Zulip v2.1.5 Release Notes
Release Date: 2020-06-17
2.1.5 -- 2020-06-16
- CVE-2020-12759: Fix reflected XSS vulnerability in Dropbox webhook.
- CVE-2020-14194: Prevent reverse tabnapping via topic header links.
- CVE-2020-14215: Fixed use of invitation role data from expired invitations on signup via external authentication methods.
- CVE-2020-14215: Fixed buggy 0198_preregistrationuser_invited_as database migration from the 2.0.0-rc1 release, which incorrectly added the administrator role to invitations.
- CVE-2020-14215: Added migration to clear the administrator role from any invitation objects already corrupted by the buggy version of the 0198_preregistrationuser_invited_as migration.
- Fixed missing quoting of certain attributes in HTML templates.
- Allow /etc/zulip to be a symlink (for docker-zulip).
- Disabled access from insecure Zulip Desktop releases below version 5.2.0.
- Adjusted Slack import documentation to help administrators avoid OOM kills when doing Slack import on low-RAM systems.
- Fixed a race condition fetching users' personal API keys.
- Fixed a few bugs with Slack data import.