Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Try Vanilla Forums Cloud product

Vanilla 2.1.5 released (and 2.0.18.14)

LincLinc Vanilla's Bard (and Director of Development)Detroit Vanilla Staff
edited November 2014 in Releases

Vanilla 2.1.5 is now available. It is a security & bug fix release for the 2.1 branch.

This is an urgent upgrade for all forums.

DOWNLOAD HERE

25 files changed in this version. GitHub code diff

Summary:

  • Security: An Insecure Direct Object Reference was fixed that allowed unauthorized comment editing.
  • Security: Potential CSRF vectors were closed, including one that could allow account hijacking.
  • Fixes issue where enabling cleditor would permanently allow style parameter in comments.
  • Fixes issue notifying users of new comments in certain cases where they did not have permission to then view them.
  • Fixes OpenID bug effecting Google Sign In.
  • Multiple community-contributed bug fixes.

Thanks to Anand Meyyappan (thru a sponsorship by Private Internet Access) for discovering the CSRF issues and to Marcos Toledo for responsibly disclosing them. And thanks to Brandon Perry at ZeniMax Online Studios for disclosing the Insecure Direct Object Reference.

Hat tips to @hgtonight, @R_J, agauniyal, and @Shadowdare for contributing code to 2.1.5, and to @Bleistivt & @hgtonight for some quick testing when the release was fast-tracked yesterday when the IDOR was discovered.


If you are still on the 2.0 series, please upgrade immediately to 2.0.18.14 which closes the above noted security issues plus the DeliveryType issue noted in the 2.0.3 release. Reminder: We will end support of 2.0.* at the end of the year.

JasonBarnabehgtonightBleistivtaccetturoR_JShadowdare

Comments

Sign In or Register to comment.