I’m fairly late - sorry about that. Zammad 3.3 is out and mainly focusses on security fixes.
We strongly encourage users to update their existing installations.
Some of these security issues are rated high and thus may be very crucial for your installation!
For the record, here’s a list of the advisories:
- Persistent Cross-Site Scripting XSS (toolbar) Zammad Security Advisory ZAA-2020-01
- Persistent Cross-Site Scripting XSS (File Uploads) Zammad Security Advisory ZAA-2020-02
- Persistent Cross-Site Scripting XSS (Email) Zammad Security Advisory ZAA-2020-03
- Return of hashed passwords in own sessions Zammad Security Advisory ZAA-2020-04
- Authorization issues Zammad Security Advisory ZAA-2020-05
- Websocket Server DoS Zammad Security Advisory ZAA-2020-06
- Determining of existing accounts Zammad Security Advisory ZAA-2020-07
- Default configuration provides used server versions Zammad Security Advisory ZAA-2020-08
- Source code disclosure Zammad Security Advisory ZAA-2020-09
- Information disclosure via error messages Zammad Security Advisory ZAA-2020-10
- Caching of sensitive information (Browser) Zammad Security Advisory ZAA-2020-11
1. technical remarks / changes
1.1 Elasticsearch search index
Please note that updating to Zammad 3.3, just like Zammad 3.2, requires a reindex (zammad run rake searchindex:rebuild) of your Zammad installation.
Attention docker-compose users:
Please note that Zammad 3.3.0-12 upgrades the Elasticsearch version being used - this requires you to remove the existing indices. More information on this topic can be found here: GitHub - zammad/zammad-docker-compose: Zammad Docker images for docker-compose
1.2 Possible need to update your vhost configuration
The default configuration files we suggested earlier exposed the version of the web server being used. This is potentially a bad idea.
nginx users
Nginx users simply add the following directive to your configuration:
server_tokens off;
You can also set this globally within your nginx.conf if needed
apache2 users
Apache2 users just have to add ServerTokens Prod
or (if you want to be even sneakier) ServerSignature Off
to your vhost or webserver configuration.
Just like nginx you can set this globally if needed.
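To check that the change actually took effect, here is an added shell check (not part of this announcement or of Zammad itself): it reads the Server header of a response and reports whether a version number is still exposed. The header samples are constructed, and ZAMMAD_URL is an assumed environment variable for an optional live check of your own instance.

```shell
# Added example, not part of the Zammad announcement: check whether the
# web server in front of Zammad still advertises its version in the
# Server header, i.e. whether "server_tokens off;" (nginx) or
# "ServerTokens Prod" (Apache) took effect. Header samples are constructed;
# ZAMMAD_URL is an assumed environment variable for a live check.

# Print the value of the Server header from raw HTTP response headers
# (header name matched case-insensitively, CR stripped); empty if absent.
server_header_value() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower(substr($0, 1, 7)) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Succeed (exit 0) when a Server value carries a version number such as
# "nginx/1.18.0" or "Apache/2.4.41 (Ubuntu)"; fail for a bare product name.
server_header_leaks_version() {
    printf '%s\n' "$1" | grep -Eq '/[0-9]+(\.[0-9]+)*'
}

# Classify a header block as "absent", "ok" (product name only) or "leaks".
classify_server_header() {
    value=$(server_header_value "$1")
    if [ -z "$value" ]; then
        echo absent
    elif server_header_leaks_version "$value"; then
        echo leaks
    else
        echo ok
    fi
}

# Constructed samples: the old default configuration versus a hardened one.
BEFORE_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html'
AFTER_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'
NO_SERVER_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html'

echo "before hardening: $(classify_server_header "$BEFORE_HEADERS")"   # leaks
echo "after hardening:  $(classify_server_header "$AFTER_HEADERS")"    # ok

# Live check against your own instance, only when ZAMMAD_URL is set
# (needs curl and network access); curl -sI fetches the headers only.
if [ -n "${ZAMMAD_URL:-}" ]; then
    echo "$ZAMMAD_URL: $(classify_server_header "$(curl -sI "$ZAMMAD_URL")")"
fi
```

Note that ServerSignature Off only removes the version footer from Apache-generated error pages; the Server header itself is governed by ServerTokens, which is what this check inspects.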
1.3 performance improvements
With Zammad 3.3 we’re happy to announce that we could further tweak Zammad’s performance. Search index updates are now much faster and are given lower priority than communication tasks with your users.
This should also help greatly during performance issues: on earlier versions, rising counts of delayed jobs (mainly for search indexes) were also holding back communication tasks.
Amazing news, right?!
2. Feature addition to triggers and schedulers
We’re happy to announce that you now can also use calendars within triggers and schedulers. This allows you to only fire e.g. during or outside of your business hours.
You can use this, for example, to send very specific mails to your users. We hope that this helps you and your users to be even more flexible.
That’s it for now - happy hacking as we at Zammad would say!