Vanilla 2.5.1 now available - security update

Linc Admin
edited February 2018 in Releases

Vanilla 2.5.1 contains multiple security and bug fixes. Please upgrade immediately.

If you are upgrading from a release prior to 2.5, read the 2.5 notes first and follow those steps to upgrade.

This is a drop-in replacement for 2.5. Run utility/update twice after uploading.

Release notes follow. Please start a new discussion for assistance with problems upgrading.

Security:

  • Fix profile controller permission checks to block user content from guests.
  • Fix XSS issue in Flagging addon.

Additionally, we wish to belatedly thank psych0tr1a for reporting an XSS vulnerability in our HTMLawed implementation that was previously patched in the 2.5 release.

Bugs:

  • Fix category permission check when using the comments API endpoint (overly aggressive, not leaking data).
  • Fix .htaccess to work correctly with subdirectories.
  • Fix broken link text in posts when using "Warn When Leaving" security setting with Wysiwyg formatting.
  • Disable FloodControl checks when saving the activity notification queue to fix blocked notifications.
  • Fix analytics tick redirecting to sign-in when Private Community is enabled.
  • Fix missing Vanilla logo on install screen.

Enhancements:

  • Add support for rel attribute to YouTube embeds.
  • Add profile extender fields into controller data for use by addons.
  • Add a note about MySQL strict mode to the README.
  • Update the dashboard version check to seek PHP 7.0.

We anticipate more security fixes in the coming months as we increase exposure of our security bounty program. Please keep a careful eye on your dashboard and this forum for more updates regularly.

Comments

  • Everything is fine except .htaccess still doesn't work on my server so I need to use the old one from previous version.

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php\?p=$1 [QSA,L]
    
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]
    
  • calvinb New
    edited March 2018

    If you're using nginx, it's even simpler, really:

            location / {
                    try_files $uri @site;
            }
    
            location @site {
                    rewrite ^ /index.php?p=$uri&$args last;
            }
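    As an added illustration (my own code, not taken from either comment above), a small Python model of where the .htaccess rules and the nginx rules send a request. It assumes a constructed set of on-disk files and models only the front-controller rewrite, not the port-80 redirect, directory checks or PHP handling:

    ```python
    # Constructed stand-in for the files on disk under the web root (hypothetical
    # paths; the real Vanilla tree is not shown on this page).
    EXISTING_FILES = {"/index.php", "/js/library.js", "/uploads/logo.png"}


    def apache_route(request, files=EXISTING_FILES):
        """Model the .htaccess rule from the first comment, single pass only:
        RewriteCond !-d / !-f, then RewriteRule ^(.*)$ index.php?p=$1 [QSA,L].
        In per-directory (.htaccess) context Apache matches the path with the
        leading slash stripped, so $1 carries no leading slash. Only files are
        modelled (no -d check); the port-80 redirect is left out."""
        path, _, query = request.partition("?")
        if path in files:
            return request              # -f matches, conditions fail: served as-is
        target = "/index.php?p=" + path.lstrip("/")
        if query:                       # [QSA] appends the original query string
            target += "&" + query
        return target


    def nginx_route(request, files=EXISTING_FILES):
        """Model 'try_files $uri @site' plus 'rewrite ^ /index.php?p=$uri&$args'.
        $uri keeps its leading slash and the replacement is expanded verbatim,
        so an empty $args still leaves a trailing '&' after p=."""
        path, _, query = request.partition("?")
        if path in files:
            return request              # try_files found the file: no rewrite
        return "/index.php?p=" + path + "&" + query


    def p_param(target):
        """Extract the front-controller parameter p from a routed target, or None."""
        if "?" not in target:
            return None
        for kv in target.split("?", 1)[1].split("&"):
            if kv.startswith("p="):
                return kv[2:]
        return None


    if __name__ == "__main__":
        for req in ("/discussion/12/hello?page=2", "/categories", "/js/library.js"):
            print(req, "->", apache_route(req), "|", nginx_route(req))
    ```

    The two configurations agree on which requests reach index.php, but the value of p differs by a leading slash, which matters if anything downstream compares that value literally.
    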
    
  • We anticipate more security fixes in the coming months as we increase exposure of our security bounty program. Please keep a careful eye on your dashboard and this forum for more updates regularly.

    We expect to release 2.5.2 next week.

  • And how do I know that it was updated?
    Run-> success!
    but in the admin panel -> version 2.5

  • @vanillacat said:
    And how do I know that it was updated?
    Run-> success!
    but in the admin panel -> version 2.5

    You should start a new discussion, and also verify you copied all the files over correctly. If you copied all the files, the dashboard should reflect the proper version. You may have skipped more than environment.php, or some form of caching is preventing the update.

    https://github.com/vanilla/vanilla/blob/Vanilla_2.5.1/environment.php#L19

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.

  • Linc Admin
    edited April 2018

    Due to a clerical error, a bug remains in 2.5.1 that makes it impossible to install Vanilla while MySQL Strict Mode is enabled. The error will reference a problem with "DateExpires" in the database.

    We do have a patch for this issue, and it will be in 2.5.2. In the meantime, you can work around the issue by disabling MySQL Strict Mode.

  • Avantime New
    edited December 2022

    Is it possible to upgrade directly from version 2.5.1 (2018) to the current version (2021.009), or will I need to do this in stages?

    Due to all sorts of work and family commitments, my forum has been neglected by me but has been running happily in the background without any apparent issues (another reason why I have left well alone). My account here appears to have been closed, so I have re-registered now with the intent of upgrading to make things a lot more secure, for one.

    I'm very much an amateur so any help or guidance would be very much appreciated.
