Mattermost security updates 11.7.1 (ESR), 11.6.3, 11.5.6, and 10.11.18 (ESR) released
We’re informing you about a Mattermost security update, which addresses Low to Medium severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 11.7.1 (Extended Support Release), 11.6.3, 11.5.6, and 10.11.18 (Extended Support Release) for both Team Edition and Enterprise Edition. They are available for download here. You can follow the standard upgrade instructions to apply the updates.
The 11.7.1 version also includes the following fixes:
- Tightened session invalidation on the global session revocation path.
- `POST /api/v4/users/{user_id}/demotenow` returns 400 when `user_id` is a bot account; bot accounts cannot be converted to guests.
- Improved memory usage and performance when processing images (resizing, thumbnails, and orientation correction).
- Plugins using the Shared Channels APIs can now register multiple remote connections by calling `RegisterPluginForSharedChannels` with different `SiteURL` values, enabling use cases like multiple outbound transports or bridging to multiple external servers. A new `UnregisterPluginRemoteForSharedChannels` method allows removing a single remote without affecting others. Existing single-remote plugins continue to work without changes.
- Fixed an issue where file attachments synced over a shared channel through a plugin (using the `OnSharedChannelsAttachmentSyncMsg`/`ReceiveSharedChannelAttachmentSyncMsg` plugin API pair) were stored on the receiving server but did not appear in the corresponding post, because the saved `FileInfo` was given a new ID instead of preserving the sender's file ID referenced by the post.
- Plugin APIs for Shared Channel sync (`ReceiveSharedChannelSyncMsg` and `ReceiveSharedChannelAttachmentSyncMsg`) are now order-tolerant and idempotent: plugin remotes can now deliver a post and its file attachments in either order or concurrently, and at-least-once redeliveries no longer produce duplicate `FileInfo` rows.
- Pre-packaged GitLab plugin version v1.12.2.
- Pre-packaged Jira plugin version v4.7.0.
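The two shared-channel sync fixes above amount to two properties a receiving server needs: the stored `FileInfo` keeps the sender's file ID that the post references, and post/attachment delivery is order-tolerant and idempotent. The Go model below is an added example, not Mattermost's code or its plugin API; the `Post`, `FileInfo` and `Receiver` types, their fields and method names are assumptions chosen to illustrate those properties.

```go
package main
import "sync"

type Post struct { // simplified stand-in; field names are assumptions
	ID      string
	FileIDs []string // file IDs exactly as the sending server references them
}
type FileInfo struct {
	ID   string // the sender's file ID, kept rather than replaced by a new one
	Name string
}
// Receiver models the receiving server's store for one shared channel.
type Receiver struct {
	mu    sync.Mutex
	posts map[string]Post
	files map[string]FileInfo // keyed by the sender's ID, so one row per file
}

func NewReceiver() *Receiver {
	return &Receiver{posts: map[string]Post{}, files: map[string]FileInfo{}}
}

// ReceivePost is idempotent: an at-least-once redelivery rewrites the same key.
func (r *Receiver) ReceivePost(p Post) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.posts[p.ID] = p
}

// ReceiveAttachment may run before, after or concurrently with ReceivePost;
// keyed by the sender's ID, a redelivery cannot create a duplicate row.
func (r *Receiver) ReceiveAttachment(f FileInfo) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.files[f.ID] = f
}

// Attachments resolves a post's files at read time, so arrival order is irrelevant.
func (r *Receiver) Attachments(postID string) []FileInfo {
	r.mu.Lock()
	defer r.mu.Unlock()
	var out []FileInfo
	for _, id := range r.posts[postID].FileIDs {
		if f, ok := r.files[id]; ok {
			out = append(out, f)
		}
	}
	return out
}
func (r *Receiver) FileCount() int { r.mu.Lock(); defer r.mu.Unlock(); return len(r.files) } // stored rows
```

Had `ReceiveAttachment` minted a fresh ID instead of keeping `f.ID`, the lookup in `Attachments` would miss the file even though the row exists, which is exactly the symptom the fix describes.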
The 11.6.3 and 11.5.6 versions also include the following fixes:
- Tightened session invalidation on the global session revocation path.
- Pre-packaged GitLab plugin version v1.12.2.
- Pre-packaged Jira plugin version v4.7.0.
- Fixed a regression with saving various masked fields from the System Console.
The 10.11.18 version also includes the following fixes:
- Tightened session invalidation on the global session revocation path.
- `POST /api/v4/users/{user_id}/demotenow` returns 400 when `user_id` is a bot account; bot accounts cannot be converted to guests.
- Pre-packaged GitLab plugin version v1.12.2.
- Pre-packaged Jira plugin version v4.7.0.
- Fixed a regression with saving various masked fields from the System Console.
Customer safety and data security are the utmost priorities for Mattermost. For our customers’ protection, and as outlined in our Responsible Disclosure policy, Mattermost does not disclose specifics on this vulnerability until 30 days after this announcement. After 30 days, we will publish specific details on the vulnerability on our Security Updates webpage.