Zulip changelog

Changelog History

Page 2

• v2.1.6 Changes

  June 17, 2020

  2.1.6 -- 2020-06-17

  • 🛠 Fixed use of Python 3.6+ syntax in 2.1.5 release that prevented
    installation on Ubuntu Xenial.

• v2.1.5 Changes

  June 17, 2020

  2.1.5 -- 2020-06-16

  • CVE-2020-12759: Fix reflected XSS vulnerability in Dropbox webhook.
  • CVE-2020-14194: Prevent reverse tabnapping via topic header links.
  • 🛠 CVE-2020-14215: Fixed use of invitation role data from expired
    invitations on signup via external authentication methods.
  • CVE-2020-14215: Fixed buggy 0198_preregistrationuser_invited_as
    🚀 database migration from the 2.0.0-rc1 release, which incorrectly added
    the administrator role to invitations.
  • CVE-2020-14215: Added migration to clear the administrator role from
    any invitation objects already corrupted by the buggy version of the
    0198_preregistrationuser_invited_as migration.
  • 🛠 Fixed missing quoting of certain attributes in HTML templates.
  • 👍 Allow /etc/zulip to be a symlink (for docker-zulip).
  • 🚀 Disabled access from insecure Zulip Desktop releases below version 5.2.0.
  • 📚 Adjusted Slack import documentation to help administrators avoid OOM
    kills when doing Slack import on low-RAM systems.
  • 🛠 Fixed a race condition fetching users' personal API keys.
  • 🛠 Fixed a few bugs with Slack data import.

• v2.1.4 Changes

  April 16, 2020

  • 🛠 Fixed a regression in 2.1.3 that impacted creating the very first
    organization via our data import tools.
  • ✂ Remove the old tsearch_extras postgres extension, which was causing
    👻 an exception restoring backups on fresh Zulip servers that had been
    🚀 generated on systems that had been upgraded from older Zulip releases.
  • ✂ Removed fetching GitHub contributor data from static asset build
    ⬆️ process. This makes upgrade-zulip-from-git much more reliable.
  • ⚡️ Updated translation data from Transifex.
  • 👌 Support for Ubuntu 16.04 Xenial and Debian 9 Stretch is now deprecated.

• v2.1.3 Changes

  April 01, 2020

  2.1.3 -- 2020-04-01

  • CVE-2020-9444: Prevent reverse tabnapping attacks.
  • 🚚 CVE-2020-9445: Remove unused and insecure modal_link feature.
  • CVE-2020-10935: Fix XSS vulnerability in local link rewriting.
  • Blocked access from Zulip Desktop versions below 5.0.0. This
    behavior can be adjusted by editing DESKTOP_*_VERSION
    🚀 in /home/zulip/deployments/current/version.py.
  • Restructured server initialization to simplify initialization of
    🐳 Docker containers (eliminating common classes of user error).
  • ✂ Removed buggy feedback bot (ENABLE_FEEDBACK).
  • Migrated GitHub authentication to use the current encoding.
  • 🛠 Fixed support for restoring a backup on a different minor release
    (in the common case they have the same database schema).
  • 🛠 Fixed restoring backups with memcached authentication enabled.
  • 🛠 Fixed preview content (preheaders) for many emails.
  • 🛠 Fixed buggy text in missed-message emails with PM content disabled.
  • 🛠 Fixed buggy loading spinner in "emoji format" widget.
  • 🛠 Fixed sorting and filtering users in organization settings.
  • 🛠 Fixed handling of links to deleted streams.
  • 🛠 Fixed check-rabbitmq-consumers monitoring.
  • 🛠 Fixed copy-to-clipboard button for outgoing webhook bots.
  • 🛠 Fixed logging spam from soft_deactivation cron job.
  • 🛠 Fixed email integration handling of emails with nested MIME structure.
  • 🛠 Fixed unicode bugs in incoming email integration.
  • 🛠 Fixed error handling for Slack data import.
  • 🛠 Fixed incoming webhook support for AWX 9.x.y.
  • 🛠 Fixed a couple missing translation tags.
  • 🛠 Fixed "User groups" settings UI bug for administrators.
  • 🛠 Fixed data import tool to reset resource limits after importing
    🆓 data from a free plan organization on zulipchat.com.
  • 🔄 Changed the SAML default signature algorithm to SHA-256, overriding
    0️⃣ the SHA-1 default used by python3-saml.

