Release Zulip Server 4.11.

docs/overview/changelog.md

@@ -7,6 +7,19 @@ up-to-date list of raw changes.
 
 ## Zulip 4.x series
 
+## Zulip 4.11 -- 2022-03-15
+
+- CVE-2022-24751: Zulip Server 4.0 and above were susceptible to a
+  race condition during user deactivation, where a simultaneous access
+  by the user being deactivated may, in rare cases, allow continued
+  access by the deactivated user. This access could theoretically
+  continue until one of the following events happens:
+  - The session expires from memcached; this defaults to two weeks, and
+    is controlled by SESSION_COOKIE_AGE in /etc/zulip/settings.py
+  - The session cache is evicted from memcached by other cached data.
+  - The server is upgraded, which clears the cache.
+- Updated translations.
+
 ## Zulip 4.10 -- 2022-02-25
 
 - CVE-2022-21706: Reusable invitation links could be improperly used

version.py

@@ -1,6 +1,6 @@
 import os
 
-ZULIP_VERSION = "4.10+git"
+ZULIP_VERSION = "4.11"
 
 # Add information on number of commits and commit hash to version, if available
 zulip_git_version_file = os.path.join(
@@ -14,7 +14,7 @@ ZULIP_VERSION = lines.pop(0).strip()
 ZULIP_MERGE_BASE = lines.pop(0).strip()
 
 LATEST_MAJOR_VERSION = "4.0"
-LATEST_RELEASE_VERSION = "4.10"
+LATEST_RELEASE_VERSION = "4.11"
 LATEST_RELEASE_ANNOUNCEMENT = "https://blog.zulip.com/2021/05/13/zulip-4-0-released/"
 
 # Versions of the desktop app below DESKTOP_MINIMUM_VERSION will be