Security Release

Zammad 5.2.1

This security patch includes an update to a previous fix as well as the resolution of three new issues that came along with the 5.2 release. 🛡️
Please read on for details:

Security Patch Level Release 🔐

There is an update for the issue from 5.1.1. After the missing rate limit on the forgotten-password function was added, it was still possible to manipulate that rate limit. As of 5.2.1, such manipulation attempts are detected more reliably and can no longer bypass the limit.

After the 5.2 update, customers with secondary organizations assigned could choose the organization under which they wanted to create tickets. However, the selection list did not show only their own organizations but all organizations in the system.

We also received reports that Zammad's built-in prevention of brute force password guessing attacks could be bypassed partially. This gap has now been closed as well.

Lastly, Zammad did not correctly perform authorization for certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files.

Note: 🏠 Hosted instances will be updated automatically, so there is no action required from your side.

Advisories

You can find the corresponding advisories here:

Downloads

You will find all improvements in the Changelog.

Download Zammad 5.2.1

Changelog

Source code

Packages

Upgrade

You can find information on an upgrade of your Zammad installation here:

Notes

Node.js dependency

Please note that starting with Zammad 5.0 you'll need Node.js to run 'rake assets:precompile'.
This affects all source code installations and anyone who changes JavaScript or stylesheet files in Zammad.

Find out more in our documentation.