• v2.1.2 Changes

  January 16, 2020

  2.1.2 -- 2020-01-16

  • Corrected fix for CVE-2019-19775 (the original fix was affected by
    🔒 an unfixed security bug in Python's urllib, CVE-2015-2104).
  • Migrated data for handling replies to missed-message emails from
    semi-persistent redis to the fully persistent database.
  • ➕ Added authentication for redis and memcached even in configurations
    where these are running on localhost, for add hardening against
    attacks from malicious processes running on the Zulip server.
  • 👌 Improved logging for misconfigurations of LDAP authentication.
  • 👌 Improved error handling for invalid LDAP configurations.
  • 👌 Improved error tracebacks for invalid memcached keys.
  • 🛠 Fixed support for using LDAP with email address visibility
    limited to administrators.
  • 🛠 Fixed styling of complex markup within /me messages.
  • 🛠 Fixed left sidebar duplicating some group private message threads.
  • 🛠 Fixed the "Mentions" narrow being unable to mark messages as read.
  • 🛠 Fixed error handling bug preventing rerunning the installer.
  • 🛠 Fixed a few minor issues with migrations for upgrading from 2.0.x.

• v2.1.1 Changes

  December 14, 2019

  2.1.1 -- 2019-12-13

  • 🛠 Fixed upgrading to 2.1.x with the LDAP integration enabled in a
    configuration where AUTH_LDAP_REVERSE_EMAIL_SEARCH is newly
    required, but is not yet set.
  • Reimplemented --postgres-missing-dictionaries installer option,
    👉 used with our new support for a DBaaS managed database.
  • Improved documentation for AUTH_LDAP_REVERSE_EMAIL_SEARCH.

• v2.1.0 Changes

  December 13, 2019

  2.1.0 -- 2019-12-12

  Highlights:

  • ➕ Added support for Debian buster. Removed support for EOL Ubuntu Trusty.
  • ➕ Added support for SAML authentication.
  • ✂ Removed our dependency on tsearch_extras, making it possible to
    ⚙ run a production Zulip server against any postgres database
    (including those where one cannot install extensions, like Amazon RDS).
  • Significantly improved the email->Zulip gateway, and added nice
    📚 setup documentation. It now should be possible to subscribe a
    Zulip stream to an email list and have a good experience.
  • ➕ Added an option for hiding access to user email addresses from
    other users. While counterproductive for most corporate
    communities, for open source projects and other volunteer
    🚑 organizations, this can be a critical anti-spam feature.
  • ➕ Added a new setting controlling which unread messages are counted in
    the favicon, title, and desktop app.
  • 👌 Support for showing inline previews of linked webpages has moved
    ⬆️ from alpha to beta. See the upgrade notes below for some changes in
    🔧 how it is configured.
  • ➕ Added support for importing an organization from Mattermost (similar
    to existing Slack/HipChat/Gitter import tools). Slack import now
    👌 supports importing data only included in corporate exports,
    including private messages and shared channels.
  • ➕ Added markdown support and typeahead for mentioning topics.
  • Email notifications have been completely redesigned with a minimal,
    💅 readable style inspired by GitHub's email notifications.
  • 🔀 We merged significant preparatory work for supporting RHEL/CentOS in
    ✅ production. We're now interested in beta testers for this feature.
  • 📚 Reorganized Zulip's documentation for sysadmins, and added
    📚 new documentation on maintaining a fork of Zulip.
  • ➕ Added new streams:public search operator that searches the public
    history of all streams in the organization (even before you joined).
  • ➕ Added support for sending email and mobile push notifications for
    wildcard mentions (@ALL and @everyone). Previously, they only
    🔧 triggered desktop notifications; now, that's configurable.

