobile Push Notifications Service][mobile-push] now regularly upload [basic metadata][mobile-push-metadata] about the organizations hosted by the installation to the Mobile Push Notifications Service. Previously, basic metadata was uploaded only when uploading usage statistics was also enabled via the `SUBMIT_USAGE_STATISTICS` setting.
- This release contains several expensive migrations, most notably `0472_add_message_realm_id_indexes.py`, `0485_alter_usermessage_flags_and_add_index.py`, and `0486_clear_old_data_for_unused_usermessage_flags.py`. Migration `0486`, in particular, cleans up stale data that should only be present on Zulip servers that were originally installed with Zulip 1.3.x or older. If your server has millions of messages, plan for the migrations in this release to take 15 minutes or more to complete.
- Minor: User group names starting with `@`, `role:`, `user:`, and various other special patterns are now forbidden. In the unlikely event that existing user groups have names matching these patterns, they will be automatically renamed on upgrade.
- The behavior of the `AUTH_LDAP_ADVANCED_REALM_ACCESS_CONTROL` setting has subtly changed. Previously, using this setting at all would block LDAP authentication in organizations that are configured to use LDAP authentication but not explicitly configured with advanced access controls. This behavior was removed to simplify hosting multiple organizations with different LDAP configuration preferences.

[mobile-push-metadata]: ../production/mobile-push-notifications.md#uploading-usage-statistics

## Zulip Server 7.x series

### Zulip Server 7.5

_Released 2023-11-16_

- CVE-2023-47642: Invalid metadata access for formerly subscribed streams.
  It was discovered by the Zulip development team that active users who had previously been subscribed to a stream incorrectly continued being able to use the Zulip API to access metadata for that stream. As a result, users who had been removed from a stream, but still had an account in the organization, could still view metadata for that stream (including the stream name, description, settings, and an email address used to send emails into the stream via the incoming email integration). This potentially allowed users to see changes to a stream’s metadata after they had lost access to the stream. This bug was present in all Zulip releases prior to Zulip Server 7.5.
- Fixed a bug where [backups](../production/export-and-import.md#backups) might be written using `postgresql-client-16`, which could not be straightforwardly restored into a Zulip instance, as the format is not backwards-compatible, and Zulip does not yet support PostgreSQL 16.
- Renamed the `reactivate_stream` management command to `unarchive_stream`, to match terminology in the app, and [documented it](https://zulip.com/help/archive-a-stream#unarchiving-archived-streams).
- Fixed a regression, introduced in 6.0, where users created via the API or LDAP would have English set as their language, ignoring the configured realm default.
- Improved [documentation on `AUTH_LDAP_ADVANCED_REALM_ACCESS_CONTROL`](../production/authentication-methods.md#restricting-ldap-user-access-to-specific-organizations).
- Improved error messages for subdomains being reserved versus being in use.
- Upgraded Python dependencies.

### Zulip Server 7.4

_Released 2023-09-15_

- CVE-2023-4863: Upgrade vulnerable `libwebp` dependency.
- Fixed a left sidebar layout bug affecting languages like Russian with very long translations of certain menu items.
- Fixed a bug in the reverse proxy misconfiguration warnings introduced in 7.2.
- Fixed a bug causing some exception report emails generated by the Zulip server to be unpleasantly verbose.
- Fixed the compose area “Enter sends” configuration incorrectly advertising “Enter” instead of “Return” on macOS systems.
- Fixed a CSS bug in the password reset form introduced in 7.3.
- Improved troubleshooting guide discussion of restarting services.
- Upgraded dependencies.

### Zulip Server 7.3

_Released 2023-08-25_

- CVE-2023-32678: Users who used to be subscribed to a private stream, and have since been removed from it, retained the ability to edit messages/topics and delete messages that they used to have access to, if other relevant organization permissions allowed these actions. For example, a user may have still been able to edit or delete their old messages they had posted in such a private stream.
- Fixed a bug, introduced in Zulip Server 7.0, which would cause uploaded files attached to some messages to be mistakenly deleted after some, but not all, messages linking to the uploaded file were deleted by the user. See our [blog post](https://blog.zulip.com/2023/08/25/uploaded-file-data-loss-incident/) for more details.
- Fixed a bug, introduced in Zulip Server 7.2 in the [operating system upgrade process](../production/upgrade.md#upgrading-the-operating-system), which would cause errors of the form `venv was not set up for this Python version`.
- Fixed a bug, introduced in Zulip Server 7.2, when the [email gateway](../production/email-gateway.md) was used in conjunction with a [reverse proxy](../production/reverse-proxies.md).
- Improved the performance of [resolving](https://zulip.com/help/resolve-a-topic) or [moving](https://zulip.com/help/move-content-to-another-topic) long topics.
- Fixed bad rendering of stream links in [stream descriptions](https://zulip.com/help/change-the-stream-description).
- Fixed broken and misaligned images in Zulip welcome emails.
- Fixed YouTube video previews to be ordered in the order they are linked, not reverse order.
- Upgraded Python requirements.
- Updated puppet dependencies.
- Improved the [Sentry integration](https://zulip.com/integrations/doc/sentry), including making the “Test plugin” button in Sentry work properly.
- Reduced memory usage by replacing a custom error reporting handler with the default Django implementation. This will result in a slight change in the format of server exception emails. Such emails should be rare in most self-hosted systems; installations with a large amount of server exception volume should be using the [Sentry integration](../subsystems/logging.md#sentry-error-logging).
- Updated the [data export tool](../production/export-and-import.md#data-export) to handle bots created in very early versions of Zulip Server.
- Fixed a bug with the [data export tool](../production/export-and-import.md#data-export) and deleted users in group DMs.
- Added a `./manage.py reactivate-stream` command to reactivate archived streams.
- Fixed links in the documentation to [Modify Zulip](../production/modify.md) and [Upgrade Zulip](../production/upgrade.md) pages.
- Linked the documentation on how to [host multiple Zulip](../production/multiple-organizations.md) organizations on one server.
- Fixed missing images in documentation for the [“XKCD” bot](https://zulip.com/integrations/doc/xkcd).
- Fixed “Back to login page” button alignment in the desktop app.
- Added a reference to [PostgreSQL upgrades](../production/upgrade.md#upgrading-postgresql) in the [release upgrade](../production/upgrade.md#upgrading-to-a-release) section.
- Clarified that PostgreSQL versions must match in the "[Restoring backups](../production/export-and-import.md#restoring-backups)" section, and explained how to do that.
- Reformatted Changelog.

### Zulip Server 7.2

_Released 2023-07-05_

- Started logging more accurate, detailed, and actionable error messages when [common reverse proxy misconfigurations][proxies] are detected.
- Improved [reverse proxy documentation][proxies] to clarify that trust of `X-Forwarded-Proto` is also necessary.
- Removed [reverse proxy][proxies] nginx configuration files when the [`loadbalancer.ips`](../production/system-configuration.md#ips) setting has been unset.
- Improved error-handling of scheduled emails, so they cannot attempt infinite deliveries of a message with no recipients.
- Fixed a bug with the [PGroonga integration](../subsystems/full-text-search.md#multi-language-full-text-search) that would cause the PostgreSQL server to crash when a search was run.
- Fixed a bug that would cause some messages not to be marked as read.
- Fixed a bug that still showed file-upload banners after re-opening the compose box.
- Fixed a bug that prevented file uploads with very unusual file names.
- Adjusted the bot icon to make it more visible on the light theme.
- Fixed minor rendering issues on the “press enter to send” indicator.
- Fixed the scrollbar behavior on the stream settings page.
- Improved error reporting when a Slack token fails to validate during [import](https://zulip.com/help/import-from-slack#export-your-slack-data), such as a token having too few permissions.
- Added support for IPv6 [nameservers in the nginx configuration](../production/system-configuration.md#nameserver).
- Updated translations.

[proxies]: ../production/reverse-proxies.md#configuring-zulip-to-trust-proxies

### Zulip Server 7.1

_Released 2023-06-13_

- Added checks that Zulip is being installed on a [supported CPU and OS architecture](../production/requirements.md).
- Improved error-handling around the [`upgrade-postgresql`](../production/upgrade.md#upgrading-postgresql) tool.
- Fixed a couple of bugs in database migrations as part of the upgrade that could cause the upgrade to fail to complete.
- Fixed a bug where [scheduled messages](https://zulip.com/help/schedule-a-message) with `@all` would fail to send.
- Fixed a bug which would sometimes cause the `j` and `k` keys to not be able to be typed in the compose box.
- Fixed anonymous access to the “download” link on images in [public-access streams](https://zulip.com/help/public-access-option).
- Changed the default DNS resolver in nginx’s configuration to match the system’s; this fixes deployments which use the [S3 storage backend](../production/upload-backends.md) and did not run `systemd-resolved`, like Docker and some versions of Debian.
- Updated several pieces of documentation.
- Updated translations, including new translations for Luri (Bakhtiari), Brazilian Portuguese, and Tagalog.

### Zulip Server 7.0

_Released 2023-05-31_

#### Highlights

- Many significant visual changes as part of Zulip's ongoing redesign project, including message feed headers, background color, mention colors, dates and times, compose box banners, icons, and tooltips. Many further improvements are planned for future releases.
- Added support for unmuting a topic in a muted stream, previously the 4th most upvoted GitHub issue.
- Redesigned the permissions settings for message editing, topic editing, and moving topics to have a cleaner model.
- New compose box features: Scheduling a message to be sent later, a nicer stream picker, and the ability to switch between stream and private messages.
- Numerous improvements to the Help Center, including documentation for how to complete many common tasks in the Zulip mobile apps.
- Redesigned the interface and permissions model for moving topics to be independent from message content editing, providing a cleaner experience and better configurability.
- Renamed "Private messages" to "Direct messages" across the user interface, including search operators. We expect further API changes to be integrated gradually over coming releases due to backwards compatibility considerations.
- Added a new personal privacy setting for the extent to which the user's email address should be shared with other users in the organization; previously this was solely controlled by organization administrators.
  This is presented to the user during account creation, including for users imported from other chat products.
- Added support for the upcoming Debian 12 release.

#### Full feature changelog

- Added full support for using JWT authentication to integrate Zulip with another application.
- Added support for SAML Single-Logout initiated by the Zulip server (SP-initiated Single Logout).
- Added new stream setting controlling which users can remove other subscribers from the stream.
- Added new setting to control when messages are marked as read when scrolling.
- Added notification bot messages when another user adds you to or removes you from a user group.
- Added additional confirmation dialogs for actions deserving caution, including marking all messages as read, removing the last user from a private stream, and disabling all notifications for direct messages.
- Added support for Postgres 15, and removed support for Postgres 11.
- Added new `z` keyboard shortcut to view a message in context.
- Added new `=` keyboard shortcut to upvote an existing emoji reaction.
- Changed the `s` keyboard shortcut to be a toggle, replacing the previous model that required both `s` and `S` keyboard shortcuts.
- Clarified automated notifications when moving and resolving topics.
- New webhook integrations: Rundeck.
- Reworked linkifiers to use URL templates for the URL patterns.
- Improved left sidebar to show more topics within the current stream, and more private message conversations, especially when many are unread.
- Reworked the internals of the main message feed scrollbar, fixing several longstanding bugs.
- Improved many interaction details in the settings subsystem, including how files are uploaded, hover behaviors, etc.
- Improved the logged out experience to suggest logging in to see more streams in the left sidebar.
- Improved many subtle details of compose box autocomplete, file uploads, and error handling. Browser undo now works more consistently in the compose box.
- Improved subscriber management in stream settings to support sorting users and seeing their user cards after a click.
- Improved previously unspecified behavior when multiple overlapping linkifiers applied to syntax within a message.
- Improved subject lines for email notifications in topics that have been resolved so that email clients will thread them with the pre-resolution topic.
- Improved how the Slack data import tool handles Slack threads.
- Improved the Slack incoming integration's handling of fancier Slack syntax.
- Improved notification format for most Git integrations.
- Improved onboarding emails with better content and links to guides.
- Improved how uploaded files are served with the S3 file uploads backend to better support browser caching.
- Improved the instructions for data imports from third-party tools to be much more detailed.
- Improved the web application's main loading indicator.
- Improved the visuals of todo and poll widgets.
- Improved the content of onboarding emails.
- Improved default for whether to include the Zulip realm name in the subject line of email notifications.
- Improved rendering format for emoji inside headings.
- Improved performance of rendering message views.
- Improved capabilities of compliance exports, including new CSV format.
- Fixed missing localization for dates/times in the message feed.
- Fixed a subtle issue causing files uploaded via the incoming email gateway to not be viewable.
- Fixed a subtle compose box issue that could cause a message to be sent twice.
- Fixed several subtle bugs involving messages that failed to send.
- Fixed several subtle bugs in message feed loading and rendering.
- Fixed several subtle live-update bugs involving moving messages.
- Fixed several error handling bugs in the message edit UI.
- Fixed an issue where newly created users could get email notifications for messages from Welcome Bot.
- Fixed an issue where the management command to garbage-collect uploaded files that are no longer used in a message was not running in cron.
- Fixed noticeable lag when marking messages as unread in the web app.
- Fixed a bug that could cause duplicate mobile push notifications.
- Fixed several error handling issues with the data export process.
- Fixed several subtle issues affecting certain container runtimes.
- Added support for configurable hooks to be run when upgrading the Zulip server.
- Added support for using TLS to secure the RabbitMQ connection.
- The Zulip API now includes an `ignored_parameters_unsupported` field to help client developers debug when they are attempting to use a parameter that the Zulip server does not support.
- Migrated web application error reporting to use Sentry.
- Significant portions of the original Bootstrap CSS framework have been deleted. This is an ongoing project.
- Converted many JavaScript modules to TypeScript.
- Reorganized the codebase, with new web/, help/, and api_docs/ top-level directories.
- Upgraded many third-party dependencies, including to Django 4.2 LTS.

#### Upgrade notes for 7.0

- When the [S3 storage backend](../production/upload-backends.md) is used for storing file uploads, those contents are now fetched by nginx, cached locally on the server, and served to clients; this lets clients cache the contents, and saves them a redirect. However, it may require administrators to adjust the size of the server's cache if they have a large deploy; see the [documentation](../production/upload-backends.md#s3-local-caching).
- Removed the `application_server.no_serve_uploads` setting in `/etc/zulip/zulip.conf`, as all uploads requests go through Zulip now.
- Installations using the previously undocumented [JWT authentication feature](../production/authentication-methods.md#jwt) will need to make minor adjustments in the format of JWT requests; see the documentation for details on the new format.
- High volume log files like `server.log` are now by default retained for 14 days, configured via the `access_log_retention_days` [deployment option](../production/system-configuration.md). This replaces a harder to understand size-based algorithm that was not easily configurable.
- The URL patterns for [linkifiers](https://zulip.com/help/add-a-custom-linkifier) have been migrated from a custom format string to RFC 6570 URL templates. A database migration will automatically migrate existing linkifiers correctly in the vast majority of cases, but some fancier linkifiers may require manual adjustment to generate correct URLs following this upgrade.
- PostgreSQL 11 is no longer supported; if you are currently using it, you will need to [upgrade PostgreSQL](../production/upgrade.md#upgrading-postgresql) before upgrading Zulip.
- Installations that deploy Zulip behind a [reverse proxy][reverse-proxy-docs] should make sure the proxy is configured to set the `X-Forwarded-Proto` HTTP header, and that [`loadbalancer.ips` is accurate][loadbalancer-ips] for the reverse proxy's IP; the documentation has updated its example configurations.
- Zulip's Twitter preview integration has been disabled due to Twitter desupporting the API that it relied on.

[reverse-proxy-docs]: ../production/reverse-proxies.md
[loadbalancer-ips]: ../production/reverse-proxies.md#configuring-zulip-to-trust-proxies

## Zulip Server 6.x series

### Zulip Server 6.2

_Released 2023-05-19_

- CVE-2023-28623: Fixed a vulnerability that would allow users to sign up for a Zulip Server account with an unauthorized email address, despite the server being configured to require that email addresses be in LDAP.
  Specifically, if the organization permissions don't require invitations to join, and the only configured authentication backends were `ZulipLDAPAuthBackend` and some other external authentication backend (any aside from `ZulipLDAPAuthBackend` and `EmailAuthBackend`), then an unprivileged remote attacker could have created a new account in the organization with an arbitrary email address in their control that was not in the organization's LDAP directory.
- CVE-2023-32677: Fixed a vulnerability which allowed users to invite new users to streams when inviting them to the server, even if they did not have [permission to invite existing users to streams](https://zulip.com/help/configure-who-can-invite-to-streams). This did not allow users to invite others to streams that they themselves were not a member of, and only affected deployments with the rare configuration of a permissive [realm invitation policy](https://zulip.com/help/restrict-account-creation#change-who-can-send-invitations) and a strict [stream invitation policy](https://zulip.com/help/configure-who-can-invite-to-streams).
- Fixed a bug that could cause duplicate push notifications when using the mobile push notifications service.
- Fixed several bugs in the Zulip server and PostgreSQL version upgrade processes.
- Fixed multiple Recent conversations display bugs for private message conversations.
- Fixed the left sidebar stream list exiting “more topics” during background re-rendering, and a related rendering bug.
- Fixed a bug where uploaded files sent via the email gateway were not correctly associated with the message’s sender.
- Improved error handling for certain puppet failures.
- Silenced a distracting `caniuse browserlist` warning in install/upgrade output.
- Simplified UI for inviting new users to make it easy to select the default streams.
- Fixed GPG check error handling for PGroonga apt repository.
- Documented how to manage email address changes when using the LDAP backend.
- Documented how to use SMTP without authentication.
- Documented that the Zulip mobile/desktop apps now only support Zulip Server 4.0 and newer (released 22 months ago), following our 18-month support policy.
- Extracted the documentation on modifying Zulip to a dedicated page.
- Added a new `send_welcome_bot_message` management command, to allow the sysadmin to send Welcome Bot messages manually after a data import.
- Added new `RABBITMQ_USE_TLS` and `RABBITMQ_PORT` settings for installations wanting to configure the RabbitMQ connection with a remote RabbitMQ host.
- Added a new `timesync` deployment option to allow installations to override Zulip’s default of `chrony` for time synchronization.
- Upgraded dependencies for security and bug fixes.

### Zulip Server 6.1

_Released 2023-01-23_

- Fixed a bug that caused the web app to not load on Safari 13 and lower; affected users would only see a blank page.
- Recent conversations now displays the “Participants” column for private messages too.
- Fixed minor bugs in “Recent conversations” focus and re-rendering.
- Fixed bugs that caused some unicode emoji to be incorrectly unavailable.
- Fixed subtle display bugs rendering the left sidebar.
- Fixed a bug causing the message feed to briefly show a “no matching messages” notice while loading.
- Fixed a double escaping display bug when displaying user names in an error notice.
- Fixed an unhandled exception when displaying user cards if the current user has an invalid timezone configured.
- Fixed a subtle interaction bug with the compose box preview widget.
- Added a workaround for a bug in Chromium affecting older versions of the Zulip desktop app that would cause horizontal lines to appear between messages.
- Stopped clipping the tops of tall characters in stream and topic names.
- Use internationalized form of “at” in message timestamps.
- Updated translations.
- Fixed the “custom” value for the “[delay before sending message notification emails](https://zulip.com/help/email-notifications#delay-before-sending-emails)” setting.
- Fixed an error which prevented users from changing [stream-specific notification settings](https://zulip.com/help/stream-notifications#set-notifications-for-a-single-stream).
- Fixed the redirect from `/apps` to https://zulip.com/apps/.
- Started preserving timezone information in [Rocket.Chat imports](https://zulip.com/help/import-from-rocketchat).
- Updated the Intercom integration to return success on `HEAD` requests, which it uses to verify its configuration.
- Documented how each [rate limit](../production/security-model.md#rate-limiting) category is used.
- Documented the `reset_authentication_attempt_count` command for when users lock themselves out.
- Documented the [full S3 bucket policy](../production/upload-backends.md#s3-bucket-policy) for avatar and uploads buckets.
- Clarified what the `--email` value passed to the installer will be used for.
- Hid harmless "non-existent database" warnings during initial installation.
- Forced a known locale when upgrading PostgreSQL, which avoids errors when using some terminal applications.
- Verified that PostgreSQL was running after upgrading it, in case a previous try at an upgrade left it stopped.
- Updated custom emoji migration 0376 to be a single SQL statement, and to no longer crash when no active owners were found.
- Replaced `transifex-client` internationalization library with new `transifex-cli`.
- Began respecting proxy settings when installing `shellcheck` and `shfmt` tools.
- Fixed the invitation code to signal a user data validation error, and not a server error, if an invalid “invite as” value was given.
- Renamed internal exceptions to end with `Error`.

### Zulip Server 6.0

_Released 2022-11-17_

#### Highlights

- Users can now mark messages as unread.
- Added support for viewing read receipts, along with settings allowing both organizations and individual users to disable them.
- Added new compose box button to navigate to the conversation being composed to, when that is different from the current view.
- Added a scroll-to-bottom button, analogous to the `End` shortcut, that appears only when scrolling using the mouse.
- Added support for up to 2 custom profile fields being highlighted in a user's profile summary popover, and added support for a new Pronouns custom field type designed to take advantage of it. Redesigned the custom profile fields administrative UI.
- Redesigned the left sidebar to better organize pinned and inactive streams, highlight topics where the user was mentioned, and better advertise streams that the current user can subscribe to.
- Redesigned the private messages experience in the left sidebar to make browsing conversations more ergonomic, with a similar usage pattern to browsing the topics within a stream.
- Improved "Recent topics" and renamed it to "Recent conversations", now that the view also includes private messages. The timestamp links now go to the latest message in the topic, arrow key navigation was improved, topics containing unread mentions are now highlighted, and many other bugs were fixed and subtle improvements made.
- Messages containing 3 or fewer emoji reactions now display the names of reacting users alongside the emoji. This eliminates the need to mouse over emoji reactions to find out who reacted in the vast majority of cases.
- Replaced the previous "Unavailable" status with a "Go invisible" feature that is more useful and intuitive.
- The right sidebar now displays user status messages by default, with an optional compact design available.
- The [public access option][public-access-option] was enhanced to skip the login page by default, support switching themes and languages, and add many other UI improvements.
- Incoming webhook integrations now support filtering which classes of events are sent into Zulip; this can be invaluable when the third-party service doesn't support configuring which events to send to Zulip.
- Added support for Ubuntu 22.04.
- Removed support for Debian 10 and PostgreSQL 10 due to their approaching end-of-life upstream.
- New integrations: Azure DevOps, RhodeCode, wekan.

[public-access-option]: https://blog.zulip.com/2022/05/05/public-access-option/

#### Full feature changelog

- Redesigned the message actions popover to be better organized.
- Redesigned moving messages to have a cleaner, more consistent UI that is no longer combined with the message editing UI. One can now choose to send automated notices when moving messages within a stream, not only between streams.
- Redesigned full user profiles to have a cleaner look and also display user IDs, which can be important when using the API. Users can now administer bot stream subscriptions from the bot's full profile.
- Redesigned the gear menu to display basic details about the Zulip organization, server, and its version.
- Redesigned several organization settings pages to have more consistent design.
- Redesigned the footer for self-hosted Zulip servers. The footer now has just a few key links, rather than being almost identical to the footer for the zulip.com website.
- Redesigned the 500 error pages for self-hosted Zulip servers to be clearer and link to the Zulip server troubleshooting guide.
- Redesigned the interface for configuring message editing and deletion permissions to be easier to understand.
- Added support for emoji added in unicode versions since 2017, which had previously been unavailable in Zulip. Users using the deprecated "Google blobs" emoji set are automatically migrated to the modern "Google" emoji set.
  The "Google blobs" emoji set remains available for users who prefer it, with any new emoji that were added to the Unicode standard since 2017 displayed in the modern "Google" style.
- Added support for changing the role of bots in the UI; previously, this was only possible via the API.
- Added confirmation modals for various destructive actions, such as deactivating bots.
- Added new summary statistics on the organization analytics page. Fixed several bugs with the display of analytics graphs.
- Added support for administrators sending a final email to a user as part of deactivating their Zulip account.
- Added API endpoint to get a single stream by ID.
- Added beta support for user groups to have subgroups, and for some permissions settings to be managed using user groups. Over the coming releases, we plan to migrate all Zulip permissions settings to be based on this more flexible groups-based system. We currently expect this migration to be fully backwards-compatible.
- Added a new compliance export management command.
- Zulip's automated emails use the `X-Auto-Response-Suppress` header to reduce auto-responder replies.
- Changed various icons to be more intuitive. The bell-based icon for muted topics has been replaced by a more standard muted speaker icon.
- Reworked how a new user's language is set to prefer their browser's configured language over the organization's configured language. This organization-level setting has been renamed to "Language for automated messages and invitation emails" to reflect what it actually does following this change.
- Organized the Drafts panel to prioritize drafts matching the current view.
- Added an automated notification to the "stream events" topic when changing a stream's privacy settings.
- Added support for conveniently overriding the default rate-limiting rules.
- Improved the search typeahead to show profile pictures for users.
- Improved typeahead matching algorithm for stream/user/emoji names containing multiple spaces and other corner cases.
- Improved the help center, including better display of keyboard shortcuts, mobile documentation for common workflows and many polish improvements.
- Improved API documentation, including a new page on roles and permissions, an audit to correct missing **Changes** entries, and new documentation for several previously undocumented endpoints.
- Improved Python static type-checking to make use of Django stubs for `mypy`, fixing many minor bugs in the process.
- Improved RealmAuditLog to cover several previously unauditable changes.
- Improved the experience for users who have not logged in for a long time, and receive an email or push notification about a private message or personal mention. These users are now automatically soft reactivated at the time of the notification, for a smoother experience when they log in.
- Improved the Tornado server-to-client push system's sharding system to support realm regular expressions and experimental support for splitting a single realm across multiple push server processes.
- Improved user deactivation modal to provide details about bots and invitations that will be disabled.
- Improved matching algorithm for left sidebar stream filtering.
- Improved several integrations, including CircleCI, Grafana, Harbor, NewRelic, and the Slack compatible incoming webhook. Git webhooks now use a consistent algorithm for choosing shortened commit IDs to display.
- Improved mention typeahead and rendering for cases where mention syntax appears next to symbols.
- Improved browser window titles used by the app to be clearer.
- Improved the language in message notification emails explaining why the notification was sent.
- Improved interface for accessing stream email addresses.
- Reordered the organization settings panels to be more intuitive.
- Increased timeout for processing slow requests from 20s to 60s.
- Removed the "user list in left sidebar in narrow windows" setting.
- Removed limits that prevented replying to Zulip email notifications multiple times or several days after receiving them.
- Fixed numerous bugs and performance issues with the Rocket.Chat data import tool. Improved importing emoji from Slack.
- Fixed several bugs where drafts could fail to be saved.
- Fixed a bug where copy-paste would incorrectly copy an entire message.
- Fixed the app's main loading page to not suggest reloading until several seconds have passed.
- Fixed multiple bugs that could cause the web app to flood the server with requests after the computer wakes up from suspend.
- Fixed a bug where public streams imported from other chat systems could incorrectly be configured as public streams without shared history, a configuration not otherwise possible in Zulip.
- Fixed several subtle bugs involving editing custom profile field configuration.
- Fixed several bugs involving compose box keyboard shortcuts.
- Fixed dozens of settings UI interaction design bugs.
- Fixed subtle caching bugs in the URL preview system.
- Fixed several rare race conditions in the server implementation.
- Fixed many CSS corner-case issues involving content overflowing containers.
- Fixed entering an emoji in the mobile web app using an emoji keyboard.
- Fixed Enter being processed incorrectly when inputting a character into Zulip phonetically via an IME composing session.
- Fixed several subtle bugs with confirmation links.
- Fixed a subtle performance issue for full-text search for uncommon words.
- Fixed the estimator for the size of public data exports.
- Fixed "mark all as read" requiring a browser reload.
- Major improvements to our documentation for setting up the development environment and for joining the project as a new contributor.
- Extracted several JavaScript modules to share code with the mobile app.
- Replaced several Python linters with Ruff, an incredibly fast Python linter written in Rust.
- Upgraded many third-party dependencies including Django 4.1, and substantially modernized the Python codebase.

#### Upgrade notes for 6.0

- Installations using [docker-zulip][docker-zulip] will need to [upgrade Postgres][docker-zulip-upgrade-database] before upgrading to Zulip 6.0, because the previous default of Postgres 10 is no longer supported by this release.
- Installations using the AzureAD authentication backend will need to update `/etc/zulip/zulip-secrets.conf` after upgrading. The `azure_oauth2_secret` secret was renamed to `social_auth_azuread_oauth2_secret`, to match our other external authentication methods.
- This release contains an expensive migration, `0419_backfill_message_realm`, which adds data to a new `realm` column in the message table. Expect it to run for 10-15 minutes per million messages in the database. The new column is not yet used in this release, so this migration can be run in the background for installations hoping to avoid extended downtime.
- Custom profile fields with "Pronouns" in their name and the "short text" field type were converted to the new "Pronouns" field type.

[docker-zulip-upgrade-database]: https://github.com/zulip/docker-zulip/#upgrading-zulipzulip-postgresql-to-14

## Zulip Server 5.x series

### Zulip Server 5.7

_Released 2022-11-16_

- CVE-2022-41914: Fixed the verification of the SCIM account management bearer tokens to use a constant-time comparator. Zulip Server 5.0 through 5.6 checked SCIM bearer tokens using a comparator that did not run in constant time. For organizations with SCIM account management enabled, this bug theoretically allowed an attacker to steal the SCIM bearer token, and use it to read and update the Zulip organization’s user accounts. In practice, this vulnerability may not have been practical or exploitable. Zulip Server installations which have not explicitly enabled SCIM are not affected.
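The CVE-2022-41914 entry above describes replacing a short-circuiting token comparison with a constant-time one. The following is an added illustration, not Zulip's own code: a stand-alone Python check for a SCIM-style `Authorization: Bearer` header that shows the pattern that was fixed next to the hardened one. The header parser, the `EXPECTED_TOKEN` value and all function names are constructed for this example.

```python
"""Constant-time bearer-token verification (added example, not Zulip code)."""
import hmac
from typing import Optional

# Constructed sample secret for this example only; a real deployment reads
# the SCIM token from its secrets store, never from source.
EXPECTED_TOKEN = "example-scim-bearer-token-0123456789abcdef"


def parse_bearer(authorization_header: Optional[str]) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <token>' header value.

    Returns None when the header is absent, uses another scheme, or carries
    no token, so malformed requests are rejected before any comparison.
    """
    if authorization_header is None:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def check_token_naive(presented: str, expected: str = EXPECTED_TOKEN) -> bool:
    """The pattern the 5.7 fix removes: plain string equality stops at the
    first differing byte, so the time a rejection takes depends on how long
    a prefix of the guess matched the real token."""
    return presented == expected


def check_token_constant_time(presented: str, expected: str = EXPECTED_TOKEN) -> bool:
    """Hardened check: hmac.compare_digest does not stop early, so its timing
    does not depend on where the two values differ. Only the lengths of the
    inputs (never their contents) can influence how long it takes."""
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def authorize_scim_request(authorization_header: Optional[str]) -> bool:
    """Full request check: parse the header, then compare in constant time."""
    token = parse_bearer(authorization_header)
    if token is None:
        return False
    return check_token_constant_time(token)


if __name__ == "__main__":
    # Constructed sample requests: one valid, one with a single wrong byte.
    print(authorize_scim_request("Bearer " + EXPECTED_TOKEN))
    print(authorize_scim_request("Bearer " + EXPECTED_TOKEN[:-1] + "x"))
```

Both checks return the same booleans for the same inputs; the difference is only in timing, which is why this class of bug is easy to miss in functional tests and is best caught by reviewing every secret comparison for use of `hmac.compare_digest` (or `secrets.compare_digest`) rather than `==`.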
- Fixed an error with deactivating users with `manage.py sync_ldap_user_data` when `LDAP_DEACTIVATE_NON_MATCHING_USERS` was enabled.
- Fixed several subtle bugs that could lead to browsers reloading repeatedly when the server was updated.
- Fixed a live-update bug when changing certain notifications settings.
- Improved error logs when sending push notifications to the push notifications service fails.
- Upgraded Python requirements.

### Zulip Server 5.6

_Released 2022-08-24_

- CVE-2022-36048: Change the Markdown renderer to only rewrite known local links as relative links, rather than rewriting all local links. This fix also protects against a vulnerability in the Zulip mobile app (CVE-2022-35962).
- Added hardening against timing attacks to an internal authentication check.
- Improved documentation for hosting multiple organizations on a server.
- Updated dependencies.
- Updated translations.

### Zulip Server 5.5

_Released 2022-07-21_

- CVE-2022-31168: Fix authorization check for changing bot roles. Due to an incorrect authorization check in Zulip Server 5.4 and all prior releases, a member of an organization could craft an API call that would grant organization administrator privileges to one of their bots.
- Added new options to the `restore-backup` tool to simplify restoring backups on a system with a different configuration.
- Updated translations, including major updates to the Mongolian and Serbian translations.

### Zulip Server 5.4

_Released 2022-07-11_

- CVE-2022-31134: Exclude private file uploads from [exports of public data](https://zulip.com/help/export-your-organization#export-of-public-data). We would like to thank Antoine Benoist for bringing this issue to our attention.
- Upgraded python requirements.
- Improved documentation for load balancers to mention CIDR address ranges.
- Documented an explicit list of supported CPU architectures.
- Switched `html2text` to run as a subprocess, rather than a Python module, as its GPL license is not compatible with Zulip’s.
- Replaced `markdown-include` python module with a reimplementation, as its GPL license is not compatible with Zulip’s.
- Relicensed as GPL the `tools/check-thirdparty` developer tool which verifies third-party licenses, due to a GPL dependency by way of `python-debian`.
- Closed a potential race condition in the Tornado server, with events arriving at exactly the same time as a request causing server errors.
- Added a tool to help automate more of the release process.

### Zulip Server 5.3

_Released 2022-06-21_

- CVE-2022-31017: Fixed message edit event exposure in protected-history streams. Zulip allows a stream to be configured as [private with protected history](https://zulip.com/help/stream-permissions#stream-privacy-settings), which means that new subscribers should only see messages sent after they join. However, due to a logic bug in Zulip Server 2.1.0 through 5.2, when a message was edited, the server would incorrectly send an API event that included both the edited and old content of the message to all of the stream’s current subscribers, regardless of whether they could see the original message. The impact of this issue was reduced by the fact that this API event is ignored by official clients, so it could only be observed by a user using a modified client or their browser’s developer tools.
- Adjusted upgrade steps to cause servers using PostgreSQL 14 to upgrade to PostgreSQL 14.4, which fixes an important potential database corruption issue.
- Upgraded the asynchronous request handling to use Tornado 6.
- Fixed a crash when displaying the error message for a failed attempt to create a stream.
- Optimized the steps during `upgrade-zulip`, to reduce the amount of server downtime.
- Added a `--skip-restart` flag to `upgrade-zulip` which prepares the new version, but does not restart the server into it.
- Stopped mirroring the entire remote Git repository directly into `/srv/zulip.git`. This mirroring removed local branches and confused the state of previous deployments.
- Fixed a bug which could cause the `delete_old_unclaimed_attachments` command-line tool to remove attachments that were still referenced by deleted (but not yet permanently removed) messages.
- Stopped enabling `USE_X_FORWARDED_HOST` by default, which was generally unneeded; the proxy documentation now clarifies when it is necessary.
- Fixed the nginx configuration to include the default system-level nginx modules.
- Only attempt to fix the `certbot` SSL renewal configuration if HTTPS is enabled; this addresses a regression in Zulip Server 5.2, where the upgrade would fail if an improperly configured certificate existed, but was both expired and not in use.
- Improved proxy and database backup documentation.

### Zulip Server 5.2

_Released 2022-05-03_

- Fixed a performance regression in the UI, introduced in 5.0, when opening the compose box.
- Fixed a bug which could intermittently cause URL previews to fail, if Zulip was being run in Docker or in low-memory environments.
- Fixed an issue which would cause PostgreSQL 10 and PostgreSQL 11 to attempt to write each WAL log to S3, even if S3 WAL backups/replication were not configured.
- Fixed an issue which prevented the SCIM integration from deactivating users.
- Fixed a bug that resulted in a “You unsubscribed” notice incorrectly appearing when new messages arrived in a topic being viewed via a “near” link.
- Fixed digest emails being incorrectly sent if a user was deactivated after the digest was enqueued but before it was processed.
- Fixed warning about `EMAIL_HOST_PASSWORD` being unset when explicitly set to empty.
- Fixed incomplete tracebacks when timeouts happen during Markdown rendering.
- Fixed some older versions of Zulip Server not being considered when comparing for the likely original version of `settings.py`.
- Stopped using the `database_password` if it is set but `database_user` is not.
- Stopped trying to fix LetsEncrypt certificate configuration if the certificates were not currently in use.
- Sorted and prettified the output of the `check-database-compatibility` tool.
- Split the large `zerver/lib/actions.py` file into many files under `zerver/actions/`. This non-functional change was backported to ensure it remains easy to backport other changes.
- Updated documentation to reflect that current mobile apps are only guaranteed to be compatible with Zulip Server 3.0 and later; they may also work with earlier versions, with a degraded experience.

### Zulip Server 5.1

_Released 2022-04-01_

- Fixed upgrade bug where preexisting animated emoji would still always animate in statuses.
- Improved check that prevents servers from accidentally downgrading, to not block upgrading servers that originally installed Zulip Server prior to mid-2017.
- Fixed email address de-duplication in Slack imports.
- Prevented an extraneous scrollbar when a notification banner was present across the top.
- Fixed installation in LXC containers, which failed due to `chrony` not being runnable there.
- Prevented a "push notifications not configured" warning from appearing in the new user default settings panel even when push notifications were configured.
- Fixed a bug which, in uncommon configurations, would prevent Tornado from being restarted during upgrades; users would be able to log in, but would immediately be logged out.
- Updated translations.

### Zulip Server 5.0

_Released 2022-03-29_

#### Highlights

- New [resolve topic](https://zulip.com/help/resolve-a-topic) feature allows marking topics as ✔ completed. It’s a lightweight way to manage a variety of workflows, including support interactions, answering questions, and investigating issues.
- Administrators may enable the option to create [web-public streams](https://zulip.com/help/web-public-streams).
  Web-public streams can be viewed by anyone on the Internet without creating an account in your organization.
- Users can now select a status emoji alongside their status message. Status emoji are shown next to the user's name in the sidebars, message feed, and compose box. Animated status emoji will only animate on hover.
- Redesigned the compose box, adding formatting buttons for bold, italics and links as well as visual improvements. New button for inserting global times into your message.
- Redesigned "Stream settings" to be much more usable, with separate tabs for personal settings, global settings, and membership, and more consistent style with the rest of Zulip's settings.
- Stream creation was redesigned with a much cleaner interface, especially for selecting initial subscribers.
- Redesigned "Full user profile" widget to show the user's stream and user group subscriptions. Administrators can unsubscribe a user from streams directly from their full profile.
- Reorganized personal and organization settings to have clearer labels and make it easier to find privacy settings.
- Organization administrators can now configure the default personal preference settings for new users joining the organization.
- Most permissions settings now support choosing which roles have the permission, rather than just allowing administrators or everyone.
- Permanent links to conversations now correctly redirect if the target message has been moved to a new stream or topic.
- Added a data import tool for migrating from Rocket.Chat. Mattermost data import now supports importing uploaded files.
- Improved handling of messages containing many images; now up to 20 images can be previewed in a single message (up from 5), and a new grid layout will be used.
- OpenID Connect joins SAML, LDAP, Google, GitHub, Azure Active Directory, and more as a supported Single Sign-On provider.
- SAML authentication now supports syncing custom profile fields.
  Additionally, SAML authentication now supports automatic account creation and IdP-initiated logout.
- Added SCIM integration for synchronizing accounts with an external user database.
- Added support for installation on ARM platforms (including Mac M1).
- Removed support for Ubuntu 18.04, which no longer receives upstream security support for key Zulip dependencies.

#### Upgrade notes for 5.0

- This release contains a migration, `0009_confirmation_expiry_date_backfill`, that can take several minutes to run on a server with millions of messages of history.
- The `TERMS_OF_SERVICE` and `PRIVACY_POLICY` settings have been removed in favor of a system that supports additional policy documents, such as a code of conduct. See the [updated documentation](../production/settings.md) for the new system.

#### Full feature changelog

- Timestamps in Zulip messages are now permanent links to the message in its thread.
- Added support for invitation links with configurable expiry, including links that never expire. Deactivating a user now disables all invitations that the user had sent.
- Added support for expanding the compose box to be full-screen.
- Added support for filtering events in webhooks.
- Added support for overriding Zulip's defaults for new users in your organization.
- Added support for referring to a user group with a silent mention.
- Added new personal privacy setting controlling whether typing notifications are sent to other users.
- Added new personal setting controlling whether `Esc` navigates the user to the default view.
- Split stream creation policy into separate settings for private, public, and web-public streams.
- New integrations: Freshstatus, Lidarr, Open Collective, Radarr, Sonarr, SonarQube.
- Message edit notifications now indicate how many messages were moved, when only part of a topic was moved.
- Muted topic records are now moved when an entire topic is moved.
- Search views that don't mark messages as read now have an explanatory notice if any unread messages are present.
- Added new "Scroll to bottom" widget hovering over the message feed.
- Changed the default emoji set from Google Classic to Google Modern.
- User group mentions now correctly function as silent mentions when inside block quotes.
- Messages that have been moved (but not otherwise edited) are now displayed as MOVED, not EDITED.
- Reworked the UI for selecting a stream when moving topics.
- Redesigned modals in the app to have more consistent and cleaner UX.
- Added new topic filter widget in left sidebar zoomed view.
- Redesigned Welcome Bot onboarding experience.
- Redesigned hover behavior for timestamps and time mentions.
- Messages sent by muted users can now be rehidden after being revealed. One can also now mute deactivated users.
- Rewrote Help Center guides for new organizations and users, and made hundreds of other improvements to Help Center content and organization.
- Reimplemented the image lightbox's pan/zoom functionality to be nicer, allowing us to enable it by default.
- Added styled loading page for the web application.
- Webhook integrations now support specifying the target stream by ID.
- Notifications now differentiate user group mentions from personal mentions.
- Added support for configuring how long the server should wait before sending email notifications after a mention or PM.
- Improved integrations: BigBlueButton, GitHub, Grafana, PagerDuty, and many more.
- Improved various interaction and performance details in "Recent topics".
- Improved styling for poll and todo list widgets.
- Zulip now supports configuring the database name and username when using a remote Postgres server. Previously, these were hardcoded to "zulip".
- Migrated many tooltips to prettier tooltips powered by TippyJS.
- Autocomplete is now available when editing topics.
- Typeahead for choosing a topic now consistently fetches the full set of historical topics in the stream.
- Changed "Quote and reply" to insert quoted content at the cursor when the compose box is not empty.
- The compose box now has friendly UI for messages longer than 10K characters.
- Compose typeahead now opens after typing only "@".
- Improved the typeahead sorting for choosing code block languages.
- Many additional subtle usability improvements to compose typeahead.
- Adjusted permissions to only allow administrators to override unicode emoji with a custom emoji of the same name.
- New "Manage this user" option in user profile popovers simplifies moderation.
- New automated notifications when changing global stream settings like description and message retention policy.
- Drafts are now advertised more prominently, in the left sidebar.
- Drafts and message edit history now correctly render widgets like spoilers and global times.
- Improved the tooltip formatting for global times.
- LDAP `userAccountControl` logic now supports FreeIPA quirks.
- Fixed a problem where self-hosted servers that permuted the IDs of their users by using the data export/import tools might send mobile push notifications to the wrong devices.
- Fixed various bugs resulting in missing translations; most importantly in the in-application search/markdown/hotkeys help widgets.
- Fixed several bugs that prevented browser undo from working in the compose box.
- Fixed search typeahead not working once you've added a full-text keyword.
- Fixed linkifier validation to prevent invalid linkifiers.
- Fixed `Ctrl+.` shortcut not working correctly with empty topics.
- Fixed numerous corner case bugs with email and mobile push notifications.
- Fixed a bug resulting in long LaTeX messages failing to render.
- Fixed buggy logic displaying users' last active time.
- Fixed confusing "delete stream" language for archiving streams.
- Fixed exceptions in races involving messages being deleted while processing a request to add emoji reactions, mark messages as read, or send notifications.
- Fixed most remaining 500 errors seen in Zulip Cloud (these were already quite rare, so this process involved debugging several rare races, timeouts, and error handling bugs).
- Fixed subtle bugs involving composing messages to deactivated users.
- Fixed subtle bugs with reloading the page while viewing settings with "Recent topics" as the default view.
- Fixed bug where pending email notifications could be lost when restarting the Zulip server.
- Fixed "require topics" setting not being enforced for API clients.
- Fixed several subtle Markdown rendering bugs.
- Fixed several bugs with message edit history and stream/topic moves.
- Fixed multiple subtle bugs that could cause compose box content to not be properly saved as drafts in various situations.
- Fixed several server bugs involving rare race conditions.
- Fixed a bug where different messages in search results would be incorrectly shown with a shared recipient bar despite potentially not being temporally adjacent.
- Fixed lightbox download button not working with the S3 upload backend.
- Increased default retention period before permanently removing deleted messages from 7 days to 30 days.
- Rate limiting now supports treating all Tor exit nodes as a single IP.
- Changed "From" header in invitation emails to no longer include the name of the user who sent the invitation, to prevent anti-phishing software from flagging invitations.
- Added support for uploading animated PNGs as custom emoji.
- Renamed "Night mode" to "Dark theme".
- Added the mobile app's notification sound to desktop sound options, as "Chime".
- Reworked the `manage.py help` interface to hide Django commands that are useless or harmful to run on a production system. Also deleted several useless management commands.
- Improved help and functionality of several management commands.
- New `create_realm` management command supports some automation workflows.
- Added `RealmAuditLog` logging for most administrative actions that were previously not tracked.
- Added automated testing of the upgrade process from previous releases, to reduce the likelihood of problems upgrading Zulip.
- Attempting to "upgrade" to an older version now gives a clear error message.
- Optimized critical parts of the message sending code path for large organizations.
- Optimized creating streams in very large organizations.
- Certain unprintable Unicode characters are no longer permitted in topic names.
- Added IP-based rate limiting for unauthenticated requests.
- Added documentation for Zulip's rate-limiting rules.
- Merged the API endpoints for a user's personal settings into the /settings endpoint with a cleaner interface.
- The server API now supports marking messages as unread, allowing this upcoming mobile app feature to work with Zulip 5.0.
- Added to the API most page-load parameters used by the web app that were missing from the `/register` API.
- Simplified the infrastructure for rendering API documentation so that only a few pages require Markdown templates in addition to the OpenAPI specification file.
- Corrected many minor issues with the API documentation.
- Major improvements to both the infrastructure and content for Zulip's ReadTheDocs documentation for contributors and sysadmins.
- Major improvements to the mypy type-checking, discovered via using the django-stubs project to get Django stubs.
- Renamed main branch from `master` to `main`.

## Zulip Server 4.x series

### Zulip Server 4.11

_Released 2022-03-15_

- CVE-2022-24751: Zulip Server 4.0 and above were susceptible to a race condition during user deactivation, where a simultaneous access by the user being deactivated may, in rare cases, allow continued access by the deactivated user.
  This access could theoretically continue until one of the following events happens:
  - The session expires from memcached; this defaults to two weeks, and is controlled by `SESSION_COOKIE_AGE` in `/etc/zulip/settings.py`.
  - The session cache is evicted from memcached by other cached data.
  - The server is upgraded, which clears the cache.
- Updated translations.

### Zulip Server 4.10

_Released 2022-02-25_

- CVE-2022-21706: Reusable invitation links could be improperly used for other organizations.
- CVE-2021-3967: Enforce that regenerating an API key must be done with an API key, not a cookie. Thanks to nhiephon (twitter.com/\_nhiephon) for their responsible disclosure of this vulnerability.
- Fixed a bug with the `reindex-textual-data` tool, where it would sometimes fail to find the libraries it needed.
- Pin PostgreSQL to 10.19, 11.14, 12.9, 13.5 or 14.1 to avoid a regression which caused deploys with PGroonga enabled to unpredictably fail database queries with the error `variable not found in subplan target list`.
- Fixed ARM64 support; however, the wal-g binary is not yet supported on ARM64 (zulip/zulip#21070).

### Zulip Server 4.9

_Released 2022-01-24_

- CVE-2021-43799: Remote execution of code involving RabbitMQ.
- Closed access to RabbitMQ port 25672; initial installs tried to close this port, but failed to restart RabbitMQ for the configuration.
- Removed the `rabbitmq.nodename` configuration in `zulip.conf`; all RabbitMQ instances will be reconfigured to have a nodename of `zulip@localhost`. You can remove this setting from your `zulip.conf` configuration file, if it exists.
- Added missing support for the Camo image proxy in the Docker image. This resolves a longstanding issue with image previews, if enabled, appearing as broken images for Docker-based installs.
- Fixed a bug which allowed a user to edit a message to add a wildcard mention when they did not have permissions to send such messages originally.
- Fixed a bug in the tool that corrects database corruption caused by updating the operating system hosting PostgreSQL, which previously omitted some indexes from its verification. If you updated the operating system of your Zulip instance from Ubuntu 18.04 to 20.04, or from Debian 9 to 10, you should run the tool, even if you did so previously; full details and instructions are available in the previous blog post.
- Began routing requests from the Camo image proxy through a non-Smokescreen proxy, if one is configured; because Camo includes logic to deny access to private subnets, routing its requests through Smokescreen is generally not necessary.
- Fixed a bug where changing the Camo secret required running `zulip-puppet-apply`.
- Fixed `scripts/setup/compare-settings-to-template` to be able to run from any directory.
- Switched Let's Encrypt renewal to use its own timer, rather than our custom cron job. This fixes a bug where occasionally `nginx` would not reload after getting an updated certificate.
- Updated documentation and tooling to note that installs using `upgrade-zulip-from-git` require 3 GB of RAM, or 2 GB and at least 1 GB of swap.

### Zulip Server 4.8

_Released 2021-12-01_

- CVE-2021-43791: Zulip could fail to enforce expiration dates on confirmation keys, allowing users to potentially use expired invitations, self-registrations, or realm creation links.
- Began installing Smokescreen to harden Zulip against SSRF attacks by default. Zulip has offered Smokescreen as an option since Zulip 4.0. Existing installs which configured an outgoing proxy which is not on `localhost:4750` will continue to use that; all other installations will begin having a Smokescreen installation listening on 127.0.0.1, which Zulip will proxy traffic through. The version of Smokescreen was also upgraded.
- Replaced the camo image proxy with go-camo, a maintained reimplementation that also protects against SSRF attacks.
  This server now listens only on 127.0.0.1 when it is deployed as part of a standalone deployment.
- Began using camo for images displayed in URL previews. This improves privacy and also resolves an issue where an image link to a third party server with an expired or otherwise invalid SSL certificate would trigger a confusing pop-up window for Zulip Desktop users.
- Fixed a bug which could cause Tornado to shut down improperly (causing an immediate full-page reload for their clients) when restarting a heavily loaded Zulip server.
- Updated Python dependencies.
- Truncated large "remove" mobile notification events so that marking hundreds of private messages or other notifiable messages as read at once won't exceed Apple's 4 KB notification size limit.
- Slack importer improvements:
  - Ensured that generated fake email addresses for Slack bots are unique.
  - Added support for importing Slack exports from a directory, not just a .zip file.
  - Provided better error messages with invalid Slack tokens.
  - Added support for non-ASCII Unicode folder names on Windows.
- Added support for V3 Pagerduty webhook.
- Updated documentation for Apache SSO, which now requires additional configuration now that Zulip uses a C extension (the `re2` module).
- Fixed a bug where an empty name in a SAML response would raise an error.
- Ensured that `deliver_scheduled_emails` and `deliver_scheduled_messages` did not double-deliver if run on multiple servers at once.
- Extended Certbot troubleshooting documentation.
- Fixed a bug in soft deactivation catch-up code, in cases where a race condition had created multiple subscription deactivation entries for a single user and single stream in the audit log.
- Updated translations, including adding a Sinhala translation.

### Zulip Server 4.7

_Released 2021-10-04_

- CVE-2021-41115: Prevent organization administrators from affecting the server with a regular expression denial-of-service attack through linkifier patterns.
### Zulip Server 4.6

_Released 2021-09-23_

- Documented official support for Debian 11 Bullseye, now that it is officially released by Debian upstream.
- Fixed installation on Debian 10 Buster. Upstream infrastructure had broken the Python `virtualenv` tool on this platform, which we've worked around for this release.
- Zulip releases are now distributed from https://download.zulip.com/server/, replacing the old `www.zulip.org` server.
- Added support for LDAP synchronization of the `is_realm_owner` and `is_moderator` flags.
- `upgrade-zulip-from-git` now uses `git fetch --prune`; this ensures `upgrade-zulip-from-git master` will return an error rather than using a stale cached version of the `master` branch, which was renamed to `main` this month.
- Added a new `reset_authentication_attempt_count` management command to allow sysadmins to manually reset authentication rate limits.
- Fixed a bug that caused the `upgrade-postgresql` tool to incorrectly remove `supervisord` configuration for `process-fts-updates`.
- Fixed a rare migration bug when upgrading from Zulip versions 2.1 and older.
- Fixed a subtle bug where the left sidebar would show both old and new names for some topics that had been renamed.
- Fixed incoming email gateway support for configurations with the `http_only` setting enabled.
- Fixed issues where Zulip's outgoing webhook, with the Slack-compatible interface, had a different format from Slack's documented interface.
- The installation and upgrade documentation now shows the latest release's version number.
- Backported many improvements to the ReadTheDocs documentation.
- Updated translation data from Transifex.

### Zulip Server 4.5

_Released 2021-07-25_

- Added a tool to fix potential database corruption caused by host OS upgrades (was listed in 4.4 release notes, but accidentally omitted).

### Zulip Server 4.4

_Released 2021-07-22_

- Fixed a possible denial-of-service attack in Markdown fenced code block parsing.
- Smokescreen, if installed, now defaults to only listening on 127.0.0.1; this prevents it from being used as an open HTTP proxy if it did not have other firewalls protecting incoming port 4750.
- Fixed a performance/scalability issue for installations using the S3 file uploads backend.
- Fixed a bug where users could turn other users' messages they could read into widgets (e.g. polls).
- Fixed a bug where emoji and avatar image requests were sent through Camo; doing so does not add any security benefit, and broke custom emoji that had been imported from Slack in Zulip 1.8.1 or earlier.
- Changed to log just a warning, instead of an exception, in the case that the `embed_links` worker cannot fetch previews for all links in a message within the 30-second timeout. Each preview request within a message already has a 15-second timeout.
- Ensured `psycopg2` is installed before starting `process_fts_updates`; otherwise, it might fail to start several times before the package was installed.
- Worked around a bug in supervisor where, when using SysV init, `/etc/init.d/supervisor restart` would only have stopped, not restarted, the process.
- Modified upgrade scripts to better handle failure, and suggest next steps and point to logs.
- Zulip now hides the "show password" eye icon that IE and Edge browsers place in password inputs; this duplicated the already-present JavaScript-based functionality.
- Fixed "OR" glitch on login page if SAML authentication is enabled but not configured.
- The `send_test_email` management command now shows the full SMTP conversation on failure.
- Provided a `change_password` management command which takes a `--realm` option.
- Fixed `upgrade-zulip-from-git` crashing in CSS source map generation on 1-CPU systems.
- Added an `auto_signup` field in SAML configuration to auto-create accounts upon first login attempt by users which are authenticated by SAML.
- Provided better error messages when `puppet_classes` in `zulip.conf` are mistakenly space-separated instead of comma-separated.
- Updated translations for many languages.

### Zulip Server 4.3

_Released 2021-06-02_

- Fixed exception when upgrading older servers with the `JITSI_SERVER_URL` setting set to `None` to disable Jitsi.
- Fixed GIPHY integration dropdown appearing when the server doesn't have a GIPHY API key configured.
- The GIPHY API library is no longer loaded for users who are not actively using the GIPHY integration.
- Improved formatting for Grafana integration.
- Fixed previews of Dropbox image links.
- Fixed support for storing avatars/emoji in non-S3 upload backends.
- Fixed an overly strict database constraint for code playgrounds.
- Tagged user status strings for translation.
- Updated translation data from Transifex.

### Zulip Server 4.2

_Released 2021-05-13_

- Fixed exception in purge-old-deployments when upgrading on a system that has never upgraded using Git.
- Fixed installation from a directory readable only by root.

### Zulip Server 4.1

_Released 2021-05-13_

- Fixed exception upgrading to the 4.x series from older releases.

### Zulip Server 4.0

_Released 2021-05-13_

#### Highlights

- Code blocks now have a copy-to-clipboard button and can be integrated with external code playgrounds, making it convenient to work with code while discussing it in Zulip.
- Added a new organization [Moderator role][roles-and-permissions]. Many permissions settings for sensitive features now support only allowing moderators and above to use the feature.
- Added a native Giphy integration for sending animated GIFs.
- Added support for muting another user.
- "Recent topics" is no longer beta, no longer an overlay, supports composing messages, and is now the default view. The previous default view, "All messages", is still available, and the default view can now be configured via "Display settings".
- Completed API documentation for Zulip's real-time events system. It is now possible to write a decent Zulip client with minimal interaction with the Zulip server development team.
- Added new organization settings: wildcard mention policy.
- Integrated [Smokescreen][smokescreen], an outgoing proxy designed to help protect against SSRF attacks; outgoing HTTP requests that can be triggered by end users are routed through this service. We recommend that self-hosted installations configure it.
- This release contains more than 30 independent changes to the [Zulip API](https://zulip.com/api/changelog), largely to support new features or make the API (and thus its documentation) clearer and easier for clients to implement. Other new API features support better error handling for the mobile and terminal apps.
- The frontend internationalization library was switched from i18next to FormatJS.
- The button for replying was redesigned to show the reply recipient and be more obvious to users coming from other chat apps.
- Added support for moving topics to private streams, and for configuring which roles can move topics between streams.

[roles-and-permissions]: https://zulip.com/help/roles-and-permissions

#### Upgrade notes for 4.0

- Changed the Tornado service to use 127.0.0.1:9800 instead of 127.0.0.1:9993 as its default network address, to simplify support for multiple Tornado processes. Since Tornado only listens on localhost, this change should have no visible effect unless another service is using port 9800.
- Zulip's top-level puppet classes have been renamed, largely from `zulip::foo` to `zulip::profile::foo`. Configuration referencing these in `/etc/zulip/zulip.conf` will be automatically updated during the upgrade process, but if you have a complex deployment or you maintain `zulip.conf` in another system (e.g. with the [manual configuration][docker-zulip-manual] option for [docker-zulip][docker-zulip]), you'll want to manually update the `puppet_classes` variable.
- Zulip's supervisord configuration now lives in `/etc/supervisor/conf.d/zulip/`.
- Consider enabling [Smokescreen][smokescreen].
- Private streams can no longer be default streams (i.e. the ones new users are automatically added to).
- New `scripts/start-server` and `scripts/stop-server` mean that one no longer needs to use `supervisorctl` directly for these tasks.
- As this is a major release, we recommend [carefully updating the inline documentation in your `/etc/zulip/settings.py`][update-settings-docs]. Notably, we rewrote the template to be better organized and more readable in this release.
- The web app will now display a warning in the UI if the Zulip server has not been upgraded in more than 18 months.
- The next time users log in to Zulip with their password after upgrading to this release, they will be logged out of all active browser sessions (i.e. the web and desktop apps). This is a side effect of improved security settings (increasing the minimum entropy used when salting passwords from 71 bits to 128 bits).
- We've removed the partial Thumbor integration from Zulip. The Thumbor project appears to be dead upstream, and we no longer feel comfortable including it in Zulip from a security perspective. We hope to introduce a fully supported thumbnailing integration in our next major release.

[docker-zulip-manual]: https://github.com/zulip/docker-zulip#manual-configuration
[smokescreen]: ../production/deployment.md#customizing-the-outgoing-http-proxy
[update-settings-docs]: ../production/upgrade.md#updating-settingspy-inline-documentation

#### Full feature changelog

- Added new [release lifecycle documentation](release-lifecycle.md).
- Added support for subscribing another stream's membership to a stream.
- Added RealmAuditLog for most settings state changes in Zulip; this data will facilitate future features showing a log of activity by a given user or changes to an organization's settings.
- Added support for using Sentry for processing backend exceptions.
- Added documentation for using `wal-g` for continuous PostgreSQL backups.
- Added loading spinners for message editing widgets.
- Added live update of compose placeholder text when recipients change.
- Added keyboard navigation for popover menus that were missing it.
- Added documentation for all [zulip.conf settings][zulip-conf-settings].
- Added dozens of new notification sound options.
- Added menu option to unstar all messages in a topic.
- Added confirmation dialog before unsubscribing from a private stream.
- Added confirmation dialog before deleting your profile picture.
- Added types for all parameters in the API documentation.
- Added API endpoint to fetch user details by email address.
- Added API endpoint to fetch presence details by user ID.
- Added new LDAP configuration options for servers hosting multiple organizations.
- Added new `@**|user_id**` mention syntax intended for use in bots.
- Added preliminary support for Zulip on Debian 11; this release is expected to support Debian 11 without any further changes.
- Added several useful new management commands, including `change_realm_subdomain` and `delete_user`.
- Added support for subscribing all members of a user group to a stream.
- Added support for sms: and tel: links.
- Community topic editing time limit increased to 3 days for members.
- New integrations: Freshping, Jotform, UptimeRobot, and a JSON formatter (which is particularly useful when developing a new integration).
- Updated integrations: Clubhouse, NewRelic, Bitbucket, Zabbix.
- Improved formatting of GitHub and GitLab integrations.
- Improved the user experience for multi-user invitations.
- Improved several rendered-message styling details.
- Improved design of `