Security Release
Zammad 5.3.1
· This release note includes a really important security patch. All self-hosted instances are advised to update immediately.
Please read on for details:
Security Patch
An attacker could send a specially created message to the server, causing the message to be sent to all active front ends. While the front end responds to this payload, the attacker now can abuse the session and make malicious changes to the front end and the server.
Find the Advisory here: ZAA-2022-11
Non-Critical changes
Two other smaller vulnerabilities have been fixed that are not critical.
You can find the details in their Advisories
Note:
🏠 If you're using Zammad on-prem please update to 5.3.1 as soon as possible.
☁️ Hosted instances will be updated automatically, so there is no action required from your side.
Downloads
You will find all improvements in the Changelog.
Download Zammad 5.3.1
Source code
- ftp.zammad.com/zammad-5.3.1.tar.bz2 (75e0cc3a1df4d5c413457fb6eafd9be3)
- ftp.zammad.com/zammad-5.3.1.tar.gz (a62784ac952c7ff9d9634ed700e693d6)
- ftp.zammad.com/zammad-5.3.1.zip (8207ba695071d999b4b66323ea86b32d)
Packages
Upgrade
You can find information on an upgrade of your Zammad installation here:
Notes
Node.js dependency
Please note that starting with Zammad 5.0 you'll need Node.js to run 'rake assets:precompile'.
This affects all source code installations and those who change javascript or stylesheet files in Zammad.
Find out more in our documentation.