Zammad 3.3.0 & 3.2.1
We are pleased to release Zammad 3.3. This is primarily a security release.
Zammad 3.3.0 (minor) and 3.2.1 (patch)
1#: 👮 Focus Security
A lot has happened since Zammad 1.0 (November 2016). With the spread of Zammad, we have entered new spheres, especially in medium-sized companies, corporations and high security environments. As a result, Zammad has been subjected to several security audits (by various organizations) in the last few months.
The results of these carefully conducted audits will be bundled with Zammad version 3.3.0 (or 3.2.1). Thank you for your confidence and the improvements, from which all Zammad users will benefit.
Hosted Zammad: Your instance has already been updated in advance - no action on your part is necessary.
Self-hosted Zammad: We recommend you update your installations immediately.
Below is a list of the relevant security advisories addressed in this release.
- ZAA-2020-01 Persistent Cross-Site Scripting - toolbar - XSS (CVE-2020-10099)
- ZAA-2020-02 Persistent Cross-Site Scripting - File Upload - XSS (CVE-2020-10103)
- ZAA-2020-03 Persistent Cross-Site Scripting - Email - XSS (CVE-2020-10098)
- ZAA-2020-04 Password Hashes Returned in Response of own session (CVE-2020-10104)
- ZAA-2020-05 Authorization Issues Allow for Users to View Data from Others (CVE-2020-10100)
- ZAA-2020-06 WebSocket Server DoS (CVE-2020-10101)
- ZAA-2020-07 Application Functionality Can Be Used to Determine Existing User Accounts (CVE-2020-10102)
- ZAA-2020-08 Information Disclosure in HTTP Headers of default config example (CVE pending)
- ZAA-2020-09 Source Code Disclosure (CVE-2020-10105)
- ZAA-2020-10 Information Disclosure via Verbose Error Messages (CVE-2020-10097)
- ZAA-2020-11 Application Allows for Sensitive Information Caching (CVE-2020-10096)
2#: 🤖 Triggers & automation depending on calendars
Have you always wanted to send different auto-responders within or outside your service hours? This is now possible. Simply add a stored calendar as a condition to the trigger, and the trigger will only be executed during or outside business hours.
PS: In addition, you can now also mark auto-responders as internal or external (previously only external).
Technical Notes (for self-hosted):
- Performance improvements: CPU Utilization - Several improvements have again significantly reduced the CPU power required by the scheduler.
- Full text search: Until now, Elasticsearch did not index Knowledge Base attachments. This has been enhanced with Zammad 3.3, and it requires re-indexing Elasticsearch when updating to Zammad 3.3 (zammad run rake searchindex:rebuild).
Downloads
All improvements can be found in the changelog.
Download Zammad 3.3.0
Changelog (2020-03-03)
Source code
- https://ftp.zammad.com/zammad-3.3.0.tar.bz2 (md5:45d55367c2247d52efab4dc38e9b93c7)
- https://ftp.zammad.com/zammad-3.3.0.tar.gz (md5:2119ee140a8abd0d48ef4033f4d939dd)
- https://ftp.zammad.com/zammad-3.3.0.zip (md5:4b81993958eb041234c0c357ba68ca01)
Download Zammad 3.2.1
Changelog (2020-03-03)
Source code
- https://ftp.zammad.com/zammad-3.2.1.tar.bz2 (md5:839c0852c65a8554119a26aa3438bbe1)
- https://ftp.zammad.com/zammad-3.2.1.tar.gz (md5:1e43ad19ec800dc8dc2eeab7997d266c)
- https://ftp.zammad.com/zammad-3.2.1.zip (md5:ebdb55b3665af0d6d67db23a8a3ce14f)
Packages
- CentOS: https://docs.zammad.org/en/latest/install-centos.html
- Debian: https://docs.zammad.org/en/latest/install-debian.html
- Ubuntu: https://docs.zammad.org/en/latest/install-ubuntu.html
- Docker-Compose: https://docs.zammad.org/en/latest/install-docker-compose.html
Upgrade
Information about upgrading a Zammad installation can be found here:
- From source: https://docs.zammad.org/en/latest/install-update.html#source-update
- With RPM: https://docs.zammad.org/en/latest/install-update.html#update-with-rpm
- With DEB: https://docs.zammad.org/en/latest/install-update.html#update-with-deb
Your Zammad team!