Security Release

Zammad 5.0.3

This security release fixes unintended information disclosure during out-of-office replacements. Self-hosted users are urged to perform an update to 5.0.3 to eliminate this bug. 🛡️

Security Patch Level Release 👮

After upgrading to Zammad 5.0, some customers noticed a bug in the notification handling:
Zammad offers the option to define another user as a replacement during times of absence. The selected user will then receive the absent user's notifications and tickets. 🏖️
Some users reported that the replacements saw notifications from groups that they are not part of. Although they didn't have access to the corresponding tickets, the notifications alone could give away sensitive information that is not intended for them.

We take this issue seriously, which is why we have created a new security release at short notice, instead of waiting for the release of Zammad 5.1.

Note: 🏠 Hosted instances will be updated automatically, so there is no action required from your side.

Earlier versions, prior to Zammad 5.0, are not affected by this vulnerability.

Advisory

You can find the corresponding advisory here:

Downloads

You will find all improvements in the Changelog.

Download Zammad 5.0.3

Changelog

Source code

Packages

Upgrade

You can find information on an upgrade of your Zammad installation here:

Notes

Node.js dependency

Please note that starting with Zammad 5.0 you'll need Node.js to run 'rake assets:precompile'.
This affects all source code installations and those who change JavaScript or stylesheet files in Zammad.

Find out more in our documentation.

Browser Deprecation List: Required for the upcoming Zammad version 5.1.0

  • Chrome: 83
  • Firefox: 78
  • Explorer: 11
  • Safari: 11
  • Opera: 69
  • Edge: 83