
CRITICAL: Vanilla 2.1.8 released

Linc, Director of Development, Detroit, Vanilla Staff
edited January 2015 in Releases

This is a critical and time-sensitive security upgrade for all forums. At least one of these issues is being actively exploited.

Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.8p2

UPDATE: We have incremented to "2.1.8p2" to address upgrade issues.

Upgrade Steps

  • Back up your database, .htaccess and conf/config.php file somewhere safe.
  • Upload the new release's files so they overwrite the old ones.
  • Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
  • If it fails, try it a second time by refreshing the page. More troubleshooting tips.

To upgrade to 2.1.8 directly from 2.0.x, add this step:

  • Delete the file /themes/mobile/views/discussions/helper_functions.php
  • Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)

Critical Security Patches in 2.1.8

  • Fixes a SQL injection vulnerability.
  • Fixes a user registration vulnerability.

Hat tip to ZeniMax Online Studios' security team for disclosing the SQL injection vector.

Changes in 2.1.8

  • Hardens the UserModel against potential abuse.
  • Stub content being re-created on utility/update on private communities.
  • Increase permissions required for mass banning (from Moderation.Manage to Settings.Manage).
  • Collect additional information about mass-banning changes.
  • Removes super-admin permissions from secondary accounts on utility update.
  • Fixes an issue changing primary keys during utility update.

15 files changed. View the diff. We strongly recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme.

If you have difficulty upgrading, please start a new discussion for assistance.
