Users running a non-download version of Vanilla (pulled from github), on branch release/2019.016 or master from the last 2 weeks should upgrade to release/2019.017 or latest master for security reasons. Downloaded official open sources releases are not affected.

Vanilla 2.8.4 is now available for download - Important security patches

charrondevcharrondev Developer Lead (PHP, JS)Montreal Vanilla Staff
edited June 2019 in Releases

Get it right here:

This release contains CRITICAL security patches.

  • Patched SSRF in HTTP client.
  • Updated release file system permissions to be less permissive.

It has been brought to our attention that our file system permissions were far to open in our open source releases. These concerns were initially dismissed because in our version control repository and on all of our infrastructure the permissions were correct.

Thanks to the insistence of @R_J I discovered a bug in our OSS release build tool that reset all of the file permissions to 777 (very dangerous).

Starting in this release file system permissions are essentially 755 for directories and 644 for files.

Please upgrade to the latest version of Vanilla as soon as possible. No other changes from 2.8.3 are in this version.



  • Update done. Everything's ok! Good job! Thanks!

  • LincLinc Director of Development Detroit Vanilla Staff

    May I suggest 775 for folders in the future? On a default setup, this is still quite safe as the HTTP client is in its own group. On more creative setups (cough like mine cough), it provides great flexibility in permissions management without needing to modify it every update.

  • R_JR_J Cheerleader & Troubleshooter Munich Moderator

    I use 775 for /cache, /conf and /uploads and 755 for the rest.

Sign In or Register to comment.