From 8c31437dd1ef9ce8ba92c123c8b04751ea89bac6 Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Tue, 15 Mar 2022 20:51:10 +0000
Subject: [PATCH] Release Zulip Server 4.11.
---
 docs/overview/changelog.md | 13 +++++++++++++
 version.py | 4 ++--
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/docs/overview/changelog.md b/docs/overview/changelog.md
index da34582de7..9021ba036a 100644
--- a/docs/overview/changelog.md
+++ b/docs/overview/changelog.md
@@ -7,6 +7,19 @@ up-to-date list of raw changes.
 ## Zulip 4.x series
+## Zulip 4.11 -- 2022-03-15
+
+- CVE-2022-24751: Zulip Server 4.0 and above were susceptible to a
+ race condition during user deactivation, where a simultaneous access
+ by the user being deactivated may, in rare cases, allow continued
+ access by the deactivated user. This access could theoretically
+ continue until one of the following events happens:
+ - The session expires from memcached; this defaults to two weeks, and
+ is controlled by SESSION_COOKIE_AGE in /etc/zulip/settings.py
+ - The session cache is evicted from memcached by other cached data.
+ - The server is upgraded, which clears the cache.
+- Updated translations.
+
 ## Zulip 4.10 -- 2022-02-25
 - CVE-2022-21706: Reusable invitation links could be improperly used
diff --git a/version.py b/version.py
index d191b134b9..e274ad4fa7 100644
--- a/version.py
+++ b/version.py
@@ -1,6 +1,6 @@
 import os
-ZULIP_VERSION = "4.10+git"
+ZULIP_VERSION = "4.11"
 # Add information on number of commits and commit hash to version, if available
 zulip_git_version_file = os.path.join(
@@ -14,7 +14,7 @@ ZULIP_VERSION = lines.pop(0).strip()
 ZULIP_MERGE_BASE = lines.pop(0).strip()
 LATEST_MAJOR_VERSION = "4.0"
-LATEST_RELEASE_VERSION = "4.10"
+LATEST_RELEASE_VERSION = "4.11"
 LATEST_RELEASE_ANNOUNCEMENT = "https://blog.zulip.com/2021/05/13/zulip-4-0-released/"
 # Versions of the desktop app below DESKTOP_MINIMUM_VERSION will be