Zulip Server 1.4.3 release (CVE-2017-0881)

Tim Abbott
Jan 29, 2017, 6:31:25 PM1/29/17
to zulip-a...@googlegroups.com
Zulip Server 1.4.3 has been released, fixing an important issue in Zulip Server 1.4.2:

* CVE-2017-0881: A bug in Zulip's implementation of the "stream exists" endpoint allowed Zulip users to subscribe to invite-only streams, without needing to be invited, by using the "autosubscribe" argument to that endpoint and guessing the name of the stream.  Thanks to Rafid Aslam for discovering this issue and reporting it responsibly.
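The bug class described above, modelled as an added example (hypothetical code, not Zulip's implementation): an "exists" endpoint whose optional `autosubscribe` path adds the caller to any stream it finds, beside a hardened version that refuses self-subscription to an invite-only stream the caller is not already a member of. Stream and user names are constructed sample data.

```python
# Illustrative model of CVE-2017-0881 (not Zulip's code): the "stream exists"
# check is fine, but the optional autosubscribe step must still enforce the
# stream's invite-only policy, otherwise guessing a name is enough to join it.
from dataclasses import dataclass, field


@dataclass
class Stream:
    name: str
    invite_only: bool
    subscribers: set = field(default_factory=set)


class PermissionDenied(Exception):
    """Raised by the hardened endpoint when self-subscription is not allowed."""


def _stream_exists(streams, user, name, autosubscribe, enforce_invite_only):
    """Return {'exists': bool, 'subscribed': bool} for the named stream.

    enforce_invite_only=False reproduces the vulnerable behaviour: any caller
    who asks for autosubscribe is added to any existing stream.
    """
    stream = streams.get(name)
    if stream is None:
        return {"exists": False, "subscribed": False}
    subscribed = user in stream.subscribers
    if autosubscribe and not subscribed:
        if enforce_invite_only and stream.invite_only:
            # Hardened path: a non-member cannot join an invite-only stream by
            # asking for it; membership must come through an invitation.
            raise PermissionDenied(f"{name!r} is invite-only")
        stream.subscribers.add(user)
        subscribed = True
    return {"exists": True, "subscribed": subscribed}


def stream_exists_vulnerable(streams, user, name, autosubscribe=False):
    return _stream_exists(streams, user, name, autosubscribe, False)


def stream_exists_fixed(streams, user, name, autosubscribe=False):
    return _stream_exists(streams, user, name, autosubscribe, True)


def make_streams():
    # Constructed sample data: one invite-only stream with one member, one public stream.
    return {"secret-plans": Stream("secret-plans", True, {"alice"}),
            "general": Stream("general", False, {"alice"})}


def autosubscribe_refused(streams, user, name):
    """True if the hardened endpoint refuses to auto-subscribe `user` to `name`."""
    try:
        stream_exists_fixed(streams, user, name, autosubscribe=True)
    except PermissionDenied:
        return True
    return False
```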

This release contains only this change and thus is a very low-risk upgrade.  We highly recommend that you upgrade as soon as possible if your organization uses invite-only streams.

You can upgrade as usual by following the instructions here:

        -Tim Abbott