  ⬆️ Upgrade notes:

  0️⃣ The defaults for Zulip's now beta inline URL preview setting have changed.
  Previously, the server-level INLINE_URL_EMBED_PREVIEW setting was
  disabled, and organization-level setting was enabled. Now, the
  0️⃣ server-level setting is enabled by default, and the organization-level
  setting is disabled. As a result, organization administrators can
  🔧 configure this feature entirely in the UI. However, servers that had
  previously enabled previews of linked websites will lose the setting and
  need to re-enable it.

  We rewrote the Google Authentication backend to use the
  python-social-auth system we use for other third-party
  🚀 authentication systems. For this release, the old variable names
  ⚡️ still work, but users should update the following setting names in
  🔧 their configuration as we will desupport the old names in a future
  🚀 release:

  • In /etc/zulip/zulip-secrets.conf, google_oauth2_client_secret
    is now called with social_auth_google_secret.
  • In /etc/zulip/settings.py, GOOGLE_OAUTH2_CLIENT_ID should be
    replaced with SOCIAL_AUTH_GOOGLE_KEY.
  • In /etc/zulip/settings.py, GoogleMobileOauth2Backend should
    be replaced with called GoogleAuthBackend.

  Installations using Zulip's LDAP integration without
  LDAP_APPEND_DOMAIN will need to configure two new settings telling
  Zulip how to look up a user in LDAP given their email address:
  AUTH_LDAP_REVERSE_EMAIL_SEARCH and AUTH_LDAP_USERNAME_ATTR. See
  🔧 the LDAP configuration instructions
  for details. You can use the usual manage.py query_ldap method to
  👌 verify whether your configuration is working correctly.

  🌐 The Zulip web and desktop apps have been converted to directly count
  all unread messages, replacing an old system that just counted the
  (recent) messages fully fetched by the webapp. This one-time
  transition may cause some users to notice old messages that were
  sent months or years ago "just became unread". What actually
  happened is the user never read these messages, and the Zulip webapp
  was not displaying that. Generally, the fix is for users to simply
  mark those messages as read as usual.

  Previous versions of Zulip's installer would generate the secrets
  local_database_password and initial_password_salt. These
  secrets don't do anything, as they only modify behavior of a Zulip
  development environment. We recommend deleting those lines from
  ⬆️ /etc/zulip/zulip-secrets.conf when you upgrade to avoid confusion.

  🚀 This release has a particularly expensive database migration,
  changing the UserMessage.id field from an int to a bigint to
  👌 support more than 2 billion message deliveries on a Zulip server.
  It runs in 2 phases: A first migration that doesn't require the
  server to be down (which took about 4 hours to process the 250M rows
  on chat.zulip.org, and a second migration that does require downtime
  (which took about 60 seconds for chat.zulip.org). You can check the
  number of rows for your server with UserMessage.objects.count().

  We expect that most Zulip servers can happily just use the normal
  ⬆️ upgrade process with a few minutes of downtime. Zulip servers with
  ⬆️ over 1M messages may want to first upgrade to this commit
  ⬆️ using upgrade-zulip-from-git, following the instructions to avoid
  🚀 downtime, and then upgrade to the new release.

  Full feature changelog:

