Zulip Server 4.10 Security Release: CVE-2022-21706 Reusable Invitation Links Vulnerability

Zulip Server 4.10 Security Release Key Information: - Released , a security release, including important security fixes and bug fixes since Zulip Server 4.9. Upgrade Instructions: - Strongly recommended for all installations. Upgrade documentation available on the Zulip website. Support available on . Operating System Reminder: - Deprecated support for Ubuntu 18.04 Bionic due to lack of upstream security support for important Zulip dependencies. Recommended to upgrade Zulip servers running on Ubuntu 18.04. OS upgrade documentation provided. Notable Changes: - Fixed: - Reusable invitation links vulnerability ( ), could be misused for other organizations. - Enforced regeneration of API key using an API key, not a cookie ( ). - Bug with tool sometimes failing to find necessary libraries. - PostgreSQL pinned to specific versions to avoid regression with PGronga affecting database queries. - ARM64 support (wal-g binary not yet supported). CVE-2022-21706 Details: - Vulnerability identified with reusable invitation links, allowing users to join organizations without invitations and potentially bypass domain restrictions or gain elevated permissions. - Only affects installations hosting multiple Zulip organizations, like . - Investigation shows no evidence of active exploitation prior to disclosure. Customers with a Zulip support contract can request assistance.

Goal Reached Thanks to every supporter — we hit 100%!

Zulip Server 4.10 Security Release: CVE-2022-21706 Reusable Invitation Links Vulnerability