
Vanilla 2.1.3 - security release

Linc, Director of Development, Detroit, Vanilla Staff
edited September 2014 in Releases

Announcing the availability of 2.1.3, a security & bug fix release for the 2.1 branch.

This is an important security release for all users of 2.1.

DOWNLOAD HERE

  • 3 newly discovered XSS vectors were fixed.
  • The timezone bug introduced in 2.1.1 is fixed.
  • Fixes invalid DeliveryType in plugins management.

The diff is here. 6 files changed in total.

Thanks to Dingjie Yang of Qualys, Inc. for 2 of the XSS reports, and Jason Barnabe for the third. We greatly appreciate responsible security reports, which can be directed to support [at] vanillaforums.com.

Hat tip to @bleistivt for making sure the timezone bug was properly filed on GitHub so it wasn't missed for this release.


Comments

  • Linc, Director of Development, Detroit, Vanilla Staff
    edited September 2014

    Where's 2.0.18.14?

    Only 1 of these 3 XSS exploits found in 2.1 is possible in 2.0.18.13, and it's quite a trick to pull off, and it will only work if your target is running IE8 or below. :neutral_face: I'll patch it soon, but it won't be this week; I've run out of time.

  • Will this update on its own in my Joomla in the back of my GoDaddy? Sorry, I'm a noob.

  • Linc, Director of Development, Detroit, Vanilla Staff

    @dportis said:
    Will this update on its own in my Joomla in the back of my GoDaddy?

    I'm sorry, I don't understand the question.

  • @Linc I installed my theme and did everything from the backend of GoDaddy and Joomla. It says update from the back of GoDaddy; I'm just not sure how to do so.

  • Linc, Director of Development, Detroit, Vanilla Staff

    @dportis I'm not familiar with GoDaddy's system. I suspect you may need to wait for them to update to the latest version. You should contact them directly with any questions.

  • Don't use installers that come in some hosts' panels. Install Vanilla yourself using the installation instructions.

    grep is your friend.

  • Okay thank you. @x00 can you help me with my Facebook and Twitter log in?

  • This release seems to have introduced a bug in global.js

    In Safari I'm getting TypeError: 'undefined' is not a function (evaluating 'gdn.url('/utility/sethouroffset.json')') in global.js:313

  • @peregrine thanks for taking the time to look into this... I'm currently not using Vanilla in production, so I'll just revert to 2.1.1 until someone comes out with a proper fix.

  • The above zip can be extracted and copied over the global.js in

    /js/global.js

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • I was not able to manage categories in the back-end. Impossible to select & drag category order.

    However, I solved it by editing '/js/global.js'.
    As peregrine mentioned above, I moved that code from line 309 to line 1177.
    Now my category managing feature works well.

  • K17, Unlosk · Français / French
    edited September 2014

    The MeBox does not work correctly after the update.
    EDIT:
    Dashboard, MeModule, Inbox and more do not work correctly after the update.
    I'm using Vanilla 2.1.1 again.

  • UnderDog, Moderator
    edited September 2014

    Can someone download 2.1.1 and 2.1.2 and do a comparison? We can't have people ignoring XSS bugs because javascript doesn't work, that's not smart.

    Since @peregrine is obsessed with global.js, I'm asking you, can you do it please? I always used WinMerge to compare those versions, long time ago.

  • Maybe someone, preferably a moderator, could make a new zip of Vanilla 2.1.2 with the global JS bug fixed and upload it here.
    I think it really hurts the software if the newest version people should download is in a somewhat broken state.

    My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations

  • peregrine, MVP
    edited September 2014

    @Bleistivt said:
    Maybe someone, preferably a moderator, could make a new zip of Vanilla 2.1.2 with the global JS bug fixed and upload it here.
    I think it really hurts the software if the newest version people should download is in a somewhat broken state.

    True, but...
    then 2.1.2 would be two versions, and that would lead to more complications.

    2.1.2a or 2.1.3 would be better, but index.php should reflect that.

    Someone should call Lincoln or Todd on the phone to alert them. They must have their e-mail turned off :) I sent the Admins in North America (Adrian, Todd and Linc) a PM last night, but expecting them to work on weekends is probably unreasonable.


  • Bleistivt, MVP
    edited September 2014

    Yes, a new version number would be better.

    Something should be done, because the situation right now encourages people not to update and people will be sceptical about updates in the future.

    Even worse, people have broken forums and they don't even notice it (but their users do).


  • peregrine, MVP
    edited September 2014

    True. Affected users on a particular forum may not be able to post or use the buttonbar either to alert the forum owner.

    I suspect it will be sorted out soon. Sent Kasper and Tim a message too :)


  • phreak, VanillaAPP - White label iOS and Android App, MVP
  • @Bleistivt said:
    Maybe someone, preferably a moderator, could make a new zip of Vanilla 2.1.2 with the global JS bug fixed and upload it here.
    I think it really hurts the software if the newest version people should download is in a somewhat broken state.

    I'm completely new to Vanilla forum and was wondering why nothing was working, spent ages trying to figure it out. Turns out there's a bug in the javascript and its been left broken for the weekend. It's not a good first impression.

  • Man... I should have scrolled down before messing with troubleshooting for an hour :D

    Eh... it happens.

  • peregrine, MVP
    edited September 2014

    @jaymz said:
    Man... I should have scrolled down before messing with troubleshooting for an hour :D

    Eh... it happens.

    At least you read the announcement and came back to read the comments later. That's a plus, if it helped.


  • Shadowdare π, Moderator

    @peregrine, thanks for the fix with the global.js file.

    Add Pages to Vanilla with the Basic Pages app | Publish articles with the Articles app

  • Nice thanks guys fixed my issues :)

  • Linc, Director of Development, Detroit, Vanilla Staff

    What is driving me mad is this: No one can seem to explain why the previous call in 2.1 worked but the one in 2.1.2 doesn't. The fact of the fix doesn't interest me half as much as knowing why it happened so I can prevent another faulty release in the future.

  • peregrine, MVP
    edited September 2014

    What is driving me mad is this: No one can seem to explain why the previous call in 2.1

    It didn't work in 2.1 - the hours were never updated, and the method of getting definitions changed. It just didn't crash.


  • peregrine, MVP
    edited September 2014

    @Linc

    What is driving me mad is this: No one can seem to explain why the previous call in 2.1 worked but the one in 2.1.2 doesn't. The fact of the fix doesn't interest me half as much as knowing why it happened so I can prevent another faulty release in the future.

    The way I figure it...
    evaluation of the expression was always false in 2.1:

    if (hourOffset != $(this).val()) { // they were always equal in all cases

    That's why the hourOffset never worked correctly.

           // Ajax/Save the ClientHour if it is different from the value in the db.
           $('input:hidden[id$=SetHourOffset]').livequery(function() {
              if (hourOffset != $(this).val()) {
                 $.post(
                    gdn.url('/utility/sethouroffset.json'),
                    { HourOffset: hourOffset, TransientKey: gdn.definition('TransientKey') }
                 );
              }
           });
    

    http://vanillaforums.org/discussion/comment/213937/#Comment_213937

    http://vanillaforums.org/discussion/comment/214078/#Comment_214078

    and it was masked by the fact that admins were usually setting their own timezones, so it didn't matter and they never noticed the time was off.

    It may have been working in 2.1b2 - not sure.

    That is why so many new forum owners are having problems: 2.1 never updated the user table correctly, hence with 2.1.2 the hourOffset was always different (JS vs. DB table, as a result of all users created during the 2.1 phase), and on a fresh install of 2.1.2 it finally evaluated gdn.url, which was never defined early enough.


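The global.js failure discussed in this thread (the Safari TypeError at line 313, and peregrine's reading of the hourOffset comparison), as an added example that is not Vanilla's code and not code posted by anyone above. It models the script ordering in plain Node.js: the `gdn` stand-in, the `posted` log in place of `$.post`, the `simulate()` driver and the sample offset values are all constructed here and are not from the project. The guarded variant shows the checks a practitioner would want: do not call `gdn.url()` until it exists, compare the offsets as numbers rather than with loose `!=`, and keep sending the TransientKey, which is Vanilla's CSRF token protecting the state-changing `/utility/sethouroffset.json` endpoint.

```javascript
// Added example, not Vanilla's code and not code from anyone in this thread.
// Reproduces the global.js failure (a callback that calls gdn.url() before the
// script defining gdn has run) and shows a guarded version.
// Hypothetical pieces: the `gdn` stand-in, the `posted` log standing in for
// jQuery's $.post, and simulate(), which models the two script stages.

const posted = []; // every request the page would have sent via $.post

// Stand-in for Vanilla's `gdn` namespace. Deliberately empty at first: the
// object exists, but gdn.url is not yet a function, which is the state the
// early callback in global.js line 313 saw in 2.1.2.
const gdn = {};

// 2.1.2-style sync callback: loose compare, and gdn.url() called at once.
function syncEager(hiddenValue, clientOffset) {
  if (clientOffset != hiddenValue) { // loose !=, as in the original snippet
    posted.push({
      url: gdn.url('/utility/sethouroffset.json'),
      data: { HourOffset: clientOffset, TransientKey: gdn.definition('TransientKey') },
    });
  }
}

// Guarded sync: refuses to run until gdn is ready, compares numbers as numbers,
// and still sends the TransientKey (Vanilla's CSRF token), because the endpoint
// changes server-side state and must not be reachable without it.
function syncGuarded(hiddenValue, clientOffset) {
  if (typeof gdn.url !== 'function' || typeof gdn.definition !== 'function') {
    return 'deferred'; // gdn not loaded yet; run again once it is
  }
  const dbOffset = Number(hiddenValue);
  if (!Number.isFinite(dbOffset) || dbOffset !== clientOffset) {
    posted.push({
      url: gdn.url('/utility/sethouroffset.json'),
      data: { HourOffset: clientOffset, TransientKey: gdn.definition('TransientKey') },
    });
    return 'posted';
  }
  return 'unchanged';
}

// Models the script order: the sync callback fires once BEFORE gdn is defined
// (early) and once AFTER (late). Returns what happened at each stage.
function simulate(sync, hiddenValue, clientOffset) {
  posted.length = 0;
  delete gdn.url;
  delete gdn.definition;

  let earlyError = null;
  let earlyResult;
  try {
    earlyResult = sync(hiddenValue, clientOffset);
  } catch (e) {
    earlyError = e.name; // 'TypeError', matching the Safari console line in the thread
  }

  // The later script (where the fix in the thread moved the call) defines gdn.
  // Constructed stand-ins: a fixed web root and a constant transient key.
  gdn.url = (path) => '/forum' + path;
  gdn.definition = (name) => (name === 'TransientKey' ? 'tk-constructed' : undefined);

  const lateResult = sync(hiddenValue, clientOffset);
  return { earlyError, earlyResult, lateResult, posts: posted.slice() };
}

// Walk-through with constructed values: the DB row says UTC-5, the browser says UTC-4.
const r = simulate(syncEager, '-5', -4);
console.log(r.earlyError, r.posts.length);                // TypeError 1
const g = simulate(syncGuarded, '-5', -4);
console.log(g.earlyResult, g.lateResult, g.posts.length); // deferred posted 1
```

Running it with `node` shows the two behaviours side by side: the eager callback throws the TypeError when the offsets differ and is silent only when they happen to match (the masking peregrine describes), while the guarded version simply reports `deferred` until `gdn` is ready and then posts once.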