Security Release

Zammad 5.1.1

This release fixes some minor issues regarding the password and forgot-password feature. Self-hosted users are urged to perform an update to 5.1.1 to eliminate this bug. 🛡️
Please read below for details:

Security Patch Level Release 🔐

Due to a missing length restriction, users could configure extremely long passwords when setting up a Zammad account. A password that is too long can cause server problems during encryption, which eventually leads to a denial of service.
We have now added the missing length restriction.

The forgot-password function had no limit on how many times the procedure could be triggered within a given time span. An attacker could send a mass of requests in a short time, spamming the victim as well as risking a server overload.
We have solved this by introducing a time window in which only a limited number of requests can be sent. Once these are used up, a certain amount of time must pass before new requests can be sent.
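
The two fixes described above, as an added Ruby example that is not Zammad's code: a length check applied before the password is processed, and a fixed-window throttle for forgot-password requests. The limits, the key scheme (per client IP and per login) and all names are assumptions, since the release notes give no values.

```ruby
# Added illustration, not Zammad's code. All limits are assumed values.
MAX_PASSWORD_LENGTH = 1_000 # assumed cap, enforced before any hashing work
RESET_LIMIT         = 3     # assumed: requests allowed per window
RESET_WINDOW        = 60    # assumed: window length in seconds

# Reject over-long input before it reaches the expensive password routine.
def password_length_ok?(password)
  password.is_a?(String) && password.bytesize <= MAX_PASSWORD_LENGTH
end

# Fixed-window throttle for forgot-password requests, keyed by any string.
class ResetThrottle
  def initialize(limit: RESET_LIMIT, window: RESET_WINDOW)
    @limit = limit
    @window = window
    @buckets = {} # key => [window_start, count]
  end

  # Returns :ok, or the number of seconds the caller still has to wait.
  def check(key, now = Time.now.to_i)
    start, count = @buckets[key]
    if start.nil? || now - start >= @window
      @buckets[key] = [now, 1] # first request of a new window
      return :ok
    end
    return start + @window - now if count >= @limit
    @buckets[key] = [start, count + 1]
    :ok
  end

  # Drop expired windows so the table cannot grow without bound.
  def sweep(now = Time.now.to_i)
    @buckets.delete_if { |_key, (start, _count)| now - start >= @window }
    @buckets.size
  end
end

# Throttle per source (server load) and per target login (mail flooding).
# Both keys are always counted, so rotating source addresses does not help.
def reset_allowed?(throttle, client_ip, login, now = Time.now.to_i)
  keys = ["ip:#{client_ip}", "login:#{login.downcase}"]
  keys.map { |k| throttle.check(k, now) }.all? { |r| r == :ok }
end
```

In a multi-process deployment the counters would live in a shared store rather than in a per-process hash.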

Note: 🏠 Hosted instances will be updated automatically, so there is no action required from your side.

Advisories

You can find the corresponding advisories here:

Downloads

You will find all improvements in the Changelog.

Download Zammad 5.1.1

Changelog

Source code

Packages

Upgrade

You can find information on an upgrade of your Zammad installation here:

Notes

Node.js dependency

Please note that starting with Zammad 5.0 you'll need Node.js to run 'rake assets:precompile'.
This affects all source code installations and anyone who changes JavaScript or stylesheet files in Zammad.

Find out more in our documentation.
