I’m fairly late - sorry about that. Zammad 3.3 is out and mainly focuses on security fixes.
We strongly encourage users to update their existing installations.
Some of these security issues are rated high and may therefore be critical for your installation!
For the record, here’s a list of the advisories:
- Persistent Cross-Site Scripting XSS (toolbar) https://zammad.com/news/security-advisory-zaa-2020-01
- Persistent Cross-Site Scripting XSS (File Uploads) https://zammad.com/news/security-advisory-zaa-2020-02
- Persistent Cross-Site Scripting XSS (Email) https://zammad.com/news/security-advisory-zaa-2020-03
- Return of hashed passwords in own sessions https://zammad.com/news/security-advisory-zaa-2020-04
- Authorization issues https://zammad.com/news/security-advisory-zaa-2020-05
- Websocket Server DoS https://zammad.com/news/security-advisory-zaa-2020-06
- Determining of existing accounts https://zammad.com/news/security-advisory-zaa-2020-07
- Default configuration provides used server versions https://zammad.com/news/security-advisory-zaa-2020-08
- Source code disclosure https://zammad.com/news/security-advisory-zaa-2020-09
- Information disclosure via error messages https://zammad.com/news/security-advisory-zaa-2020-10
- Caching of sensitive information (Browser) https://zammad.com/news/security-advisory-zaa-2020-11
1. Technical remarks / changes
1.1 Elasticsearch search index
Please note that when updating to Zammad 3.3, just like with Zammad 3.2, a reindex of your Zammad installation is required (zammad run rake searchindex:rebuild).
Attention docker-compose users:
Please note that Zammad 3.3.0-12 upgrades the Elasticsearch version in use, which requires you to remove the existing indices. More information on this topic can be found here: https://github.com/zammad/zammad-docker-compose#from--330-12
1.2 Possible need to update your vhost configuration
The default configuration files we suggested earlier exposed the web server version in use. This is potentially a bad idea, as it tells anyone probing your host exactly which server release to look up.
Nginx users simply add the following directive to your configuration:
You can also set this globally within your nginx.conf if needed.
Apache2 users just have to add ServerTokens Prod or (if you want to be even sneakier) ServerSignature Off to your vhost or webserver configuration.
Just like with nginx, you can set this globally if needed.
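As an added check that is not part of the release post and not Zammad's own tooling, the POSIX shell function below reads an HTTP response header block and reports whether the Server header still carries a version string, so you can confirm the vhost change actually took effect; it runs here on constructed sample responses, and the host name in the usage comment is a placeholder. The nginx directive named in the comments, `server_tokens off;`, is taken from nginx's documentation since the post does not print it.

```shell
#!/bin/sh
# Added example, not part of the Zammad release post: verify that the web server
# in front of Zammad no longer reveals its version (the issue behind ZAA-2020-08
# and the vhost changes in section 1.2). Feed it raw response headers, e.g.
#   curl -sI https://zammad.example.com | server_leaks_version
# (zammad.example.com is a placeholder host).

# Reads an HTTP header block on stdin, prints the Server header value and
# returns 0 when it still carries a version (nginx/1.18.0, Apache/2.4.41 ...),
# 1 when it is bare (nginx, Apache) or absent.
server_leaks_version() {
    value=$(tr -d '\r' | grep -i '^server:' | head -n 1 \
            | sed 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//' || true)
    printf 'Server: %s\n' "${value:-<absent>}"
    printf '%s' "$value" | grep -Eq '/[0-9]+(\.[0-9]+)+'
}

# Constructed sample responses: before and after the configuration change.
# Apache default vs. "ServerTokens Prod"; nginx default vs. "server_tokens off;"
# (the nginx directive comes from nginx's documentation, not from the post).
LEAKY_APACHE='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html'
HARDENED_APACHE='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'
LEAKY_NGINX='HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html'
HARDENED_NGINX='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

for sample in "$LEAKY_APACHE" "$HARDENED_APACHE" "$LEAKY_NGINX" "$HARDENED_NGINX"; do
    if printf '%s\n' "$sample" | server_leaks_version; then
        echo '  -> version disclosed, apply the vhost change from section 1.2'
    else
        echo '  -> ok, no version in Server header'
    fi
done
```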
1.3 Performance improvements
With Zammad 3.3 we’re happy to announce that we could further tweak Zammad's performance. Search index updates are now much faster and are prioritized below communication tasks with your users.
This should also help greatly during performance problems: on earlier versions, a growing number of delayed jobs (mainly for the search index) also held back communication tasks.
Amazing news, right?!
2. Feature addition to triggers and schedulers
We’re happy to announce that you can now also use calendars within triggers and schedulers. This allows them to fire only during (or only outside of) your business hours, for example.
This lets you, for instance, send very specific mails to your users. We hope that this helps you and your users to be even more flexible.
That’s it for now - happy hacking as we at Zammad would say!