This is a critical and time-sensitive security upgrade for all forums. At least one of these issues is being actively exploited.
Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.8p2
UPDATE: We have incremented to "2.1.8p2" to address upgrade issues.
Upgrade Steps
- Backup your database, .htaccess and conf/config.php file somewhere safe.
- Upload the new release's files so they overwrite the old ones.
- Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
- If it fails, try it a second time by refreshing the page. More troubleshooting tips.
To upgrade to 2.1.8 directly from 2.0.x, add this step:
- Delete the file /themes/mobile/views/discussions/helper_functions.php
- Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)
Critical Security Patches in 2.1.8
- Fixes a SQL injection vulnerability.
- Fixes a user registration vulnerability.
Hat tip to ZeniMax Online Studios' security team for disclosing the SQL injection vector.
Changes in 2.1.8
- Hardens the UserModel against potential abuse.
- Stub content being re-created on utility/update on private communities.
- Increases the permissions required for mass banning (from Moderation.Manage to Settings.Manage).
- Collect additional information about mass-banning changes.
- Removes super-admin permissions from secondary accounts on utility update.
- Fixes an issue changing primary keys during utility update.
15 files changed. View the diff. We strongly recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme.
If you have difficulty upgrading, please start a new discussion for assistance.
Comments
/utility/update fails:
@Nyr Thank you, I will have it corrected shortly. The update has been amended.
We accidentally included a call to array_column, which was not added to PHP until 5.5. I substituted ConsolidateArrayValuesByKey, incremented to 2.1.8p1, and updated the first post in this discussion.
I can confirm it's working now.
Hi, I would like to update my forum but can't. Reason:
set_time_limit() has been disabled for security reasons
Is there a way around?
@deex Yes, comment out this line:
https://github.com/vanilla/vanilla/blob/2.1/applications/dashboard/controllers/class.utilitycontroller.php#L16
As long as your server is fast enough to do it in the standard time limit, you should be fine.
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
How can i update from vanilla 2.1.6?
I just tried updating from 2.1.6. The utility/update says simply 'update failed'. Enabling debugging only gives me a couple of errors about my theme cache. Site seems to be working, but going to utility/structure says there are a couple of google-related updates required; clicking the 'run scripts' button reports success but when I re-scan, they're back.
The instructions are above.
Can you post the update it's requesting repeatedly? Did you try disabling third-party addons?
Updating from 2.1.6 gives me an error saying simply "update failed".
More troubleshooting steps: http://docs.vanillaforums.com/developers/troubleshooting/
I recommend starting a discussion with the full error message.
The first thing I followed.
Set $Configuration['Debug'] = TRUE; in your conf/config.php to reveal full error messages. Remember to remove it when you are done.
The whole forum gives a blank page, without any errors.
@AaronWebstey I think you are talking about:
update GDN_UserAuthenticationProvider UserAuthenticationProvider set AuthenticationSchemeAlias = 'GooglePlus' where AuthenticationSchemeAlias = 'Google+';
This is a known issue; if it's not in GitHub I will add it. It's okay though, your site is fine. You can ignore it.
Sharing is caring
Thanks @Linc ; I'll try disabling plugins tomorrow. Here's the update it can't do. And now that I think of it, I may have fudged around with the google plugin code (I just made a post about that tonight).
Yes @Adrian; sorry, looks like I posted while you were posting
No worries. I had noticed it before, my bad for not adding an issue in Github
Doing it now.
https://github.com/vanilla/vanilla/issues/2407
My version number says "Version 2.1.8p1"
Is the p1 bit weird?
@Simeon_Griggs it's fine, linc had to make a small change
Failure
The update was not successful. I have gone to the link to read on the troubleshooting techniques, but still. But at the footer of the dashboard I see Version 2.1.8p1.
@martin2008 Do you, also, have Google+ enabled?
Nm
@Linc Nope, I don't use Google+ 'cos I have not paid for the OpenID.
Sorry for double posting, I thought I had fixed things but no I definitely haven't.
Getting this error on the update page after putting in my info.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'alter table `GDN_Tag` add unique index UX_Tag (`Name`,`CategoryID`)' at line 4|Gdn_Database|Query|/* 'unique index UX_Tag (`Name`)' => 'unique index UX_Tag (`Name`,`CategoryID`)' */ alter table `GDN_Tag` drop index UX_Tag; alter table `GDN_Tag` add unique index UX_Tag (`Name`,`CategoryID`);
Thanks. I actually had the same issue @martin2008 describes above. The update page never said that the installation was successful. But in the footer of the dashboard I see the new version number and assumed it was all okay.
Hello, I uploaded the files to the new version but had to roll back to the previous. I run an integrated forum and only a blank screen appeared. Ideas?
I suggest starting a new discussion with details of what "integrated" means after following the additional troubleshooting steps linked in the OP. Also check your PHP error log.
On the database table GDN_Tag, delete the index named UX_Tag, and then run it again. It should then regenerate correctly.
@Simeon_Griggs @martin2008 I need the error message to assist you. Have you completed the troubleshooting steps? Since the last step says "Start a new discussion" and you are still posting in the release thread, I suspect not.
@Chalipa Please check your PHP error log for the error message and start a new discussion for assistance.
I followed the steps in the OP, and getting a blank page, no errors. Need to roll back while we figure out how to correctly make the update.
Any thoughts on how to troubleshoot this?
@JeffHat: try adding this to your conf/config.php:
$Configuration['Garden']['Errors']['MasterView'] = 'deverror.master.php';
That will show you the real error. Don't forget to delete it from config.php after you are finished with debugging.
I tried going to "yourforum.com/index.php?p=/utility/update" (substituting my forum's domain name for yourforum" as stated in the Read Me instructions, but I just get "Error 404-Page Not Found".
I use Expression Web as an ftp upload program, but it will not show the .htaccess file or allow it to be downloaded from the server. I went directly to the server & located the .htaccess file, but don't know how to get it replaced by the new file. Any suggestions? I am not very proficient in websites & don't understand the "techy" language so if replies could be kept simple, I'd appreciate it.