Vanilla 2.5.1 now available - security update
Vanilla 2.5.1 contains multiple security and bug fixes. Please upgrade immediately.
If you are upgrading from a release prior to 2.5, read the 2.5 notes first and follow those steps to upgrade.
This is a drop-in replacement for 2.5. Run utility/update twice after uploading.
Release notes follow. Please start a new discussion for assistance with problems upgrading.
- Fix profile controller permission checks to block user content from guests.
- Fix XSS issue in Flagging addon.
Additionally, we wish to belatedly thank psych0tr1a for reporting an XSS vulnerability in our HTMLawed implementation that was previously patched in the 2.5 release.
- Fix category permission check when using the comments API endpoint (overly aggressive, not leaking data).
- Fix .htaccess to work correctly with subdirectories.
- Fix broken link text in posts when using "Warn When Leaving" security setting with Wysiwyg formatting.
- Disable FloodControl checks when saving the activity notification queue to fix blocked notifications.
- Fix analytics tick redirecting to sign-in when Private Community is enabled.
- Fix missing Vanilla logo on install screen.
- Add support for the rel attribute on YouTube embeds.
- Add profile extender fields into controller data for use by addons.
- Add a note about MySQL strict mode to the README.
- Update the dashboard version check to seek PHP 7.0.
We anticipate more security fixes in the coming months as we increase exposure of our security bounty program. Please keep a careful eye on your dashboard and this forum for further updates.