
Vanilla 2.1.13 - security updates

LincLinc Admin
edited November 2015 in Releases

If you have difficulty upgrading, please start a new discussion for assistance.

This release addresses multiple security issues and should be applied immediately to all forums running the 2.1 release branch.

Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.13p1

Upgrade Steps

  • Backup your database, .htaccess and conf/config.php file somewhere safe.
  • Upload the new release's files so they overwrite the old ones.
  • Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
  • If it fails, try it a second time by refreshing the page. More troubleshooting tips.

To upgrade to 2.1.13 directly from 2.0.x, add these steps:

  • Delete the file /themes/mobile/views/discussions/helper_functions.php
  • Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)
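The upgrade steps above, scripted as an added example (this is not Vanilla's own upgrade tooling). It assumes the forum tree is in `$FORUM_DIR`, the new release has already been unpacked into `$RELEASE_DIR`, the public forum URL is in `$FORUM_URL`, and `$DB_NAME` (optional) names the database for `mysqldump` (credentials taken from `~/.my.cnf`). One choice of my own: after the release files are copied over, the backed-up `.htaccess` and `conf/config.php` are put back so local changes survive the overwrite; diff them against the release's copies if you want the new defaults.

```shell
#!/bin/sh
# Added example, not Vanilla's own code. Assumed environment:
#   FORUM_DIR   - path of the installed forum (e.g. /var/www/forum)
#   RELEASE_DIR - path where the new release was unpacked
#   FORUM_URL   - base URL of the forum, for the /utility/update step
#   DB_NAME     - optional; if set, mysqldump is run for this database
set -eu

# Step 1: back up the database, .htaccess and conf/config.php into a
# timestamped directory. Prints the backup directory path.
vanilla_backup() {
    forum_dir=$1
    backup_root=$2
    dest="$backup_root/vanilla-backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest/conf"
    if [ -f "$forum_dir/.htaccess" ]; then
        cp -p "$forum_dir/.htaccess" "$dest/.htaccess"
    fi
    cp -p "$forum_dir/conf/config.php" "$dest/conf/config.php"
    if [ -n "${DB_NAME:-}" ]; then
        mysqldump "$DB_NAME" > "$dest/$DB_NAME.sql"
    fi
    printf '%s\n' "$dest"
}

# Step 2: copy the release tree over the forum tree (dotfiles included),
# then restore the two local files from the backup taken in step 1.
vanilla_upgrade_files() {
    release_dir=$1
    forum_dir=$2
    backup_dir=$3
    cp -R "$release_dir"/. "$forum_dir"/
    if [ -f "$backup_dir/.htaccess" ]; then
        cp -p "$backup_dir/.htaccess" "$forum_dir/.htaccess"
    fi
    cp -p "$backup_dir/conf/config.php" "$forum_dir/conf/config.php"
}

# Extra step when coming directly from 2.0.x: remove the two stale files
# named in the post (note the .php, not .tpl, master view).
vanilla_remove_20x_leftovers() {
    forum_dir=$1
    rm -f "$forum_dir/themes/mobile/views/discussions/helper_functions.php"
    rm -f "$forum_dir/applications/dashboard/views/default.master.php"
}

# Step 3: force any pending structure/database updates. Run it a second
# time if the first request fails, as the post advises.
vanilla_run_update() {
    curl -fsS "$1/index.php?p=/utility/update" >/dev/null
}

# Only perform the upgrade when the environment above is actually set.
if [ -n "${FORUM_DIR:-}" ] && [ -n "${RELEASE_DIR:-}" ]; then
    backup=$(vanilla_backup "$FORUM_DIR" "$FORUM_DIR/../vanilla-backups")
    echo "backup written to $backup"
    vanilla_upgrade_files "$RELEASE_DIR" "$FORUM_DIR" "$backup"
    if [ "${FROM_20X:-0}" = 1 ]; then
        vanilla_remove_20x_leftovers "$FORUM_DIR"
    fi
    [ -n "${FORUM_URL:-}" ] && vanilla_run_update "$FORUM_URL"
fi
```

Run it as `FORUM_DIR=/var/www/forum RELEASE_DIR=/tmp/vanilla-2.1.13p1 FORUM_URL=https://yourforum.com DB_NAME=forum sh upgrade.sh` (set `FROM_20X=1` when upgrading from 2.0.x). Keeping the backup outside the web root matters because the SQL dump and `config.php` contain database credentials.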

Security Patches in 2.1.13

  • Fix issues with fetchPageInfo() implementation.
  • Implement public stashes.
  • Protect transient key from JSONP.
  • Protect transient key on profile pages.
  • Don’t allow SSO with empty secrets.
  • Remove htmlEntityDecode() endpoint.
  • Improve addon testing / enabling / disabling security.
  • Add validation to .org feed pulling.
  • Protect discussions from unauthorized split/merge.
  • Add output filtering to a few places.

Our sincere thanks once again to @mtschirs, whom Vanilla Forums recently worked with on a formal security audit. This update addresses the issues identified during that audit that we prioritized for backport.

We recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme. Troubleshooting tips.

The 2.1 branch is in maintenance mode which means it is only receiving security patches until the release of 2.2.


Comments

  • kopna
    edited October 2015

    Hi, I'm testing Vanilla (2.1.11) on a virtual server. How do I update without errors? Or are the whole step-by-step instructions applicable to the use of a virtual server?

  • @kopna said:
    Hi, I'm testing Vanilla (2.1.11) on a virtual server. How do I update without errors? Or are the whole step-by-step instructions applicable to the use of a virtual server?

    Using a virtual server should make no difference.

  • Failure
    The update was not successful.

    How can I update? What's wrong?

  • Excuse me, I expressed myself incorrectly. Tested on a virtual machine, Denwer. Thanks again :-)

  • Hi,
    I updated and after running "myforum.com/vanilla/index.php?p=/utility/update" I got the attached error message.
    Pls help ;-)
    thx in advance.

  • If you have trouble upgrading, please follow the instructions in the first post.

    1. Do this: http://docs.vanillaforums.com/developers/troubleshooting/
    2. Start a new discussion for help, detailing what you've done so far.
  • There was a minor regression bug in the Split/Merge plugin. We've released 2.1.13p1 to correct it. Thanks to Graham Mills for reporting the issue via GitHub.

  • Hello,
    going back again to the question: I am not testing Vanilla on real hosting. I downloaded the update Vanilla 2.1.13 and followed the link yourforum.com/index.php?p=/utility/update

    Nothing has changed. I did not understand :-(

    Is there a guide how to update vanilla in a virtual machine? You may need to do the update manually? Thank you.

  • I have no idea what you're asking, and this is not the appropriate discussion for it.

  • jackmaessen ✭✭✭
    edited November 2015

    This is yet another security update. I can remember that it was said when it was version 2.1.10: this is probably the last update for the 2.1 version. Now we have 2.1.13p1. Of course, security has the highest priority, but so many updates are a little bit confusing for the people who run a Vanilla forum.
    For every update, you have to overwrite the complete core files, even if only 1 line in a file has changed.
    As you can see in the discussions, there are a lot of problems people encounter when doing an update.
    I think many people think when they become aware of an update: "No, please not again. I can regain problems with it!".
    This is really what I am a little bit concerned about.
    I advocate for an easy way of updating in which people encounter fewer difficulties.

  • Thanks for working on Vanilla forum for us. Working great :)

  • I have downloaded 2.1.13 and installed it and the site runs OK. But at the foot (when in "Dashboard") it shows v. 2.1.8 !!

  • @Hillfoot Sounds like the version is being pulled from the config, which is no longer updated by the code. I'd just remove it from the foot, or change the version number in the conf/config.php file if it really bothers you. It isn't used for anything else.

  • @jackmaessen said:
    This is really what I am a little bit concerned about.
    I advocate for an easy way of updating in which people encounter fewer difficulties.

    A security update is, on the whole, unlikely to cause a problem when upgrading. The difficulties are more often someone waking up and trying to jump directly from a much older version, especially if they had a great number of plugins and database modifications.

    For every person who complains about needing to overwrite every core file, I believe there are two with broken, unsafe, hybrid versions of Vanilla from badly doing selective upgrades. It's easier to troubleshoot a known code version than a mishmash.

  • hello..

    Are these updates really needed? Is there a main or major vulnerability with Vanilla Forums?

    thank you,

  • @whitefl0w said:
    hello..

    Are these updates really needed? Is there a main or major vulnerability with Vanilla Forums?

    thank you,

    Good question! Let me use some words a wise man used a long, long time ago...

    @Linc said:
    This release addresses multiple security issues and should be applied immediately to all forums running the 2.1 release branch.

  • @whitefl0w said:
    Is there a main or major vulnerability with Vanilla Forums?

    We don't do security releases for fun.

  • Hi!

    After the upgrade to version 2.1.13, the merge action of the Split/Merge plugin doesn't work. Earlier a window appeared with a dropdown field with the selected topics. But now the window appears without any fields. There is only a close button on that window.

  • Thanks, I updated here and it is ok B)

  • @Ivan_Gurin said:
    After the upgrade to version 2.1.13, the merge action of the Split/Merge plugin doesn't work.

    Upgrade to 2.1.13p1, updated in the original post above. Sorry 'bout that.
