Mattermost Platform

Mattermost security updates 6.3.3, 6.2.3, 6.1.3, 5.37.8 released

We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update.

The security update is available for Mattermost dot releases 6.3.3 (Extended Support Release), 6.2.3, 6.1.3, and 5.37.8 (Extended Support Release), for both Team Edition and Enterprise Edition. They are available for download here.

Customer safety and data security are the utmost priorities for Mattermost. For our customers’ protection, and as outlined in our Responsible Disclosure policy, Mattermost does not disclose specifics on this vulnerability until 30 days after this announcement. After 30 days, we will publish specific details on the vulnerability on our Security Updates webpage.

Mattermost v6.3.3 also includes the following bug fixes and updates:

  • The default for ThreadAutoFollow has been changed to false. This does not affect existing configurations where this value is already set to true.
  • Prevented some instances where operations relating to Collapsed Reply Threads added load to the database server even when the ThreadAutoFollow and CollapsedThreads config settings were disabled.
  • .pages content search is no longer available due to technical difficulties.
  • Fixed an issue where the “New Replies” banner displayed in the right-hand side for threads that were entirely visible.

Mattermost v6.2.3 also includes the following bug fixes and updates:

  • The default for ThreadAutoFollow has been changed to false. This does not affect existing configurations where this value is already set to true.
  • Prevented some instances where operations relating to Collapsed Reply Threads added load to the database server even when the ThreadAutoFollow and CollapsedThreads config settings were disabled.
  • .pages content search is no longer available due to technical difficulties.
  • Fixed an issue where MySQL installations re-triggered the v6.0 migration on server restart.

Mattermost v6.1.3 also includes the following bug fixes and updates:

  • The default for ThreadAutoFollow has been changed to false. This does not affect existing configurations where this value is already set to true.
  • Prevented some instances where operations relating to Collapsed Reply Threads added load to the database server even when the ThreadAutoFollow and CollapsedThreads config settings were disabled.
  • .pages content search is no longer available due to technical difficulties.
  • Fixed an issue where MySQL installations re-triggered the v6.0 migration on server restart.

Mattermost v5.37.8 also includes the following bug fixes and updates:

  • The default for ThreadAutoFollow has been changed to false. This does not affect existing configurations where this value is already set to true.
  • Prevented some instances where operations relating to Collapsed Reply Threads added load to the database server even when the ThreadAutoFollow and CollapsedThreads config settings were disabled.
  • .pages content search is no longer available due to technical difficulties.
  • Fixed an issue where Actiance compliance jobs caused the Mattermost server process to crash with a panic.

You can follow the standard upgrade instructions to apply the updates.

Amy Blais is the Release Manager at Mattermost, Inc. Her other roles include Community and Customer Support. She previously served as the company’s Associate Marketing Manager.