Mattermost security updates 7.5.2, 7.4.1, 7.1.5 (ESR) released
We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update.
The security update is available for Mattermost dot releases 7.5.2, 7.4.1, and 7.1.5 (Extended Support Release) for both Team Edition and Enterprise Edition. They are available for download here.
Customer safety and data security are the utmost priorities for Mattermost. For our customers’ protection, and as outlined in our Responsible Disclosure policy, Mattermost does not disclose specifics on this vulnerability until 30 days after this announcement. After 30 days, we will publish specific details on the vulnerability on our Security Updates webpage.
Mattermost 7.5.2 version also resolves the following bugs:
- Fixed an issue where email notifications looked broken when email batching was enabled.
- Updated prepackaged Boards version to 7.5.4.
- Updated prepackaged NPS version to 1.3.1.
Mattermost 7.4.1 version also resolves the following bugs:
- Added a new schema migration to ensure
ParentId
column is dropped from thePosts
table. Depending on the table size, if the column is not dropped before, a significant spike in database CPU usage is expected on MySQL databases. Writes to the table will be limited during the migration. - Updated prepackaged Boards version to 7.4.3.
Mattermost 7.1.5 (ESR) version also resolves the following bugs:
- Added a new schema migration to ensure
ParentId
column is dropped from thePosts
table. Depending on the table size, if the column is not dropped before, a significant spike in database CPU usage is expected on MySQL databases. Writes to the table will be limited during the migration. - Fixed an issue where Renew Now option was not available in-product for self-serve eligible licenses.
- “getPostSince“ now properly returns deleted posts when Collapsed Reply Threads is enabled.
- Fixed an issue where the
Enterprise license is expired
banner was undismissable. - Fixed an issue where screen readers did not announce search results in the “Invite members to channel” modal.
- Fixed an issue where screen readers did not announce emojis in the autocomplete list.
- Fixed an issue where screen readers did not announce successful logins.
- Fixed an issue where screen readers incorrectly announced the Settings > Display > Language > Change interface language field.
- Fixed an issue where the search dropdown options did not allow focusing with a tab.
- Fixed an issue where screen readers failed to announce “no results found” in the Direct Message modal.
- Fixed an issue where the Test Connection button in System Console > Environment > Elasticsearch did not correctly take the right config settings specified in the page. Earlier, it would always take the previously saved config.
You can follow the standard upgrade instructions to apply the updates.