Zammad 5.2.2

Security Patch Level Release 🔐

The Asset Handling Mechanism‘s logic in Zammad ensures that client users are not able to see other users' personal data. By using a web socket connection, a logged-in attacker could bypass this logic and retrieve the personal data of other users via the Zammad API. As of now, the logic is also effective when using the web socket connection.

Zammad has a fine-grained permission model that allows configuring read-only access to tickets. However, agents were still wrongly able to perform some operations on such tickets, like adding and removing links, tags, and related answers. As of now, this bug has been fixed.

Note: 🏠 Hosted instances will be updated automatically, so there is no action required from your side.

Advisories

You can find the corresponding advisories here:

• https://zammad.com/en/advisories/zaa-2022-09
• https://zammad.com/en/advisories/zaa-2022-10

Downloads

You will find all improvements in the Changelog.

Download Zammad 5.2.2

Changelog

Source code

• ftp.zammad.com/zammad-5.2.2.tar.bz2 (0948153269493501ccec1551bbe53eda)
• ftp.zammad.com/zammad-5.2.2.tar.gz (333e715e74399cfde99af8f0cccb2677)
• ftp.zammad.com/zammad-5.2.2.zip (3e6ffecb178d41bce96dc697124f8023)

Packages

• CentOS
• Debian
• Ubuntu
• Docker-Compose

Upgrade

You can find information on an upgrade of your Zammad installation here:

• From source
• With RPM
• With DEB

Notes

Node.js dependency

Please note that starting with Zammad 5.0 you'll need Node.js to run 'rake assets:precompile'.
This affects all source code installations and those who change javascript or stylesheet files in Zammad.

Find out more in our documentation.