  • ➕ Added sortable columns to all tables in settings pages.
  • ➕ Added webapp support for self-service public data exports.
  • ➕ Added 'e' keyboard shortcut for editing currently selected message.
  • ➕ Added support for unstarring all starred messages.
  • ➕ Added support for using | as an OR operator in sidebar search features.
  • ➕ Added direct download links for Android APKs to our /apps page.
  • ➕ Added a responsive design for our /integrations/ pages.
  • ➕ Added typeahead for slash commands.
  • ➕ Added more expansive moderation settings for who can create streams,
    edit user groups, or invite other users to join streams.
  • ➕ Added new Bitbucket Server, Buildbot, Harbor, Gitea and Redmine integrations.
  • ➕ Added proper open graph tags for linking to a Zulip organization.
  • ➕ Added organization setting to disable users uploading new avatars
    🔀 (for use with LDAP synchronization).
  • ➕ Added support for completely disabling the file upload feature.
  • ➕ Added a new "external account" custom profile field type, making it
    convenient to link to profiles on GitHub, Twitter, and other tools.
  • ➕ Added support for choosing which email address to use in GitHub auth.
  • ➕ Added a new setting to control whether inactive streams are demoted.
  • ➕ Added webapp support for new desktop app features: inline reply
    from notifications, and detecting user presence from OS APIs.
  • ➕ Added markdown support for headings, implemented using # heading,
    🚚 and removed several other unnecessary differences from CommonMark.
  • ➕ Added local echo when editing messages for a more responsive experience.
  • 🔄 Changes to global notification settings for stream messages now
    affect existing subscriptions where the user had not explicitly
    🔄 changed the notification settings, as expected.
  • 0️⃣ The default setting value is now to send mobile push notifications
    if the user was recently online.
  • 🛠 Fixed issues with positioning and marking messages as read when
    doing a search where some results are unread messages.
  • The private messages widget shows much deeper history of private
    message conversations in a scrollable widget (1K PMs of history).
  • When there are dozens of unread topics, topic lists in the left
    sidebar now show at most 8 topics, with the rest behind "more topics".
  • 🆕 New users now see their most recent 20 messages as unread, to
    👍 provide a better onboarding experience.
  • Redesigned the in-app "keyboard shortcuts" popover to be more usable.
  • Redesigned the interactions on several settings pages.
  • Significantly improved the visual spacing around bulleted lists,
    blockquotes, and code blocks in Zulip's message feed.
  • Extended buttons to visit links in topics to all URLs, not just
    URLs added by a linkifier.
  • Extended several integrations to cover more events and fix bugs, and
    rewrote formatting for dozens of integraitons for cleaner punctuation.
  • The beta "weekly digest emails" feature is again available as an
    🔧 organization-level configuration option, after several improvements.
  • 💻 The administrative UI for managing bots now nicely links to the
    bot's owner.
  • Restructured "private messages" widget to have a cleaner design.
  • 🐎 Significantly improved performance of the backend markdown processor.
  • 📚 Significantly improved Help Center documentation of dozens of features.
  • Simplified and internationalized some notification bot messages.
  • The compose box placeholder now shows users active status.
  • Clicking the "EDITED" text on a message now pops message edit history.
  • 0️⃣ Adjusted the default streams in new realms to be easier to
    understand for new users.
  • 👌 Improved default nginx TLS settings for stronger security.
  • 👌 Improved UI of administrative user management UI.
  • 👌 Improved error messages for various classes of invalid searches.
  • 👌 Improved styling of both markdown unordered and numbered lists.
  • Compose typeahead now autofills stream field if only subscribed to
    one stream.
  • Bot users can now post to announcement-only streams if their owners
    🔒 can (this preserves the pre-existing security model).
  • 👉 User full names now must use characters valid in an email from line.
  • 0️⃣ Settings pages that normal users cannot modify are now hidden by default.
  • The has:link, has:attachment, and has:image search keywords
    have been redesigned to correctly handle corner cases like links in
