CRITICAL: Vanilla 2.1.8 released
This is a critical and time-sensitive security upgrade for all forums. At least one of these issues is being actively exploited.
Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.8p2
UPDATE: We have incremented to "2.1.8p2" to address upgrade issues.
Upgrade Steps
- Backup your database, .htaccess and conf/config.php file somewhere safe.
- Upload the new release's files so they overwrite the old ones.
- Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
- If it fails, try it a second time by refreshing the page. More troubleshooting tips.
To upgrade to 2.1.8 directly from 2.0.x, add this step:
- Delete the file /themes/mobile/views/discussions/helper_functions.php
- Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)
Critical Security Patches in 2.1.8
- Fixes a SQL injection vulnerability.
- Fixes a user registration vulnerability.
Hat tip to ZeniMax Online Studios' security team for disclosing the SQL injection vector.
Changes in 2.1.8
- Hardens the UserModel against potential abuse.
- Stub content being re-created on utility/update on private communities.
- Increase permissions required for mass banning (from Moderation.Manage to Settings.Manage).
- Collect additional information about mass-banning changes.
- Removes super-admin permissions from secondary accounts on utility update.
- Fixes an issue changing primary keys during utility update
15 files changed. View the diff. We strongly recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme.
If you have difficulty upgrading, please start a new discussion for assistance.
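The announcement warns against partial upgrades, and the upgrade steps rely on every one of the release's files overwriting the old copy before /utility/update is run. The script below is an added example, not part of the Vanilla announcement or of Vanilla's own code: it checksums a freshly extracted release tree against the deployed forum tree and reports each release file that is missing or still carries old contents, while ignoring files that only exist in the deployment (conf/config.php, uploads, plugins). The directory paths are supplied by the caller, and the sample trees built by make_sample_trees are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Vanilla announcement or the project's code.
# Compares a freshly extracted release tree against the deployed forum tree and
# lists every release file that is missing or differs in the deployment, so a
# partial upgrade is caught before /utility/update is run. Files that exist only
# in the deployment (conf/config.php, uploads, plugins) are deliberately ignored.
# Directory paths are supplied by the caller; the sample trees below are constructed.

# digest FILE: hex SHA-256 of FILE (sha256sum on Linux, shasum elsewhere)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# checksum_tree DIR: one "digest relative-path" line per regular file under DIR
checksum_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(digest "$f")" "${f#./}"
    done )
}

# compare_release RELEASE_DIR DEPLOY_DIR: prints "MISSING path" or "DIFFERS path"
# for each release file the deployment lacks or holds a different copy of
compare_release() {
    checksum_tree "$1" | while read -r sum path; do
        if [ ! -f "$2/$path" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$(digest "$2/$path")" != "$sum" ]; then
            printf 'DIFFERS %s\n' "$path"
        fi
    done
}

# upgrade_complete RELEASE_DIR DEPLOY_DIR: succeeds only when every release file
# is present in the deployment with identical contents
upgrade_complete() {
    [ -z "$(compare_release "$1" "$2")" ]
}

# make_sample_trees: builds constructed release/ and deploy/ trees under a temp
# directory and prints that directory; deploy/ models a partial upgrade (one
# stale file, one file never uploaded) plus a site config the check must ignore
make_sample_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/release/applications/dashboard/models" \
             "$base/release/library/core" \
             "$base/deploy/applications/dashboard/models" \
             "$base/deploy/library/core" \
             "$base/deploy/conf"
    echo 'class UserModel { /* constructed 2.1.8 stand-in */ }' > "$base/release/applications/dashboard/models/class.usermodel.php"
    echo 'class Gdn { /* constructed 2.1.8 stand-in */ }'       > "$base/release/library/core/class.gdn.php"
    echo '<?php // constructed 2.1.8 stand-in'                  > "$base/release/index.php"
    # deployment: usermodel already overwritten, gdn still the old copy, index.php never uploaded
    echo 'class UserModel { /* constructed 2.1.8 stand-in */ }' > "$base/deploy/applications/dashboard/models/class.usermodel.php"
    echo 'class Gdn { /* constructed 2.1.7 stand-in */ }'       > "$base/deploy/library/core/class.gdn.php"
    echo '$Configuration["Debug"] = FALSE;'                      > "$base/deploy/conf/config.php"
    printf '%s\n' "$base"
}

# run with --demo to see the report for the constructed trees
if [ "${1:-}" = "--demo" ]; then
    base=$(make_sample_trees)
    compare_release "$base/release" "$base/deploy"
    upgrade_complete "$base/release" "$base/deploy" && echo "upgrade complete" || echo "partial upgrade detected"
    rm -rf "$base"
fi
```

Run it as `sh check_upgrade.sh --demo` to see the constructed report, or source it and call `upgrade_complete /path/to/extracted-2.1.8 /var/www/forum` before visiting /utility/update; a non-zero exit means at least one of the release's files was not overwritten. Paths containing whitespace are not handled by the `read`-based loop.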
17 Comments
/utility/update fails:
@Nyr Thank you, I will have it corrected shortly. The update has been amended.
We accidentally included a call to array_column which was not added to PHP until 5.5. I substituted ConsolidateArrayValuesByKey, incremented to 2.1.8p1, and updated the first post in this discussion.
I can confirm it's working now.
Hi, I would like to update my forum but can't. Reason:
set_time_limit() has been disabled for security reasons
Is there a way around it?
@deex Yes, comment out this line:
https://github.com/vanilla/vanilla/blob/2.1/applications/dashboard/controllers/class.utilitycontroller.php#L16
As long as your server is fast enough to do it in the standard time limit, you should be fine.
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
VanillaSkins.com - Plugins, Themes and Graphics for Vanillaforums OS
How can I update from Vanilla 2.1.6?
I just tried updating from 2.1.6. The utility/update says simply 'update failed'. Enabling debugging only gives me a couple of errors about my theme cache. Site seems to be working, but going to utility/structure says there are a couple of google-related updates required; clicking the 'run scripts' button reports success but when I re-scan, they're back.
The instructions are above.
Can you post the update it's requesting repeatedly? Did you try disabling third-party addons?
Updating from 2.1.6 gives me an error saying simply "update failed".
More troubleshooting steps: http://docs.vanillaforums.com/developers/troubleshooting/
I recommend starting a discussion with the full error message.
The first thing I followed:
Set $Configuration['Debug'] = TRUE; in your conf/config.php to reveal full error messages. Remember to remove it when you are done.
The whole forum gives a blank page, without any errors.
@AaronWebstey
I think you are talking about
update GDN_UserAuthenticationProvider UserAuthenticationProvider set AuthenticationSchemeAlias = 'GooglePlus' where AuthenticationSchemeAlias = 'Google+';
This is a known issue; if it's not in GitHub I will add it. It's okay though, your site is fine. You can ignore it.
Thanks @Linc ; I'll try disabling plugins tomorrow. Here's the update it can't do. And now that I think of it, I may have fudged around with the google plugin code (I just made a post about that tonight).
Yes @Adrian; sorry, looks like I posted while you were posting
No worries. I had noticed it before, my bad for not adding an issue in GitHub. Doing it now.
https://github.com/vanilla/vanilla/issues/2407
My version number says "Version 2.1.8p1"
Is the p1 bit weird?
@Simeon_Griggs it's fine, Linc had to make a small change.
Failure
The update was not successful. I have gone to the link to read up on the troubleshooting techniques, but still. At the footer of the dashboard I see Version 2.1.8p1.
@martin2008 Do you, also, have Google+ enabled?
Nm