Zulip
Open-source team chat with unique topic-based threading
Alternative to: slack, microsoft teams, discord
About
Versions (100)
5.7
2022-11-165.7 — 2022-11-16
- CVE-2022-41914: Fixed the verification of the SCIM account management bearer tokens to use a constant-time comparator. Zulip Server 5.0 through 5.6 checked SCIM bearer tokens using a comparator that did not run in constant time. For organizations with SCIM account management enabled, this bug theoretically allowed an attacker to steal the SCIM bearer token, and use it to read and update the Zulip organization’s user accounts. In practice, this vulnerability may not have been practical or exploitable. Zulip Server installations which have not explicitly enabled SCIM are not affected.
- Fixed an error with deactivating users with
manage.py sync_ldap_user_datawhenLDAP_DEACTIVATE_NON_MATCHING_USERSwas enabled. - Fixed several subtle bugs that could lead to browsers reloading repeatedly when the server was updated.
- Fixed a live-update bug when changing certain notifications settings.
- Improved error logs when sending push notifications to the push notifications service fails.
- Upgraded Python requirements.