Vanilla 2.6 is here! It includes security fixes and requires PHP 7.0. We have therefore ALSO released Vanilla 2.5.2 with security patches if you are still on PHP 5.6 to give you additional time to upgrade.
Vanilla 2.5.1 now available - security update
Vanilla 2.5.1 contains multiple security and bug fixes. Please upgrade immediately.
If you are upgrading from a release prior to 2.5, read the 2.5 notes first and follow those steps to upgrade.
This is a drop-in replacement for 2.5. Run utility/update twice after uploading.
Release notes follow. Please start a new discussion for assistance with problems upgrading.
- Fix profile controller permission checks to block user content from guests.
- Fix XSS issue in Flagging addon.
Additionally, we wish to belatedly thank psych0tr1a for reporting an XSS vulnerability in our HTMLawed implementation that was previously patched in the 2.5 release.
- Fix category permission check when using the comments API endpoint (overly aggressive, not leaking data).
- Fix .htaccess to work correctly with subdirectories.
- Fix broken link text in posts when using "Warn When Leaving" security setting with Wysiwyg formatting.
- Disable FloodControl checks when saving the activity notification queue to fix blocked notifications.
- Fix analytics tick redirecting to sign-in when Private Community is enabled.
- Fix missing Vanilla logo on install screen.
- Add support for rel attribute to YouTube embeds.
- Add profile extender fields into controller data for use by addons.
- Add a note about MySQL strict mode to the README.
- Update the dashboard version check to seek PHP 7.0.
We anticipate more security fixes in the coming months as we increase exposure of our security bounty program. Please check your dashboard and this forum regularly for more updates.