
Vanilla 2.1.13 - security updates

Linc Director of Development Detroit Vanilla Staff
edited November 2015 in Releases

If you have difficulty upgrading, please start a new discussion for assistance.

This release addresses multiple security issues and should be applied immediately to all forums running the 2.1 release branch.

Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.13p1

Upgrade Steps

  • Backup your database, .htaccess and conf/config.php file somewhere safe.
  • Upload the new release's files so they overwrite the old ones.
  • Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
  • If it fails, try it a second time by refreshing the page. More troubleshooting tips.

To upgrade to 2.1.13 directly from 2.0.x, add these steps:

  • Delete the file /themes/mobile/views/discussions/helper_functions.php
  • Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)

Security Patches in 2.1.13

  • Fix issues with fetchPageInfo() implementation.
  • Implement public stashes.
  • Protect transient key from JSONP.
  • Protect transient key on profile pages.
  • Don’t allow SSO with empty secrets.
  • Remove htmlEntityDecode() endpoint.
  • Improve addon testing / enabling / disabling security.
  • Add validation to .org feed pulling.
  • Protect discussions from unauthorized split/merge.
  • Add output filtering to a few places.

Our sincere thanks once again to @mtschirs, whom Vanilla Forums recently worked with on a formal security audit. This update addresses the issues identified during that audit that we prioritized for backport.

We recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme. Troubleshooting tips.

The 2.1 branch is in maintenance mode which means it is only receiving security patches until the release of 2.2.


Comments

  • kopna Coimbra Portugal ☯
    edited October 2015

    Hi, I'm testing Vanilla (2.1.11) on a virtual server. How do I update without errors? Or do the whole step-by-step instructions apply when using a virtual server?

  • Linc Director of Development Detroit Vanilla Staff

    @kopna said:
    Hi, I'm testing Vanilla (2.1.11) on a virtual server. How do I update without errors? Or do the whole step-by-step instructions apply when using a virtual server?

    Using a virtual server should make no difference.

  • Failure
    The update was not successful.

    How can I update? What's wrong?

  • kopna Coimbra Portugal ☯

    Excuse me, I expressed myself incorrectly. Tested on a virtual machine, Denwer. Thanks again :-)

  • Hi,
    I updated and after running "myforum.com/vanilla/index.php?p=/utility/update" I got the attached error message.
    Pls help ;-)
    thx in advance.

  • Linc Director of Development Detroit Vanilla Staff

    If you have trouble upgrading, please follow the instructions in the first post.

    1. Do this: http://docs.vanillaforums.com/developers/troubleshooting/
    2. Start a new discussion for help, detailing what you've done so far.

  • Linc Director of Development Detroit Vanilla Staff

    There was a minor regression bug in the Split/Merge plugin. We've released 2.1.13p1 to correct it. Thanks to Graham Mills for reporting the issue via GitHub.

  • kopna Coimbra Portugal ☯

    Hello,
    Going back to the question: I am not testing Vanilla on real hosting. I downloaded the Vanilla 2.1.13 update and followed the link yourforum.com/index.php?p=/utility/update

    - nothing has changed. I did not understand :-(

    Is there a guide on how to update Vanilla in a virtual machine? Do I need to do the update manually? Thank you.

  • Linc Director of Development Detroit Vanilla Staff

    I have no idea what you're asking, and this is not the appropriate discussion for it.

  • jackmaessen ✭✭✭
    edited November 2015

    This is yet another security update. I can remember that when it was version 2.1.10 it was said: this is probably the last update for the 2.1 version. Now we have 2.1.13p1. Of course, security has the highest priority, but so many updates are a little bit confusing for the people who run a Vanilla forum.
    For every update, you have to overwrite the complete core files, even if only 1 line in a file has changed.
    As you can see in the discussions, there are a lot of problems people encounter when doing an update.
    I think many people think when they become aware of an update: "No, please not again. I can get problems with it again!".
    This is really what I am a little bit concerned about.
    I advocate for an easy way of updating in which people encounter fewer difficulties.

  • Thanks for working on Vanilla forum for us. Working great :)

  • Hillfoot Stockton-on-Tees New

    I have downloaded 2.1.13 and installed it and the site runs OK. But at the foot (when in "Dashboard") it shows v. 2.1.8 !!

  • Linc Director of Development Detroit Vanilla Staff

    @Hillfoot Sounds like the version is being pulled from the config, which is no longer updated by the code. I'd just remove it from the foot, or change the version number in the conf/config.php file if it really bothers you. It isn't used for anything else.

  • Linc Director of Development Detroit Vanilla Staff

    @jackmaessen said:
    This is really what I am a little bit concerned about.
    I advocate for an easy way of updating in which people encounter fewer difficulties.

    A security update is, on the whole, unlikely to cause a problem when upgrading. The difficulties are more often someone waking up and trying to jump directly from a much older version, especially if they had a great number of plugins and database modifications.

    For every person who complains about needing to overwrite every core file, I believe there are two with broken, unsafe, hybrid versions of Vanilla from badly doing selective upgrades. It's easier to troubleshoot a known code version than a mishmash.

  • hello..

    Are these updates really needed? Is there a main or major vulnerability with Vanilla Forums?

    thank you,

  • R_J Cheerleader & Troubleshooter Munich Moderator

    @whitefl0w said:
    hello..

    Are these updates really needed? Is there a main or major vulnerability with Vanilla Forums?

    thank you,

    Good question! Let me use some words a wise man used a long, long time ago...

    @Linc said:
    This release addresses multiple security issues and should be applied immediately to all forums running the 2.1 release branch.

  • Linc Director of Development Detroit Vanilla Staff

    @whitefl0w said:
    Is there a main or major vulnerability with Vanilla Forums?

    We don't do security releases for fun.

  • Hi!

    After upgrading to version 2.1.13, the merge action of the Split/Merge plugin doesn't work. Earlier a window appeared with a dropdown field of selected topics. But now the window appears without any fields. There is only a close button on that window.

  • Thanks, I updated here and it is ok B)

  • Linc Director of Development Detroit Vanilla Staff

    @Ivan_Gurin said:
    After upgrading to version 2.1.13, the merge action of the Split/Merge plugin doesn't work.

    Upgrade to 2.1.13p1, updated in the original post above. Sorry 'bout that.

  • @Linc said:

    @Ivan_Gurin said:
    After upgrading to version 2.1.13, the merge action of the Split/Merge plugin doesn't work.

    Upgrade to 2.1.13p1, updated in the original post above. Sorry 'bout that.

    Thank you for the quick answer and useful update :)

  • ytadvisors Indiana
    edited November 2015

    Just did the upgrade. My first ever Vanilla upgrade process. It went well.

    Can't wait for 2.2!!!

  • peregrine MVP
    edited November 2015

    @Hillfoot said:
    I have downloaded 2.1.13 and installed it and the site runs OK. But at the foot (when in "Dashboard") it shows v. 2.1.8 !!

    @Linc said:
    @Hillfoot Sounds like the version is being pulled from the config, which is no longer updated by the code. I'd just remove it from the foot, or change the version number in the conf/config.php file if it really bothers you. It isn't used for anything else.

    An alternative thought on your situation, Hillfoot.

    If you don't have some plugin or theme modifying the version in the dashboard, the version number at the bottom of your dashboard should be the same version number reflected in your index.php.

    Make sure that you have copied the index.php file over correctly from the new version. Is it possible you overlooked copying this file?

    It should state 2.1.13p1 if the index.php is correct,

    since the dashboard uses admin.master.php, which uses the constant APPLICATION_VERSION that is set in your index.php.

    i.e.
    echo '<div class="Version">Version ', APPLICATION_VERSION, '</div>';

    http://vanillaforums.org/discussion/26943/tutorial-how-to-determine-the-version-number-of-vanilla-that-you-are-using-for-your-own-forum

    It could be helpful to you and the people debugging your forum to see the correct version; if the index.php is incorrect, then the info in Firebug and debuggers is also incorrect and may throw people off, and they might think you have a different version of the software than you actually do.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
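Tying the upgrade steps in the first post (back up .htaccess and conf/config.php, overwrite, run /utility/update) to peregrine's footer-version check, here is an added helper script that is not the Vanilla project's code nor anything posted in this thread. It assumes index.php sets the version with `define('APPLICATION_VERSION', '...')` and that the stale footer value lives in conf/config.php under `$Configuration['Garden']['Version']`; the sample tree it builds is constructed data, not a real install.

```shell
# Copy .htaccess and conf/config.php (the files the upgrade steps say to
# back up) into a timestamped directory outside the web root.
backup_config() {
    root="$1"; dest="$2/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest/conf" || return 1
    cp -p "$root/.htaccess" "$dest/.htaccess" || return 1
    cp -p "$root/conf/config.php" "$dest/conf/config.php" || return 1
    echo "$dest"
}

# Print APPLICATION_VERSION as defined in index.php (e.g. 2.1.13p1).
installed_version() {
    sed -n "s/.*define('APPLICATION_VERSION', *'\([^']*\)').*/\1/p" "$1/index.php"
}

# Print the stale version string cached in conf/config.php, if present
# (assumed key: $Configuration['Garden']['Version']).
config_version() {
    sed -n "s/.*\['Garden'\]\['Version'\] *= *'\([^']*\)'.*/\1/p" "$1/conf/config.php"
}

# Succeed when index.php carries the expected release; otherwise report the
# mismatch, which is peregrine's diagnosis of a footer showing an old version.
check_upgrade() {
    actual=$(installed_version "$1")
    [ "$actual" = "$2" ] && return 0
    echo "index.php reports '${actual:-none}', expected '$2'" >&2
    return 1
}

# Build a constructed Vanilla-like tree (sample data, not a real install) so
# the checks can be run offline; prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf"
    printf "<?php\ndefine('APPLICATION_VERSION', '%s');\n" "$1" > "$d/index.php"
    printf "<?php\n\$Configuration['Garden']['Version'] = '2.1.8';\n" > "$d/conf/config.php"
    printf "RewriteEngine On\n" > "$d/.htaccess"
    echo "$d"
}

# Usage on a real forum: backup_config /var/www/forum /root/vanilla-backups
# then, after uploading the release and visiting /utility/update:
#   check_upgrade /var/www/forum 2.1.13p1
```

The database dump itself is left to mysqldump, since the script only covers the two files the upgrade steps name.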

  • Dear Developers: Thank you for the great work!

    However, I think I've found another regression bug:
    Call to undefined method ProxyRequest::status() in library/core/functions.general.php on line 759
    This call is inside the function FetchPageInfo, which is used for Vanilla Comments. Consequently, in 2.1.13p1 it is not possible to write the first comment to an article using Vanilla Comments (the user gets the error message "There was an error performing your request. Please try again.").

    It is possible that the bug was already introduced in an earlier version. However, 2.1.10 worked well.
