· Just after delivering you our new major release, Zammad 5.0, we're adding a security release on top. 🚨 It fixes an issue that transpired in the last few days, ensuring that you can use the full scope of the new features without any bumps.
After upgrading to Zammad 5.0, a few users with special constellations noticed an unwelcome change: They suddenly saw tickets in the Overview that belonged to groups they were not a part of. While the tickets as such were not accessible to them (they could only see the metadata), it still represents a flaw from a privacy and security perspective. 🆘
We have already put a fix in place which is fully deployed. So what does that mean for you? Here's what actions (if any) you should take.
If you are self-hosting Zammad and you have already performed an upgrade to Zammad 5.0, please ensure to install the new security release as well. ☝️
If you have not yet upgraded to Zammad 5.0, you can jump right to 5.0.1 when you're ready.
Great - then you don't have to do anything! 😎 We're updating all hosted instances, which should be completed by end-of-day on Friday, October 8, 2021.
You can find the corresponding advisory here:
You will find all improvements in the Changelog.
Changelog (2021-10-08)
You can find information on an upgrade of your Zammad installation here:
Please note that starting with Zammad 5.0 you'll need Node.js to run 'rake assets:precompile'.
This affects all source code installations and those who change javascript or stylesheet files in Zammad.
Find out more in our documentation.