Dec 2013 Security Update: 2.0.18.10 and 2.1b2

LincLinc Director of Development Detroit Vanilla Staff
edited January 2014 in Releases

There is an in-the-wild exploit targeting the update checker in 2.0.18 and 2.1.

If you are running 2.0.18.x, please upgrade HERE.

If you are running a 2.1 beta, please manually update your install by deleting the lines in UtilityController and settings.js indicated here: https://github.com/vanillaforums/Garden/commit/91904fa108a8a5011f684a990fd117ea8ff3625c

That is also the only change made in 2.0.18.10 if you want to selectively apply it.

This release completely removes the update checker.


Comments

  • phreakphreak VanillaAPP - White label iOS and Android App MVP
    edited December 2013

    First, I was a bit irritated because the UtilityController doesn't hold the lines mentioned on GitHub under 2.0.18.9. I guess these were adds done in 2.1.

    Settings is clear.

    Just mentioning it, so others are not confused for this 2nd the same way I was.

    Thanx Lincoln!


    • Vanilla APP » Learn more «
    • iOS & Android App for Vanilla - White label app for your forum
  • LincLinc Director of Development Detroit Vanilla Staff
    edited December 2013

    @phreak The only thing different between the 2 versions is the line numbers. The same methods were removed from both.

  • phreakphreak VanillaAPP - White label iOS and Android App MVP
    edited December 2013

    Uh, yes thanx. I was a bit tired when this came in. ;)


  • peregrineperegrine MVP
    edited December 2013

    If you selectively download or make changes in Vanilla 2.0.18.x without downloading the entire core, you should update the index.php on your forum as well so your dashboard reflects the proper version.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Is this update required if someone downloads the beta today?

  • @openletter said:
    Is this update required if someone downloads the beta today?

    Depends on whether you get it from GitHub or the Addons site. With the Addons site, look at the date of the file version.

  • LincLinc Director of Development Detroit Vanilla Staff

    @openletter Yes. We haven't released a new beta for the security fix.

  • Is this update needed for 2.0.18.10 or is that the fixed version?

  • @review That is the fixed version, as far as I know. Correct me if I'm wrong, please.

  • The code editing only prescribes to Beta versions of 2.1. I'm not sure if it's required on Alpha versions though.

  • @Lincoln Is this fixed in Vanilla 2.2.5?

  • LincLinc Director of Development Detroit Vanilla Staff

    Master branch always has any security fixes, yes.

  • This was an extremely dangerous issue which enabled arbitrary code execution by any registered user. I really, really hope that everyone has this update and I'm worried that not enough was done to promote it.

  • LincLinc Director of Development Detroit Vanilla Staff

    @DaGrFr said:
    This was an extremely dangerous issue which enabled arbitrary code execution by any registered user. I really, really hope that everyone has this update and I'm worried that not enough was done to promote it.

    It was released on RSS, we emailed everyone who is subscribed, and we had it pinned to the top of the site until it was replaced by 2.0.18.11. What do you suggest we do beyond that?
