Mattermost security updates 6.7.1, 6.6.2, 6.5.2, 6.3.9 (ESR) released

We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update.

The security update is available for Mattermost dot releases 6.7.1, 6.6.2, 6.5.2 and 6.3.9 (Extended Support Release) for both Team Edition and Enterprise Edition. They are available for download here.

Customer safety and data security are the utmost priorities for Mattermost. For our customers’ protection, and as outlined in our Responsible Disclosure policy, Mattermost does not disclose specifics on this vulnerability until 30 days after this announcement. After 30 days, we will publish specific details on the vulnerability on our Security Updates webpage.

Mattermost 6.7.1 version also resolves the following bug:

• The value of ServiceSettings.TrustedProxyIPHeader defaults to empty from now on. A previous bug prevented this from happening in certain conditions. Customers are requested to check for these values in their config and set them to nil if necessary.

Mattermost 6.6.2 version also resolves the following bugs:

• The value of ServiceSettings.TrustedProxyIPHeader defaults to empty from now on. A previous bug prevented this from happening in certain conditions. Customers are requested to check for these values in their config and set them to nil if necessary.
• Fixed a bug that allowed to send test (empty) notifications even if the SendPushNotifications config was set to false.

Mattermost 6.5.2 version also resolves the following bugs:

• The value of ServiceSettings.TrustedProxyIPHeader defaults to empty from now on. A previous bug prevented this from happening in certain conditions. Customers are requested to check for these values in their config and set them to nil if necessary.
• Fixed a bug that allowed to send test (empty) notifications even if the SendPushNotifications config was set to false.
• The ping endpoint now can receive a device ID, which will report whether the device is able to receive push notifications.

Mattermost 6.3.9 version also resolves the following bug:

• The value of ServiceSettings.TrustedProxyIPHeader defaults to empty from now on. A previous bug prevented this from happening in certain conditions. Customers are requested to check for these values in their config and set them to nil if necessary.
• Fixed a bug that allowed to send test (empty) notifications even if the SendPushNotifications config was set to false.
• Pre-packaged Playbooks v1.23.2.

You can follow the standard upgrade instructions to apply the updates.