Mattermost security updates 9.1.1 / 9.0.2 / 8.1.4 (ESR) / 7.8.13 (ESR) released
We’re informing you about a Mattermost security update, which addresses vulnerabilities of low to medium severity. We highly recommend that you apply the update.
The security update is available for Mattermost dot releases 9.1.1, 9.0.2, 8.1.4 (Extended Support Release), and 7.8.13 (Extended Support Release), for both Team Edition and Enterprise Edition. They are available for download here.
Customer safety and data security are the utmost priorities for Mattermost. For our customers’ protection, and as outlined in our Responsible Disclosure policy, Mattermost does not disclose specifics on these vulnerabilities until 30 days after this announcement. After 30 days, we will publish specific details on the vulnerabilities on our Security Updates webpage.
9.1.1 and 9.0.2 versions also include the following changes:
- Pre-packaged Focalboard plugin v7.11.4.
- Added a new configuration setting `MaxFieldSize` to add the ability to size-limit log fields during logging.
- Added a restriction to the mobile OAuth / SAML redirection to match the `NativeAppSettings.AppCustomURLSchemes` configuration setting.
8.1.4 version also includes the following changes:
- Pre-packaged Focalboard plugin v7.11.4.
- Fixed an issue where plugin developers were unable to create a `textarea` in interactive dialogs.
- Fixed an issue where copy-pasting images from Chrome failed.
- Added a new configuration setting `MaxFieldSize` to add the ability to size-limit log fields during logging.
- Added a restriction to the mobile OAuth / SAML redirection to match the `NativeAppSettings.AppCustomURLSchemes` configuration setting.
- When `ServiceSettings.ExperimentalEnableHardenedMode` is enabled, standard users authenticated via username and password will not be able to use post props reserved for integrations, such as `override_username` or `override_icon_url`.
7.8.13 version also resolves the following bugs:
- Pre-packaged Focalboard plugin v7.8.9.
- Added a new configuration setting `MaxFieldSize` to add the ability to size-limit log fields during logging.
- Added a restriction to the mobile OAuth / SAML redirection to match the `NativeAppSettings.AppCustomURLSchemes` configuration setting.
- When `ServiceSettings.ExperimentalEnableHardenedMode` is enabled, standard users authenticated via username and password will not be able to use post props reserved for integrations, such as `override_username` or `override_icon_url`.
You can follow the standard upgrade instructions to apply the updates.
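The hardened-mode, log-field-size and redirect-scheme settings listed in the release notes above, as an added audit example that is not part of this advisory or of Mattermost's own code: it loads a constructed config.json fragment, flags the settings a defender would want enabled, and shows a scheme allow-list check modelled on the described redirect restriction. Placing `MaxFieldSize` under `LogSettings` is an assumption (the advisory names only the key), and `redirect_allowed` is an illustration of the rule, not the server's implementation.

```python
import json
from urllib.parse import urlsplit

# Constructed sample config.json fragment (not from a real deployment); only the
# keys this advisory mentions are present. Placing MaxFieldSize under
# LogSettings is an assumption: the advisory names only the key.
SAMPLE_CONFIG = json.loads("""
{
  "ServiceSettings": {"ExperimentalEnableHardenedMode": false},
  "NativeAppSettings": {"AppCustomURLSchemes": ["mmauth://"]},
  "LogSettings": {"MaxFieldSize": 0}
}
""")

# Post props the advisory says are reserved for integrations under hardened mode.
RESERVED_POST_PROPS = ("override_username", "override_icon_url")


def audit_config(cfg: dict) -> list:
    """Return findings for the settings named in this advisory (empty list = OK)."""
    findings = []
    hardened = cfg.get("ServiceSettings", {}).get("ExperimentalEnableHardenedMode", False)
    if hardened is not True:
        findings.append(
            "ServiceSettings.ExperimentalEnableHardenedMode is not enabled: "
            "password-authenticated users can still set "
            + ", ".join(RESERVED_POST_PROPS))
    max_field = cfg.get("LogSettings", {}).get("MaxFieldSize", 0)
    if isinstance(max_field, bool) or not isinstance(max_field, int) or max_field <= 0:
        findings.append("LogSettings.MaxFieldSize is unset or 0: log fields are not size-limited")
    return findings


def redirect_allowed(redirect_url: str, cfg: dict) -> bool:
    """Illustrative allow-list check, modelled on the restriction described above
    (not Mattermost's code): a mobile OAuth/SAML redirect target is accepted only
    if its URL scheme is one of NativeAppSettings.AppCustomURLSchemes."""
    configured = cfg.get("NativeAppSettings", {}).get("AppCustomURLSchemes") or []
    # Accept entries written either as "mmauth" or as "mmauth://".
    allowed = {s.lower().rstrip(":/") for s in configured}
    scheme = urlsplit(redirect_url).scheme.lower()
    # Scheme-relative ("//host/...") and schemeless targets have no scheme and are refused.
    return bool(scheme) and scheme in allowed
```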