Critical security update: Vanilla 2.6.1 is here

Linc

All installations must be upgraded to Vanilla 2.6.1 immediately. Please follow the upgrade instructions in the README.

Full release notes will follow shortly. This release contains multiple security patches, including a critical exploit that was publicly disclosed today. There are no new features or backwards-incompatible changes.

A security-only update to the 2.5 branch of Vanilla will also follow, in this same discussion.

Linc

For those still running PHP 5.6, we've now released Vanilla 2.5.3 - now 2.5.4 with a patch for the disclosed vulnerability and a few other security patches.

If you are able to run PHP 7.0+ we strong recommend you do so immediately and upgrade to 2.6.1 (above).

FBI

Updating on our Million Posts Forum.... Done!
Thanks Devs..

Linc

I've released 2.5.4 and edited my post above. It contains a fix for a persistent but intermittent problem where a user would get a "Garden.Community.Manage" permission error while trying to post. It was introduced in a security patch back in 2.5.1 and I was able to track it down this evening.

Again, please use the 2.6 branch if you're on PHP 7.0+. This issue was not present in that release.

Linc

Release notes for 2.6.1

General fixes and improvements:

• Fix installing Vanilla on Apache before .htaccess is available.
• Fix cached announcements on Recent Discussions sometimes being filtered out.
• Fix discussion summaries not always including all visible categories.
• Fix "Please try again" error when attempting to re-signin while already signed in.
• Fix Advanced Editor uploads failing if unable to determine MIME type.
• Fix Users API v2 endpoint requiring an email address when site is configured to not use emails.
• Fix social sharing of discussions.
• Fix PromotedContent score type validation.
• Fix fatal error on /discussions/tagged pages.
• Fix error message "Unknown column" appearing when bookmarking a discussion.
• Fix writeDiscussionRow function and calls to be compatible with PHP 7.1.
• Fix inability to restore some discussions from the moderation queue.
• Fix reporting an activity.
• Editor: added some custom mimetypes requested by customers.
• Don’t show canonical links in the home controller (including error pages).
• Fix Category following filter displaying on QnA plugin.
• Add the AfterSaveCategory and AfterDeleteCategory events.
• Update README.

Security patches:

• Fix potential account takeover vector via SSO.
• Fix XSS exploit in profile quotes settings page.
• Require postback for requests made to /utility/maintenance.
• Improve fetchPageInfo call in DiscussionModel to be more secure.
• Fix XSS by encoding href attributes in linkDropDown.
• Revise form value defaults for new discussions.
• Stash token and redirect to prevent it from being leaked referrer.
• Fix permission check on private conversation members.
• Fix user email leaking in conversations.
• Prevent IDOR of media thumbnails.
• Fix XSS in connecterror.php.
• Fix identifier escaping in Gdn_SqlDriver. Redundantly fix related SQL injection vectors in /dba/fixurlcodes; /dba/fixinsertuserid; /profile/deleteInvitation; and /utility/sort.
• Fix XSS on Bans search page.
• Fix XSS in title of Fix URL Codes page.
• Fix lack of permission checking in getRecord.
• Escape display of user email address in Dashboard
• Fix permission column name escaping

As you can see, our HackerOne campaign has proven to be very effective and we appreciate the participation of its community in our bounty program. You can participate by visiting https://hackerone.com/vanilla

donovanb

Upgraded. All seems to work except Single Sign Off. I had to take out this:
$Configuration['Garden']['Authenticator']['SignOutUrl'] = '/entry/signout/{Session_TransientKey}?Target=http://www.mydomain.org/wp-login.php?action=logout';

as it was causing an infinite loop.

Cleared cookies, tried re-entering the trusted domains.... I could not solve SSO logout tonight.

jamesinc

@FBI said:
Updating on our Million Posts Forum.... Done!
Thanks Devs..

Aw, my forum only has 150k posts it updated in like 2 seconds. I hardly need maintenance mode at all.

lokanath

Hello Linc,
Newbie here..i have posted some questions in the discussion but no response yet!!

I recently installed 2.6.1 what addons are safe to add? It doesn;’t seem that any addons listed are compatible with the new version of Vanilla.....

rishistmdocs

We have upgraded to 2.6.1. However we have noticed the category follow/unfollow is not working properly. I have selected "View" to "Following". Once it is done, I cannot go back to "All" mode. If try to select "All", it throws Error.

Not Found

The requested URL /discussions was not found on this server.

Linc

@rishistmdocs said:
The requested URL /discussions was not found on this server.

I believe you need to update your .htaccess file if you're using Apache.

Make a backup of your existing one, first.