Vanilla 2.1.5 released (and 2.0.18.14)
Vanilla 2.1.5 is now available. It is a security & bug fix release for the 2.1 branch.
This is an urgent upgrade for all forums.
25 files changed in this version. GitHub code diff
Summary:
- Security: An Insecure Direct Object Reference was fixed that allowed unauthorized comment editing.
- Security: Potential CSRF vectors were closed, including one that could allow account hijacking.
- Fixes issue where enabling cleditor would permanently allow `style` parameter in comments.
- Fixes issue notifying users of new comments in certain cases where they did not have permission to then view them.
- Fixes OpenID bug affecting Google Sign In.
- Multiple community-contributed bug fixes.
Thanks to Anand Meyyappan (thru a sponsorship by Private Internet Access) for discovering the CSRF issues and to Marcos Toledo for responsibly disclosing them. And thanks to Brandon Perry at ZeniMax Online Studios for disclosing the Insecure Direct Object Reference.
Hat tips to @hgtonight, @R_J, agauniyal, and @Shadowdare for contributing code to 2.1.5, and to @Bleistivt & @hgtonight for some quick testing when the release was fast-tracked yesterday when the IDOR was discovered.
If you are still on the 2.0 series, please upgrade immediately to 2.0.18.14 which closes the above noted security issues plus the DeliveryType issue noted in the 2.0.3 release. Reminder: We will end support of 2.0.* at the end of the year.
Comments
What is the procedure for upgrading Vanilla Forums?
From here: https://github.com/vanilla/vanilla
This release was fast-forwarded from 2.1.4 to 2.1.5 to fix a simple merge flaw in the settings controller.
I'm using 2.1.3
What do I need to do to get on 2.1.5?
I may have changed some of the updated files in my 2.1.3 so it's good to change the lines in those 2 files by hand?
Wanna do it now.
The upgrade instructions are in the README file.
We do not recommend directly modifying core files.
I immediately regret naming it 2.0.18.14 instead of 2.0.19. I'm so over 4-part names.
I downloaded the vanilla core 2.1.5 and uploaded the 25 files that are changed,
go to yourforum.com/index.php?p=/utility/update
that said the update was successful.. but when I check in my conf/config.php the version says 2.1.3???
What it says in the config is irrelevant.
Then I'm happy to say I'm on 2.1.5 and it's working magnific dude!
After installation, my forum returns a blank white page.
Link - http://gomilitary.in/Forum/
@onesoftindiana: please read those two links to find out more about “blank screen”:
http://vanillawiki.homebrewforums.net/index.php/Bonk_Errors
http://vanillaforums.org/docs/errors
Then please report about the actual error.
Thanks for the update, @Linc! Keep up the good work, everyone!
Add Pages to Vanilla with the Basic Pages app
also see
http://vanillaforums.org/discussion/26703/plugins-themes-that-work-and-don-t-work-in-vanilla-2-1/p1
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Very nice! Just copy over it and it is upgraded.
Thanks
Is it ok to clone directly from the git repo to production site and install?
The 2.1 branch on GitHub is identical to the zip file from here.
@gohunter The `master` branch on GitHub is very different and not yet tested for distribution. Use at your own risk. You can clone the `2.1` branch safely.
Are you suggesting that it is better to just use the zip file with 2.1.5?
If you don't know how to clone the 2.1 branch via GitHub, just get the zip. Both using zip or cloning proper branch work. Just installing zip is easy, unless you have a reason to use GitHub and plan to send in commits to Vanilla. Whatever is easiest and does the job. Just don't use the wrong branch.
what is the last STABLE version?