Changelog History

  • v2.1.6 Changes

    June 17, 2020

    2.1.6 -- 2020-06-17

    • Fixed use of Python 3.6+ syntax in 2.1.5 release that prevented
      installation on Ubuntu Xenial.
  • v2.1.5 Changes

    June 17, 2020

    2.1.5 -- 2020-06-16

    • CVE-2020-12759: Fix reflected XSS vulnerability in Dropbox webhook.
    • CVE-2020-14194: Prevent reverse tabnabbing via topic header links.
    • CVE-2020-14215: Fixed use of invitation role data from expired
      invitations on signup via external authentication methods.
    • CVE-2020-14215: Fixed buggy 0198_preregistrationuser_invited_as
      database migration from the 2.0.0-rc1 release, which incorrectly added
      the administrator role to invitations.
    • CVE-2020-14215: Added migration to clear the administrator role from
      any invitation objects already corrupted by the buggy version of the
      0198_preregistrationuser_invited_as migration.
    • Fixed missing quoting of certain attributes in HTML templates.
    • Allow /etc/zulip to be a symlink (for docker-zulip).
    • Disabled access from insecure Zulip Desktop releases below version 5.2.0.
    • Adjusted Slack import documentation to help administrators avoid OOM
      kills when doing Slack import on low-RAM systems.
    • Fixed a race condition fetching users' personal API keys.
    • Fixed a few bugs with Slack data import.
  • v2.1.4 Changes

    April 16, 2020

    • Fixed a regression in 2.1.3 that impacted creating the very first
      organization via our data import tools.
    • Remove the old tsearch_extras postgres extension, which was causing
      an exception restoring backups on fresh Zulip servers that had been
      generated on systems that had been upgraded from older Zulip releases.
    • Removed fetching GitHub contributor data from static asset build
      process. This makes upgrade-zulip-from-git much more reliable.
    • Updated translation data from Transifex.
    • Support for Ubuntu 16.04 Xenial and Debian 9 Stretch is now deprecated.
  • v2.1.3 Changes

    April 01, 2020

    2.1.3 -- 2020-04-01

    • CVE-2020-9444: Prevent reverse tabnabbing attacks.
    • CVE-2020-9445: Remove unused and insecure modal_link feature.
    • CVE-2020-10935: Fix XSS vulnerability in local link rewriting.
    • Blocked access from Zulip Desktop versions below 5.0.0. This
      behavior can be adjusted by editing DESKTOP_*_VERSION
      in /home/zulip/deployments/current/
    • Restructured server initialization to simplify initialization of
      Docker containers (eliminating common classes of user error).
    • Removed buggy feedback bot (ENABLE_FEEDBACK).
    • Migrated GitHub authentication to use the current encoding.
    • Fixed support for restoring a backup on a different minor release
      (in the common case they have the same database schema).
    • Fixed restoring backups with memcached authentication enabled.
    • Fixed preview content (preheaders) for many emails.
    • Fixed buggy text in missed-message emails with PM content disabled.
    • Fixed buggy loading spinner in "emoji format" widget.
    • Fixed sorting and filtering users in organization settings.
    • Fixed handling of links to deleted streams.
    • Fixed check-rabbitmq-consumers monitoring.
    • Fixed copy-to-clipboard button for outgoing webhook bots.
    • Fixed logging spam from soft_deactivation cron job.
    • Fixed email integration handling of emails with nested MIME structure.
    • Fixed unicode bugs in incoming email integration.
    • Fixed error handling for Slack data import.
    • Fixed incoming webhook support for AWX 9.x.y.
    • Fixed a couple missing translation tags.
    • Fixed "User groups" settings UI bug for administrators.
    • Fixed data import tool to reset resource limits after importing
      data from a free plan organization on
    • Changed the SAML default signature algorithm to SHA-256, overriding
      the SHA-1 default used by python3-saml.
  • v2.1.2 Changes

    January 16, 2020

    2.1.2 -- 2020-01-16

    • Corrected fix for CVE-2019-19775 (the original fix was affected by
      an unfixed security bug in Python's urllib, CVE-2015-2104).
    • Migrated data for handling replies to missed-message emails from
      semi-persistent redis to the fully persistent database.
    • Added authentication for redis and memcached even in configurations
      where these are running on localhost, for added hardening against
      attacks from malicious processes running on the Zulip server.
    • Improved logging for misconfigurations of LDAP authentication.
    • Improved error handling for invalid LDAP configurations.
    • Improved error tracebacks for invalid memcached keys.
    • Fixed support for using LDAP with email address visibility
      limited to administrators.
    • Fixed styling of complex markup within /me messages.
    • Fixed left sidebar duplicating some group private message threads.
    • Fixed the "Mentions" narrow being unable to mark messages as read.
    • Fixed error handling bug preventing rerunning the installer.
    • Fixed a few minor issues with migrations for upgrading from 2.0.x.
  • v2.1.1 Changes

    December 14, 2019

    2.1.1 -- 2019-12-13

    • Fixed upgrading to 2.1.x with the LDAP integration enabled in a
      configuration where AUTH_LDAP_REVERSE_EMAIL_SEARCH is newly
      required, but is not yet set.
    • Reimplemented --postgres-missing-dictionaries installer option,
      used with our new support for a DBaaS managed database.
    • Improved documentation for AUTH_LDAP_REVERSE_EMAIL_SEARCH.
  • v2.1.0 Changes

    December 13, 2019

    2.1.0 -- 2019-12-12

    • Added support for Debian buster. Removed support for EOL Ubuntu Trusty.
    • Added support for SAML authentication.
    • Removed our dependency on tsearch_extras, making it possible to
      run a production Zulip server against any postgres database
      (including those where one cannot install extensions, like Amazon RDS).
    • Significantly improved the email->Zulip gateway, and added nice
      setup documentation. It now should be possible to subscribe a
      Zulip stream to an email list and have a good experience.
    • Added an option for hiding access to user email addresses from
      other users. While counterproductive for most corporate
      communities, for open source projects and other volunteer
      organizations, this can be a critical anti-spam feature.
    • Added a new setting controlling which unread messages are counted in
      the favicon, title, and desktop app.
    • Support for showing inline previews of linked webpages has moved
      from alpha to beta. See the upgrade notes below for some changes in
      how it is configured.
    • Added support for importing an organization from Mattermost (similar
      to existing Slack/HipChat/Gitter import tools). Slack import now
      supports importing data only included in corporate exports,
      including private messages and shared channels.
    • Added markdown support and typeahead for mentioning topics.
    • Email notifications have been completely redesigned with a minimal,
      readable style inspired by GitHub's email notifications.
    • We merged significant preparatory work for supporting RHEL/CentOS in
      production. We're now interested in beta testers for this feature.
    • Reorganized Zulip's documentation for sysadmins, and added
      new documentation on maintaining a fork of Zulip.
    • Added new streams:public search operator that searches the public
      history of all streams in the organization (even before you joined).
    • Added support for sending email and mobile push notifications for
      wildcard mentions (@ALL and @everyone). Previously, they only
      triggered desktop notifications; now, that's configurable.

    Upgrade notes:

    The defaults for Zulip's now beta inline URL preview setting have changed.
    Previously, the server-level INLINE_URL_EMBED_PREVIEW setting was
    disabled, and organization-level setting was enabled. Now, the
    server-level setting is enabled by default, and the organization-level
    setting is disabled. As a result, organization administrators can
    configure this feature entirely in the UI. However, servers that had
    previously enabled previews of linked websites will lose the setting and
    need to re-enable it.

    We rewrote the Google Authentication backend to use the
    python-social-auth system we use for other third-party
    authentication systems. For this release, the old variable names
    still work, but users should update the following setting names in
    their configuration as we will desupport the old names in a future
    release:

    • In /etc/zulip/zulip-secrets.conf, google_oauth2_client_secret
      is now called social_auth_google_secret.
    • In /etc/zulip/, GOOGLE_OAUTH2_CLIENT_ID should be
      replaced with SOCIAL_AUTH_GOOGLE_KEY.
    • In /etc/zulip/, GoogleMobileOauth2Backend should
      be replaced with GoogleAuthBackend.

    Installations using Zulip's LDAP integration without
    LDAP_APPEND_DOMAIN will need to configure two new settings telling
    Zulip how to look up a user in LDAP given their email address:
    the LDAP configuration instructions
    for details. You can use the usual query_ldap method to
    verify whether your configuration is working correctly.

    The Zulip web and desktop apps have been converted to directly count
    all unread messages, replacing an old system that just counted the
    (recent) messages fully fetched by the webapp. This one-time
    transition may cause some users to notice old messages that were
    sent months or years ago "just became unread". What actually
    happened is the user never read these messages, and the Zulip webapp
    was not displaying that. Generally, the fix is for users to simply
    mark those messages as read as usual.

    Previous versions of Zulip's installer would generate the secrets
    local_database_password and initial_password_salt. These
    secrets don't do anything, as they only modify behavior of a Zulip
    development environment. We recommend deleting those lines from
    /etc/zulip/zulip-secrets.conf when you upgrade to avoid confusion.

    This release has a particularly expensive database migration,
    changing the field from an int to a bigint to
    support more than 2 billion message deliveries on a Zulip server.
    It runs in 2 phases: A first migration that doesn't require the
    server to be down (which took about 4 hours to process the 250M rows
    on, and a second migration that does require downtime
    (which took about 60 seconds for You can check the
    number of rows for your server with UserMessage.objects.count().

    We expect that most Zulip servers can happily just use the normal
    upgrade process with a few minutes of downtime. Zulip servers with
    over 1M messages may want to first upgrade to this commit
    using upgrade-zulip-from-git, following the instructions to avoid
    downtime, and then upgrade to the new release.
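
    An added example, not part of the Zulip changelog or code base: a small
    audit that applies the two configuration cleanups from the upgrade notes
    above (the Google authentication renames and the development-only
    secrets) to the text of a server's configuration files. The function
    names, the sample inputs and the example.backends module path are
    constructed for illustration; the settings file is passed in as text.

```python
import configparser
import io
import re
import tokenize

# Renames listed in the 2.1.0 upgrade notes: old name -> new name.
SECRET_RENAMES = {"google_oauth2_client_secret": "social_auth_google_secret"}
SETTING_RENAMES = {
    "GOOGLE_OAUTH2_CLIENT_ID": "SOCIAL_AUTH_GOOGLE_KEY",
    "GoogleMobileOauth2Backend": "GoogleAuthBackend",
}
# Secrets the notes say only affect a development environment.
UNUSED_SECRETS = {"local_database_password", "initial_password_salt"}


def audit_secrets(conf_text):
    """Return sorted (key, advice) pairs for the body of zulip-secrets.conf."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        for key in parser.options(section):
            if key in SECRET_RENAMES:
                findings.append((key, "rename to " + SECRET_RENAMES[key]))
            elif key in UNUSED_SECRETS:
                findings.append((key, "development-only; delete the line"))
    return sorted(findings)


def audit_settings(py_text):
    """Return (line, old, new) for old names in live code of a settings file."""
    # Tokenizing skips commented-out lines but still catches names that
    # appear inside string literals (dotted backend paths).
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(py_text).readline):
        if tok.type not in (tokenize.NAME, tokenize.STRING):
            continue
        for old, new in SETTING_RENAMES.items():
            if re.search(r"\b" + re.escape(old) + r"\b", tok.string):
                findings.append((tok.start[0], old, new))
    return findings


# Constructed sample inputs (not taken from a real server).
SAMPLE_SECRETS = """\
[secrets]
google_oauth2_client_secret = constructed-value
local_database_password = constructed-value
initial_password_salt = constructed-value
secret_key = constructed-value
"""
SAMPLE_SETTINGS = """\
AUTHENTICATION_BACKENDS = (
    'example.backends.EmailAuthBackend',
    'example.backends.GoogleMobileOauth2Backend',
    # 'example.backends.GoogleMobileOauth2Backend',
)
GOOGLE_OAUTH2_CLIENT_ID = 'constructed-client-id'
"""

if __name__ == "__main__":
    for finding in audit_secrets(SAMPLE_SECRETS) + audit_settings(SAMPLE_SETTINGS):
        print(finding)
```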

    Full feature changelog:

    • Added sortable columns to all tables in settings pages.
    • Added webapp support for self-service public data exports.
    • Added 'e' keyboard shortcut for editing currently selected message.
    • Added support for unstarring all starred messages.
    • Added support for using | as an OR operator in sidebar search features.
    • Added direct download links for Android APKs to our /apps page.
    • Added a responsive design for our /integrations/ pages.
    • Added typeahead for slash commands.
    • Added more expansive moderation settings for who can create streams,
      edit user groups, or invite other users to join streams.
    • Added new Bitbucket Server, Buildbot, Harbor, Gitea and Redmine integrations.
    • Added proper open graph tags for linking to a Zulip organization.
    • Added organization setting to disable users uploading new avatars
      (for use with LDAP synchronization).
    • Added support for completely disabling the file upload feature.
    • Added a new "external account" custom profile field type, making it
      convenient to link to profiles on GitHub, Twitter, and other tools.
    • Added support for choosing which email address to use in GitHub auth.
    • Added a new setting to control whether inactive streams are demoted.
    • Added webapp support for new desktop app features: inline reply
      from notifications, and detecting user presence from OS APIs.
    • Added markdown support for headings, implemented using # heading,
      and removed several other unnecessary differences from CommonMark.
    • Added local echo when editing messages for a more responsive experience.
    • Changes to global notification settings for stream messages now
      affect existing subscriptions where the user had not explicitly
      changed the notification settings, as expected.
    • The default setting value is now to send mobile push notifications
      if the user was recently online.
    • Fixed issues with positioning and marking messages as read when
      doing a search where some results are unread messages.
    • The private messages widget shows much deeper history of private
      message conversations in a scrollable widget (1K PMs of history).
    • When there are dozens of unread topics, topic lists in the left
      sidebar now show at most 8 topics, with the rest behind "more topics".
    • New users now see their most recent 20 messages as unread, to
      provide a better onboarding experience.
    • Redesigned the in-app "keyboard shortcuts" popover to be more usable.
    • Redesigned the interactions on several settings pages.
    • Significantly improved the visual spacing around bulleted lists,
      blockquotes, and code blocks in Zulip's message feed.
    • Extended buttons to visit links in topics to all URLs, not just
      URLs added by a linkifier.
    • Extended several integrations to cover more events and fix bugs, and
      rewrote formatting for dozens of integrations for cleaner punctuation.
    • The beta "weekly digest emails" feature is again available as an
      organization-level configuration option, after several improvements.
    • The administrative UI for managing bots now nicely links to the
      bot's owner.
    • Restructured "private messages" widget to have a cleaner design.
    • Significantly improved performance of the backend markdown processor.
    • Significantly improved Help Center documentation of dozens of features.
    • Simplified and internationalized some notification bot messages.
    • The compose box placeholder now shows users' active status.
    • Clicking the "EDITED" text on a message now pops message edit history.
    • Adjusted the default streams in new realms to be easier to
      understand for new users.
    • Improved default nginx TLS settings for stronger security.
    • Improved UI of administrative user management UI.
    • Improved error messages for various classes of invalid searches.
    • Improved styling of both markdown unordered and numbered lists.
    • Compose typeahead now autofills stream field if only subscribed to
      one stream.
    • Bot users can now post to announcement-only streams if their owners
      can (this preserves the pre-existing security model).
    • User full names now must use characters valid in an email from line.
    • Settings pages that normal users cannot modify are now hidden by default.
    • The has:link, has:attachment, and has:image search keywords
      have been redesigned to correctly handle corner cases like links in
      code blocks.
    • Replaced title attributes with nice tooltips in the message feed and
      buddy list.
    • Fixed incorrect caching settings for the Zulip API, which could result
      in browsers appearing to display old content or re-mark messages as unread.
    • Fixed a bug that prevented sending mobile push notifications when the
      user was recently online via the mobile app.
    • Fixed buggy handling of LaTeX in quote-and-reply.
    • Fixed buggy rendering of bulleted lists inside blockquotes.
    • Fixed several bugs with CORS in the nginx configuration.
    • Fixed error message for GitHub login attempts with a deactivated account.
    • Fixed email gateway issues with non-latin characters in stream names.
    • Fixed endless re-synchronization of LDAP user avatars (which
      could cause user-visible performance issues for desktop/web clients).
    • Fixed all known bugs with advanced LDAP data synchronization.
    • Fixed numbered list handling of blank lines between blocks.
    • Fixed performance issues that made users soft-deactivated for over a
      year unable to return to the app.
    • Fixed missing -X GET/POST parameters in API docs curl examples. The
      API documentation for curl examples is now automatically generated
      with automated tests for the examples to prevent future similar bugs.
    • Fixed multi-line /me messages only working for the sender.
    • Fixed password strength meter not updating on paste.
    • Fixed numerous errors and omissions in the API documentation. Added
      a test suite comparing the API documentation to the implementation.
    • Fixed copy/paste of blocks of messages in Firefox.
    • Fixed problems with exception reporting when memcached is down.
    • Fixed pinned streams being incorrectly displayed as inactive.
    • Fixed password reset page CSS for desktop app.
    • Fixed "more topics" appearing for new streams, where we can be
      confident we already have all the topics cached in the browser.
    • Fixed some subtle bugs with event queues and message editing.
    • Fixed real-time sync for reactions and message edits on a message
      sent to a private stream with shared history before the current user
      joined that stream.
    • Fixed several subtle real-time sync issues with "stream settings".
    • Fixed a few subtle markdown processor bugs involving emoji.
    • Fixed several issues where Linkifiers validation was overly restrictive.
    • Fixed several rare/minor UI consistency issues in the left sidebar.
    • Fixed issues involving saving a message edit before file upload completes.
    • Fixed issues with pasting images into the compose box from Safari.
    • Fixed email gateway bot being created with incorrectly cached permissions.
    • Fixed guest users seeing UI widgets they can't use.
    • Fixed several issues with click handlers incorrectly closing compose.
    • Fixed buggy behavior of /me messages not ending with a paragraph.
    • Fixed several major UI issues with the mobile webapp.
    • Fixed HTML styling when copy-pasting content out of Zulip's night theme.
    • Fixed obscure traceback with Virtualenv 16.0.0 unexpectedly installed.
    • Added a new visual tool for testing webhook integrations.
    • Rewrote the Google authentication backend to use python-social-auth,
      removing Zulip's original 2013-era SSO authentication backend.
    • The /server_settings API now advertises supported authentication
      methods alongside details on how to render login/registration buttons.
    • Rewrote HTML/CSS markup for various core components to be more
      easily modified.
    • Removed the legacy static asset pipeline; everything now uses webpack.
    • Renamed the system bot Zulip realm to "zulipinternal" (was "zulip").
    • Switched our scrollbars to use simplebar, fixing many subtle
      scrollbar-related bugs in the process.
    • Enabled webpack code splitting and deduplication.
    • Started migrating our frontend codebase to TypeScript.
  • v2.1.0-rc1 Changes

    November 22, 2019

    Release Zulip server 2.1.0-rc1.

  • v2.0.8 Changes

    December 13, 2019

    2.0.8 -- 2019-12-12

    • CVE-2019-19775: Close open redirect in thumbnail view.
  • v2.0.7 Changes

    November 21, 2019

    2.0.7 -- 2019-11-21

    • CVE-2019-18933: Fix insecure account creation via social authentication.
    • Added backend enforcement of zxcvbn password strength checks.