Mattermost security updates 9.9.1 / 9.8.2 / 9.7.6 / 9.5.7 (ESR) released

We’re informing you about a Mattermost security update, which addresses vulnerabilities ranging from low to high severity. We highly recommend that you apply the update.

The security update is available for Mattermost dot releases 9.9.1, 9.8.2, 9.7.6, and 9.5.7 (Extended Support Release) for both Team Edition and Enterprise Edition. They are available for download here.

Customer safety and data security are the utmost priorities for Mattermost. For our customers’ protection, and as outlined in our Responsible Disclosure policy, Mattermost does not disclose specifics on this vulnerability until 30 days after this announcement. After 30 days, we will publish specific details on the vulnerability on our Security Updates webpage.

The v9.9.1, 9.8.2, 9.7.6, and 9.5.7 versions also include the following fix:

  • Fixed an issue where banners set by system administrators did not stack below system banners, and instead appeared underneath them. Existing system banners have remained unchanged.

The v9.9.1 version also includes the following fixes:

  • Removed the feature flag that prevented enabling MetricsSettings.EnableClientMetrics.
  • Added a page load time to the client performance metrics.
  • Fixed web app performance reports being marked as outdated after the user’s computer woke up from sleep.
  • Increased range of LCP metrics and Load Event End metrics that can be measured.
  • Fixed an error caused by performance telemetry when using Firefox with beacon.enabled set to false.

The v9.5.7 version also includes the following fixes:

  • Added a new configuration setting CloudSettings.Disable (via config.json, or environment variable), default false. When set to true, all requests to the Mattermost Customer Portal from a workspace will be disabled.
  • Fixed an issue where the user status would incorrectly be set to offline without checking for connections in other nodes in a High Availability cluster.
  • Fixed an issue where users could not see the member count in the Browse Channels dialog on some servers.
  • Increased the maximum length of the Value column of the Preferences table.

You can follow the standard upgrade instructions to apply the updates.

Amy Blais is the Release Manager at Mattermost, Inc. Her other roles include Community and Customer Support. She previously served as the company’s Associate Marketing Manager.