    code blocks.
  • Replaced title attributes with nice tooltips in the message feed and
    buddy list.
  • 🛠 Fixed incorrect caching settings for the Zulip API, which could result
    in browers appearing to display old content or remark messages unread.
  • 🛠 Fixed a bug that prevented sending mobile push notifications when the
    👉 user was recently online via the mobile app.
  • 🛠 Fixed buggy handling of LaTeX in quote-and-reply.
  • 🛠 Fixed buggy rendering of bulleted lists inside blockquotes.
  • 🛠 Fixed several bugs with CORS in the nginx configuration.
  • 🛠 Fixed error message for GitHub login attempts with a deactivated account.
  • 🛠 Fixed email gateway issues with non-latin characters in stream names.
  • 🛠 Fixed endless re-synchronization of LDAP user avatars (which
    🐎 could cause user-visible performance issues for desktop/web clients).
  • 🛠 Fixed all known bugs with advanced LDAP data synchronization.
  • 🛠 Fixed numbered list handling of blank lines between blocks.
  • 🛠 Fixed performance issues that made users soft-deactivated for over a
    year unable to return to the app.
  • 🛠 Fixed missing -X GET/POST parameters in API docs curl examples. The
    📚 API documentation for curl examples is now automatically generated
    ✅ with automated tests for the examples to prevent future similar bugs.
  • 🛠 Fixed multi-line /me messages only working for the sender.
  • 🛠 Fixed password strength meter not updating on paste.
  • 🛠 Fixed numerous errors and omissions in the API documentation. Added
    📚 a test suite comparing the API documentation to the implementation.
  • 🛠 Fixed copy/paste of blocks of messages in Firefox.
  • 🛠 Fixed problems with exception reporting when memcached is down.
  • 🛠 Fixed pinned streams being incorrectly displayed as inactive.
  • 🛠 Fixed password reset page CSS for desktop app.
  • 🛠 Fixed "more topics" appearing for new streams, where we can be
    💻 confident we already have all the topics cached in the browser.
  • 🛠 Fixed some subtle bugs with event queues and message editing.
  • 🛠 Fixed real-time sync for reactions and message edits on a message
    sent to a private stream with shared history before the current user
    joined that stream.
  • 🛠 Fixed several subtle real-time sync issues with "stream settings".
  • 🛠 Fixed a few subtle markdown processor bugs involving emoji.
  • 🛠 Fixed several issues where Linkifiers validation was overly restrictive.
  • 🛠 Fixed several rare/minor UI consistency issues in the left sidebar.
  • 🛠 Fixed issues involving saving a message edit before file upload completes.
  • 🛠 Fixed issues with pasting images into the compose box from Safari.
  • 🛠 Fixed email gateway bot being created with incorrectly cached permissions.
  • 🛠 Fixed guest users seeing UI widgets they can't use.
  • 🛠 Fixed several issues with click handlers incorrectly closing compose.
  • 🛠 Fixed buggy behavior of /me messages not ending with a paragraph.
  • 🛠 Fixed several major UI issues with the mobile webapp.
  • 🛠 Fixed HTML styling when copy-pasting content out of Zulip's night theme.
  • 🛠 Fixed obscure traceback with Virtualenv 16.0.0 unexpectedly installed.
  • ➕ Added a new visual tool for testing webhook integrations.
  • Rewrote the Google authentication backend to use python-social-auth,
    removing Zulip's original 2013-era SSO authentication backend.
  • 👍 The /server_settings API now advertises supported authentication
    methods alongside details on how to render login/registration buttons.
  • Rewrote HTML/CSS markup for various core components to be more
    easily modified.
  • ✂ Removed the legacy static asset pipeline; everything now uses webpack.
  • 📇 Renamed the system bot Zulip realm to "zulipinternal" (was "zulip").
  • Switched our scrollbars to use simplebar, fixing many subtle
    scrollbar-related bugs in the process.
  • Enabled webpack code splitting and deduplication.
  • Started migrating our frontend codebase to TypeScript.

• v2.1.0-rc1 Changes

  November 22, 2019

  🚀 Release Zulip server 2.1.0-rc1.

• v2.0.8 Changes

  December 13, 2019

  2.0.8 -- 2019-12-12

  • CVE-2019-19775: Close open redirect in thumbnail view.

• v2.0.7 Changes

  November 21, 2019

  2.0.7 -- 2019-11-21

  • CVE-2019-18933: Fix insecure account creation via social authentication.
  • ➕ Added backend enforcement of zxcvbn password strength checks.

• « First
• ‹ Prev
• 1
• 2
• 3
• 4
• Next ›
• Last »