ยท Just after delivering you our new major release, Zammad 5.0, we're adding a security release on top. ๐จ It fixes an issue that transpired in the last few days, ensuring that you can use the full scope of the new features without any bumps.
After upgrading to Zammad 5.0, a few users with special constellations noticed an unwelcome change: They suddenly saw tickets in the Overview that belonged to groups they were not a part of. While the tickets as such were not accessible to them (they could only see the metadata), it still represents a flaw from a privacy and security perspective. ๐
We have already put a fix in place which is fully deployed. So what does that mean for you? Here's what actions (if any) you should take.
If you are self-hosting Zammad and you have already performed an upgrade to Zammad 5.0, please ensure to install the new security release as well. โ๏ธ
If you have not yet upgraded to Zammad 5.0, you can jump right to 5.0.1 when you're ready.
Great - then you don't have to do anything! ๐ We're updating all hosted instances, which should be completed by end-of-day on Friday, October 8, 2021.
You can find the corresponding advisory here:
You will find all improvements in the Changelog.
Changelog (2021-10-08)
You can find information on an upgrade of your Zammad installation here:
Please note that starting with Zammad 5.0 you'll need Node.js to run 'rake assets:precompile'.
This affects all source code installations and those who change javascript or stylesheet files in Zammad.
Find out more in our documentation.