Vanilla 2.1.1 - important security & bug release
Announcing the availability of 2.1.1, a security & bug fix release for 2.1.
It is imperative all 2.1 forums upgrade immediately.
- HtmLawed was upgraded to close an XSS vector (thanks to Psych0tr1a for responsibly disclosing this to us & to HtmLawed for a fast patch in response).
- Multiple XSS exploits were fixed (thanks to @x00 for responsibly disclosing, and to both him and @businessdad for assistance in making our patches as bulletproof as possible).
- Fixed a Twitter SSL bug (thanks @Adrian for the patch).
- Fixed a missing permission check in the sorting utility (thanks @R_J for the patch).
- cleditor was patched to fix a crippling IE11 bug.
- Profile Extender was upgraded and a security flaw in it was fixed.
- Fixed a bug in Announcing while starting a discussion.
- Corrected the default theme README.
- Backported GDN_UserAuthenticationProvider.IsDefault so the latest version of jsConnect will work with 2.1.1.
- Fixed a theme screenshot bug (thanks @hgtonight for the patch).
As you can see, some extremely critical fixes are included. The only feature additions are those added to the Profile Extender addon as a result of being backported from the 2.2 (master) branch.
Diff of 2.1.1 against 2.1 gold. (32 files changed, so I don't recommend a selective upgrade on this one.)
2.0.18.11 has the same XSS issues; its patch, originally slated for release this weekend, is available here as 2.0.18.12.
22 Comments
Thanks for the update @Linc. Looking forward to the patch for 2.0.x. I know it will be a pain, but I will need to do a diff before updating, as I had to change a core model to fix some performance issues (which will probably be unaffected, but better safe than sorry).
@businessdad The 2.0 patch will be much more limited since it will selectively be targeting the XSS.
Edited OP to link to 2.0 patch which is out now too.
How does one upgrade 2.1 already installed? Is there like an autoupdate feature or do you have to download the zip and upload via FTP?
@MichaelCS The upgrade instructions are in the README file. Yes, the upshot is: upload the new files, replacing the existing ones. We do not have an auto-update feature.
Fair enough, I will do that sometime tonight after I'm done with Rome II battles. My Vanilla Forums is on a sandbox server while we debate contracting you Vanilla people for a theme and plugin implementation LOL
Good to see the 2.0.18.12 update. Thanks.
Thanks
grep is your friend.
For those using Emotify plugin, if you have custom images/settings, make sure you back up before upgrading, as the files are over-written.
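The comments above describe the two manual precautions for this kind of "replace the existing files" upgrade: back up the install (custom Emotify images and settings get overwritten) and diff the release against your install so a locally patched core file is noticed before it is clobbered. The following POSIX shell script is an added example written for this thread, not code from Vanilla or from anyone posting here; the directory layout it is run against is whatever your install actually contains, and the paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Vanilla): before copying a new
# release over an installed forum, snapshot the install and list the installed
# files the release would overwrite, so local edits (a patched core model,
# custom emoticon images under plugins/Emotify) can be reviewed first.
set -u

# backup_install SRC DEST: archive the whole installed tree under DEST.
# Prints the archive path on success, returns non-zero on failure.
backup_install() {
  src="$1"; dest="$2"
  mkdir -p "$dest" || return 1
  archive="$dest/forum-backup-$(date +%Y%m%d%H%M%S).tar"
  ( cd "$src" && tar -cf "$archive" . ) || return 1
  printf '%s\n' "$archive"
}

# overwritten_files INSTALLED RELEASE: print, one per line, the relative paths
# of files that exist in both trees but whose contents differ. These are exactly
# the files a "replace existing files" upgrade changes; files that exist only in
# the release are new and need no review, files only in the install are untouched.
overwritten_files() {
  installed="$1"; release="$2"
  ( cd "$release" && find . -type f ) | sed 's|^\./||' | sort |
  while IFS= read -r rel; do
    if [ -f "$installed/$rel" ] && ! cmp -s "$installed/$rel" "$release/$rel"; then
      printf '%s\n' "$rel"
    fi
  done
}

# count_overwritten INSTALLED RELEASE: number of files overwritten_files reports.
count_overwritten() {
  overwritten_files "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh pre-upgrade-check.sh /var/www/forum /tmp/vanilla-2.1.1
# (placeholder paths). Runs only when two arguments are given, so the
# functions can also be sourced from another script.
if [ "$#" -eq 2 ]; then
  echo "Backup written to: $(backup_install "$1" "$1.backups")"
  echo "Files the release would overwrite ($(count_overwritten "$1" "$2")):"
  overwritten_files "$1" "$2"
fi
```

Run the script, then compare each listed path that you know you edited (the changed core model, the Emotify images) with `diff` before uploading the release; anything you did not edit can simply be replaced as the README says.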
If it wasn't obvious, anyone using the master/2.2 branch needs to upgrade to 2.2.15.5 (current HEAD) as well.
Hello all,
I can't install the new archive (08.02.14 - 2.1.1), either on a local or on a distant server. On both, the page does not open (it stays blank) and I can't start the setup process. Sorry if I didn't post in the right category.
Any thoughts?
@hmalaud Would be a good idea to start a new troubleshooting discussion.
Ok thanks Linc I'll do that.
Currently running Vanilla 2.0.18.4 - will it be possible to upgrade directly to this version?
Thanks
@blizeH It is, but please follow the 2.0 -> 2.1 upgrade instructions, which have an extra step or two (including deleting an old file). You may need to run /utility/update more than once.
I recommend testing your theme & plugins on a separate 2.1 test install first to make sure it's compatible unless you've already verified they all work. There were a few backwards-compatibility breaks.
That's great, thank you Linc