Mattermost security updates 10.1.2 / 10.0.2 / 9.11.4 (ESR) / 9.5.12 (ESR) released
We’re informing you about a Mattermost security update that addresses a high-severity vulnerability. We highly recommend that you apply the update.
The security update is available for Mattermost dot releases 10.1.2, 10.0.2, 9.11.4 (Extended Support Release), and 9.5.12 (Extended Support Release), for both Team Edition and Enterprise Edition. They are available for download here.
Customer safety and data security are the utmost priorities for Mattermost. For our customers’ protection, and as outlined in our Responsible Disclosure policy, Mattermost does not disclose specifics on this vulnerability until 30 days after this announcement. After 30 days, we will publish specific details on the vulnerability on our Security Updates webpage.
The v10.1.2 version also includes the following fixes:
- Fixed an issue with message export file attachments with a dedicated filestore.
- Added a configuration setting NativeAppSettings > MobileExternalBrowser that tells the Mobile app to perform SSO Authentication using the external default browser (MM-60332).
The v10.0.2 version also includes the following fixes:
- Reverted a change enforcing usernames to start with alpha characters on the server (MM-61143).
- Reverted a breaking change in registerSlashCommandWillBePostedHook that caused errors to surface when an expected empty object was returned (MM-61233).
The v9.11.4 version also includes the following fix:
- Fixed an issue where users would not see channels they were added to, or messages from those channels, in clustered environments.
The v9.5.12 version also includes the following fix:
- Fixed desyncing issues with unreads between the team sidebar and the title bar (MM-54021).
You can follow the standard upgrade instructions to apply the updates.