Security Release
Zammad 6.3.1
· This release note includes a very important security patch. All self-hosted instances should be updated immediately.
Please read on for details:
Security Patch 🔐
A Ruby gem bundled by Zammad was installed with world-writable file permissions. This allowed a local attacker to modify these files and inject arbitrary code into the Zammad processes running with the Zammad user's environment and permissions.
Find the Advisory here: ZAA-2024-04
In addition, the Ruby version in use has been updated from version 3.2.3 to 3.2.4 due to a security release.
Note:
🏠 If you're using Zammad on-premise please update to 6.3.1 as soon as possible. The Ruby 3.2.4 security update must also be carried out locally for source code installations.
☁️ Hosted instances will be updated automatically, so there is no action required from your side.
Technical Requirements
Please note that you must meet the following browser requirements to use this version:
- Chrome: 83
- Firefox: 78
- Explorer: 11
- Safari: 11
- Opera: 69
- Edge: 83
Advisory
Download Zammad 6.3.1
All improvements can be found in the Changelog.
Source code
- ftp.zammad.com/zammad-6.3.1.tar.bz2 (60322ce57d9e198fd45d81fc4861ab97)
- ftp.zammad.com/zammad-6.3.1.tar.gz (16524e29b35b029781253a5c71f7912f)
- ftp.zammad.com/zammad-6.3.1.zip (ca3194b847504a6beb01554e47d2b4a7)
Packages
Upgrade
Here you can find information on upgrading your Zammad installation: