@Wallphone:
"The security issue wasn't known for a year--it was known for a couple months."
Are you kidding me? "only known for a couple of months" - how long do you think a script kiddie needs to start hacking a server after a security hole is found? - RIGHT! He needs seconds ... not months! Even more so if all the vulnerabilities are posted on the forum's own bug tracker ^^
"...there was already a public release candidate available when the issue became public knowledge."
Yes, sure, and thanks for it. BUT it is NOT our job to check every bug tracker, hacker forum or security web page for the huge amount of software we are all using! (Or do you check the Microsoft knowledge base every 24 hours because there are 5 more bugs and security holes found in M$ products? Don't think so.) BUT OF COURSE IT IS our job to use the integrated upgrade/update feature to see if any updates/fixes are available - that's what we can do regularly.
"I've got more than one that are over a year old, each downloaded more than a thousand times--yet they've never been updated and don't have any comments indicating bugs."
That's absolutely correct! No question - but on the other side there are 20 times more addons which are buggy, outdated and need to be dumped, deleted or updated/continued! Let's say 1 out of 5 addons will even work after 5 Vanilla updates and will still work 2-3 years after being published. So what? How does this fact fix the general problem?
"If you are using a buggy extension that has been abandoned and the author can't update it, ask them if they will contribute it to the Vanilla Friends project"
Sorry, but it's not very useful to OUTSOURCE everything ^^ What's next? Vanilla Friends will develop Vanilla instead of Mark or Vanilla itself? Any new Vanilla Addon Friends will keep outdated and bugged addons alive? Any new sourceforge.net project will develop any new features or semi-Vanillas? What's next???
Sorry again, this will kill Vanilla sooner or later! This is the wrong direction, as Vanilla should stay in one place and should be central.
WE CAN'T check 5 pages/projects daily to keep Vanilla, Vanilla addons and security bugfixes updated ... this kind of development will only shrink the Vanilla community until at the end only a few "freaks" who invest 4 h daily in Vanilla will use Vanilla ... but I think 60-90% of the Vanilla users are CASUAL forum users - do you want to lose them all? That would be very sad :(
Sorry, that's just my opinion and I think many of the Vanilla fans think similarly!
I don't want to be rude or aggressive with my words - sorry if it sounds like it, English just is not my native language.
I LOVE VANILLA AND EVERYONE WHO HELPS KEEPING IT ALIVE & UPDATED! /THANKS!!!!
But the current splitting of development, plus the additional fact of plenty of bugged and outdated addons, plus the fact that security updates of Vanilla take months ... that's absolutely the wrong direction we are going, I think.
We need solutions! Not the beginning of the end :(
Why should someone use Vanilla with long-open security holes and for years bugged and outdated addons when there are plenty of bigger forums and communities out there he could use without checking 5 pages and projects to be sure he is up to date and safe?
Eugen
@eugen: The security issues have all been reported in August and fixed quickly. Mark was on holiday at the time and couldn't release 1.1.5 (but a release candidate was available).
We delayed the release again at the start of September to try to fix another security issue. Since it took 3 weeks we shouldn't have waited for it, but it did not seem it would take so long at the time.
About a 1.1.4a release: we do not maintain a branch for the last minor release, but now that we are heading for Vanilla 1.2, we will probably soon open a 1.1.x branch.
Also, with Vanilla 1.1.5, one of the fields in the Lum_User table needs to be updated. Vanilla does it automatically but needs to edit conf/settings.php. If you don't want Vanilla to alter the User table on each load, make sure that $Configuration['DATABASE_VERSION'] = '2'; has been added to conf/settings.php. Edit it manually after a few requests on your forum if for whatever reason Vanilla doesn't have write permission on your settings files.
They have the same update feature; if you have used one of them the field (the password field) has been changed and $Configuration['DATABASE_VERSION'] = '2'; has been added to conf/settings.php.
Here is the list of files changed between rc4 and the final release:
appg/md5.csv
appg/settings.php
appg/version.php
setup/installer.php
library/Framework/Framework.Class.Email.php
library/Framework/Framework.Class.DirectoryScanner.php
library/Framework/Framework.Class.IntegrityChecker.php
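The DATABASE_VERSION mechanism described above, as an added example that is not Vanilla's own code: a version-gated schema upgrade that also copes with the case Dinoboff mentions, a conf/settings.php that the web server cannot write. Assumptions: SQLite through PDO stands in for MySQL (the pdo_sqlite extension must be loaded), the loadConfiguration/saveConfigurationKey/upgradeDatabaseIfNeeded names are mine, and the column change itself (adding a PasswordSalt column) is hypothetical, because the page only says that the password field was changed, not how.

```php
<?php
// Added example (not Vanilla's own code): an idempotent, version-gated
// schema upgrade, including the unwritable-settings-file case.
// Assumptions: SQLite via PDO stands in for MySQL; the ALTER below is a
// hypothetical stand-in for the real 1.1.5 change to the password field.

const TARGET_DATABASE_VERSION = '2';

// Read $Configuration the way including conf/settings.php would.
function loadConfiguration(string $settingsFile): array
{
    $Configuration = [];
    if (is_file($settingsFile)) {
        include $settingsFile;   // the file assigns into $Configuration
    }
    return $Configuration;
}

// Append one setting; false means the file could not be written.
function saveConfigurationKey(string $settingsFile, string $key, string $value): bool
{
    $line = sprintf("\$Configuration[%s] = %s;\n",
        var_export($key, true), var_export($value, true));
    if (!is_file($settingsFile)) {
        return @file_put_contents($settingsFile, "<?php\n" . $line) !== false;
    }
    if (!is_writable($settingsFile)) {
        return false;
    }
    return @file_put_contents($settingsFile, $line, FILE_APPEND) !== false;
}

// Check the real schema, not only the config flag, so a second page load
// with an unwritable settings file does not run the ALTER a second time.
function columnExists(PDO $db, string $table, string $column): bool
{
    foreach ($db->query("PRAGMA table_info($table)") as $row) {
        if (strcasecmp($row['name'], $column) === 0) {
            return true;
        }
    }
    return false;
}

// Returns a short status so the caller can warn the admin when needed.
function upgradeDatabaseIfNeeded(PDO $db, string $settingsFile): string
{
    $conf = loadConfiguration($settingsFile);
    if (($conf['DATABASE_VERSION'] ?? '1') === TARGET_DATABASE_VERSION) {
        return 'up-to-date';
    }
    if (!columnExists($db, 'Lum_User', 'PasswordSalt')) {
        // Hypothetical migration standing in for the real 1.1.5 change.
        $db->exec('ALTER TABLE Lum_User ADD COLUMN PasswordSalt VARCHAR(64)');
    }
    if (!saveConfigurationKey($settingsFile, 'DATABASE_VERSION', TARGET_DATABASE_VERSION)) {
        // Schema is fine, but the flag did not stick: the admin has to add
        // $Configuration['DATABASE_VERSION'] = '2'; to conf/settings.php by hand.
        return 'schema-updated-but-settings-not-writable';
    }
    return 'schema-updated';
}

// Demonstration with a constructed in-memory database and a temporary settings file.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
$db->exec('CREATE TABLE Lum_User (UserID INTEGER PRIMARY KEY, Password VARCHAR(50))');
$settings = tempnam(sys_get_temp_dir(), 'vanilla-settings-');
file_put_contents($settings, "<?php\n\$Configuration['DATABASE_VERSION'] = '1';\n");

echo upgradeDatabaseIfNeeded($db, $settings), "\n";   // first load: upgrades
echo upgradeDatabaseIfNeeded($db, $settings), "\n";   // second load: nothing to do
unlink($settings);
```

The point of the columnExists check is the failure mode in the thread: if the config flag is the only guard and the settings file is read-only, every request would attempt the ALTER again. Gating on the actual schema keeps repeated loads harmless until the admin edits conf/settings.php manually.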
@Jun: Do you always get the message or just sometimes?
Sometimes is normal. Vanilla just wants to be sure you want to log out and that it is not a CSRF. If you always get it, try to re-upload themes/menu.php. If you are using a theme, it might need to be updated.
Dinoboff: I always get this error. If I revert back to 1.1.4, I do not see this message any more (I had to restore the old database). The menu.php is uploaded. Note I do not see this error message when I log off this forum (it uses 1.1.5 as well). Anything else I should try? Thanks.
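The log-out check Dinoboff describes, as an added example that is not Vanilla's code: the sign-out link carries a per-session token, a request without a valid token is treated as a possible cross-site request and answered with the confirmation form instead of ending the session, and a theme whose menu.php still renders the old token-less link therefore hits the confirmation on every click. The /signout URL, the function names and the session array layout are assumptions made for the example.

```php
<?php
// Added example (not Vanilla's own code): CSRF-guarded sign-out with a
// confirmation fallback. The /signout URL and the session layout are assumed.

// Lazily create a random token bound to this session.
function logoutToken(array &$session): string
{
    if (empty($session['logout_token'])) {
        $session['logout_token'] = bin2hex(random_bytes(16));
    }
    return $session['logout_token'];
}

// What an up-to-date themes/menu.php should emit: the token travels with the link.
function signOutLink(array &$session): string
{
    return '/signout?token=' . urlencode(logoutToken($session));
}

// What a stale theme emits: no token, so every click lands on the confirmation.
function staleSignOutLink(): string
{
    return '/signout';
}

// Returns ['action' => 'signed-out'|'confirm', 'html' => form or ''].
function handleSignOut(array &$session, array $request): array
{
    $expected = logoutToken($session);
    $given = (string)($request['token'] ?? '');
    if ($given !== '' && hash_equals($expected, $given)) {
        $session = [];   // genuine request from our own page: end the session
        return ['action' => 'signed-out', 'html' => ''];
    }
    // Missing or wrong token: could be an <img src="/signout"> on another
    // site, so ask the user instead of acting. The form carries the token.
    $html = '<form method="post" action="/signout">'
          . '<p>Can you please confirm you would like to sign out?</p>'
          . '<input type="hidden" name="token" value="'
          . htmlspecialchars($expected, ENT_QUOTES, 'UTF-8') . '">'
          . '<button type="submit">Sign out</button></form>';
    return ['action' => 'confirm', 'html' => $html];
}

// Demonstration with a constructed session.
$session = ['user_id' => 42];

// 1. Link from an updated theme: token present, signs out directly.
parse_str((string)parse_url(signOutLink($session), PHP_URL_QUERY), $query);
echo handleSignOut($session, $query)['action'], "\n";

// 2. Link from a stale theme (or a cross-site request): no token, asks first.
$session = ['user_id' => 42];
parse_str((string)parse_url(staleSignOutLink(), PHP_URL_QUERY), $query);
$result = handleSignOut($session, $query);
echo $result['action'], "\n";

// 3. Submitting the confirmation form with its token completes the sign-out.
preg_match('/name="token" value="([0-9a-f]+)"/', $result['html'], $m);
echo handleSignOut($session, ['token' => $m[1]])['action'], "\n";
```

Seeing the confirmation occasionally is the guard doing its job; seeing it on every sign-out means the link being rendered never carries the token, which is why the advice above is to re-upload or update the theme's menu.php rather than to disable the check.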
Some problems were encountered
Can you please confirm you would like to sign out?
Anyone else have this issue? How do I find out what is wrong? Thanks in advance.
Can you give me the address of the forum?