Alex Vandiver a46f6df91e CVE-2021-43799: Write rabbitmq configuration before starting.
Zulip writes a `rabbitmq.config` configuration file which locks down
RabbitMQ to listen only on localhost:5672, as well as the RabbitMQ
distribution port, on localhost:25672.

The "distribution port" is part of Erlang's clustering configuration;
while it is documented that the protocol is fundamentally
insecure ([1], [2]) and can result in remote arbitrary execution of
code, by default the RabbitMQ configuration on Debian and Ubuntu
leaves it publicly accessible, with weak credentials.

The configuration file that Zulip writes, while effective, is only
written _after_ the package has been installed and the service
started, which leaves the port exposed until RabbitMQ or system
restart.

Ensure that rabbitmq's `/etc/rabbitmq/rabbitmq.config` is written
before rabbitmq is installed or starts, and that changes to that file
trigger a restart of the service, such that the ports are only ever
bound to localhost.  This does not mitigate existing installs, since
it does not force a rabbitmq restart.

[1] https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html
[2] https://www.erlang.org/doc/reference_manual/distributed.html#distributed-erlang-system
2022-01-25 01:48:05 +00:00
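The ordering the commit message describes, as an added example that is not Zulip's own Puppet manifest: the config file is written before the package is installed (so the service's first start already reads it) and any later change to the file notifies the service so it restarts and rebinds. The package and service names (`rabbitmq-server`, as on Debian/Ubuntu) and the exact config content are assumptions.

```puppet
# Added example, not from the Zulip repository. Assumes Debian's
# 'rabbitmq-server' package/service names.
file { '/etc/rabbitmq':
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0755',
}

file { '/etc/rabbitmq/rabbitmq.config':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  # Erlang-term config: AMQP listener on loopback only, and the Erlang
  # distribution listener pinned to loopback on port 25672.
  content => "[
  {rabbit, [
    {tcp_listeners, [{\"127.0.0.1\", 5672}]}
  ]},
  {kernel, [
    {inet_dist_use_interface, {127,0,0,1}},
    {inet_dist_listen_min, 25672},
    {inet_dist_listen_max, 25672}
  ]}
].
",
  require => File['/etc/rabbitmq'],
  before  => Package['rabbitmq-server'],  # written before the package installs
  notify  => Service['rabbitmq-server'],  # edits to the file restart the service
}

package { 'rabbitmq-server':
  ensure => installed,
}

service { 'rabbitmq-server':
  ensure  => running,
  enable  => true,
  require => Package['rabbitmq-server'],
}
```

As the commit notes, applying this to an already-running install does not force a restart; `ss -ltn` on the host should show both 5672 and 25672 bound to 127.0.0.1 only once the service has restarted.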
.github ci: Cache with the OS name, not the job name. 2022-01-24 14:29:49 -08:00
.tx cleanup: Delete trailing newlines. 2019-08-06 23:29:11 -07:00
.vscode vscode: Recommend remote development extension. 2021-11-03 16:03:46 -07:00
analytics python: Replace deprecated jinja2.utils.Markup with markupsafe.Markup. 2022-01-13 14:22:48 -08:00
confirmation lint: Enforce consistent style of using transaction.atomic decorator. 2021-12-12 11:15:33 -08:00
corporate mypy: Add types-stripe. 2022-01-23 22:47:30 -08:00
docs CVE-2021-43799: Write rabbitmq configuration before starting. 2022-01-25 01:48:05 +00:00
frontend_tests js: Convert _.without to filter or other logic. 2022-01-24 15:54:21 -08:00
locale i18n: Update translation data from Transifex. 2021-12-03 16:04:23 -08:00
pgroonga pgroonga: Remove unnecessary code from first migration. 2021-05-28 09:42:33 -07:00
puppet CVE-2021-43799: Write rabbitmq configuration before starting. 2022-01-25 01:48:05 +00:00
requirements mypy: Add types-beautifulsoup4. 2022-01-23 23:39:40 -08:00
scripts puppet: Always set the RabbitMQ nodename to zulip@localhost. 2022-01-25 01:48:02 +00:00
static compose: Fix bug where stream color didn't update on mouse selection. 2022-01-24 17:14:47 -08:00
stubs/taint mypy: Add types-stripe. 2022-01-23 22:47:30 -08:00
templates portico: Update contributor count from 700 to 1000. 2022-01-24 12:41:49 -08:00
tools install-shfmt: Upgrade shfmt from 3.4.1 to 3.4.2. 2022-01-24 15:55:38 -08:00
var/puppeteer puppeteer_tests: Port to TypeScript. 2021-02-22 16:03:10 -08:00
zerver api_docs: Add line break before return value description text. 2022-01-24 10:02:02 -08:00
zilencer zilencer: Add endpoint for deactivating remote server registration. 2022-01-21 14:57:04 -08:00
zproject computed_settings: Remove deprecated Jinja2 autoescape extension. 2022-01-13 21:03:00 -08:00
.browserslistrc browserslist: Drop 0.2% usage threshold to 0.15%. 2020-09-28 10:57:49 -07:00
.codecov.yml
.codespellignore CI: Add Codespell linter. 2021-10-27 16:49:30 -07:00
.editorconfig editorconfig: Restore indent_size = 2 for Markdown. 2021-08-20 23:14:37 -07:00
.eslintignore requirements: Remove Thumbor. 2021-05-06 20:07:32 -07:00
.eslintrc.json dependencies: Upgrade JavaScript dependencies. 2021-12-03 14:33:53 -08:00
.gitattributes git: Suppress diffs by default on giant Stripe API fixtures 2021-12-06 11:36:49 -08:00
.gitignore editor: Add `.vscode/extensions.json` file. 2021-10-29 15:47:44 -07:00
.gitlint lint: Re-enable imperative-mood checking. 2021-02-23 14:54:07 -08:00
.mailmap mailmap: Add mailmap entry for Yash RE. 2022-01-11 09:15:49 -08:00
.npmignore
.prettierignore prettier: Exclude backend-processed Markdown files. 2021-08-20 23:14:37 -07:00
.pyre_configuration pysa: Update .pyre_configuration to point to typeshed. 2020-09-22 15:44:47 -07:00
.sonarcloud.properties tools: Configure Zulip to be scannable by SonarCloud. 2020-06-24 12:41:17 -07:00
.yarnrc .yarnrc: Set ignore-scripts true. 2019-08-28 16:15:54 -07:00
CODE_OF_CONDUCT.md docs: Apply bullet style changes from Prettier. 2021-09-08 12:06:24 -07:00
CONTRIBUTING.md CONTRIBUTING: Update GSoC guide link. 2022-01-19 11:39:51 -08:00
Dockerfile-postgresql docs: Standardize on PostgreSQL, not Postgres. 2020-10-28 11:55:16 -07:00
LICENSE license: Move copyright notice from LICENSE to NOTICE. 2021-02-05 09:28:12 -08:00
NOTICE docs: Bump copyright year. 2021-02-05 09:28:15 -08:00
README.md portico: Update contributor count from 700 to 1000. 2022-01-24 12:41:49 -08:00
SECURITY.md SECURITY.md: Reorder and make clearer how to subscribe to announcements. 2022-01-07 15:56:26 -08:00
Vagrantfile Remove Ubuntu 18.04 support. 2022-01-21 17:26:14 -08:00
babel.config.js dependencies: Upgrade JavaScript dependencies. 2022-01-24 15:55:38 -08:00
manage.py manage: Restore `changepassword` back to documented_commands. 2021-06-18 09:11:01 -07:00
package.json dependencies: Upgrade JavaScript dependencies. 2022-01-24 15:55:38 -08:00
postcss.config.js css: Replace "night-mode-block" with "dark-theme-block". 2021-11-26 22:03:29 -08:00
prettier.config.js prettier: Disable embedded language formatting for Markdown. 2021-08-20 23:14:37 -07:00
pyproject.toml mypy: Add types-beautifulsoup4. 2022-01-23 23:39:40 -08:00
setup.cfg pycodestyle: Improve comments documenting excludes. 2021-02-12 13:11:25 -08:00
stylelint.config.js yarn: Add package which allows creating css mixins. 2021-12-09 18:15:18 -08:00
tsconfig.json tsconfig: Enable noImplicitOverride. 2021-09-13 10:10:34 -07:00
version.py install-shfmt: Upgrade shfmt from 3.4.1 to 3.4.2. 2022-01-24 15:55:38 -08:00
webpack.config.ts webpack: Remove LoaderOptionsPlugin. 2021-10-17 07:13:57 -07:00
yarn.lock dependencies: Upgrade JavaScript dependencies. 2022-01-24 15:55:38 -08:00

README.md

Zulip overview

Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. Fortune 500 companies, leading open source projects, and thousands of other organizations use Zulip every day. Zulip is the only modern team chat app that is designed for both live and asynchronous conversations.

Zulip is built by a distributed community of developers from all around the world, with 74+ people who have each contributed 100+ commits. With over 1000 contributors merging over 500 commits a month, Zulip is the largest and fastest growing open source team chat project.


Getting started

Click on the appropriate link below. If nothing seems to apply, join us on the Zulip community server and tell us what's up!

You might be interested in:

You may also be interested in reading our blog or following us on Twitter. Zulip is distributed under the Apache 2.0 license.