CRITICAL: Vanilla 2.1.8 released

Linc, Director of Development, Detroit, Vanilla Staff
edited January 2015 in Releases

This is a critical and time-sensitive security upgrade for all forums. At least one of these issues is being actively exploited.

Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.8p2

UPDATE: We have incremented to "2.1.8p2" to address upgrade issues.

Upgrade Steps

  • Back up your database, .htaccess and conf/config.php file somewhere safe.
  • Upload the new release's files so they overwrite the old ones.
  • Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
  • If it fails, try it a second time by refreshing the page. More troubleshooting tips.

To upgrade to 2.1.8 directly from 2.0.x, add these steps:

  • Delete the file /themes/mobile/views/discussions/helper_functions.php
  • Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)

Critical Security Patches in 2.1.8

  • Fixes a SQL injection vulnerability.
  • Fixes a user registration vulnerability.

Hat tip to ZeniMax Online Studios' security team for disclosing the SQL injection vector.

Changes in 2.1.8

  • Hardens the UserModel against potential abuse.
  • Stub content being re-created on utility/update on private communities.
  • Increase permissions required for mass banning (from Moderation.Manage to Settings.Manage).
  • Collect additional information about mass-banning changes.
  • Removes super-admin permissions from secondary accounts on utility update.
  • Fixes an issue changing primary keys during utility update.

15 files changed. View the diff. We strongly recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme.

If you have difficulty upgrading, please start a new discussion for assistance.
