
Vanilla 2.1.12 released - security update

Linc Detroit Admin
edited October 2015 in Releases

If you have difficulty upgrading, please start a new discussion for assistance.

This release addresses multiple security issues and should be applied immediately to all forums running the 2.1 release branch.

Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.12p3

Upgrade Steps

  • Backup your database, .htaccess and conf/config.php file somewhere safe.
  • Upload the new release's files so they overwrite the old ones.
  • Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
  • If it fails, try it a second time by refreshing the page. More troubleshooting tips.

To upgrade to 2.1.12 directly from 2.0.x, add these steps:

  • Delete the file /themes/mobile/views/discussions/helper_functions.php
  • Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)

Security Patches in 2.1.12

  • Fix issue where someone other than the original author could delete an activity comment.
  • Tighten security around the database update mechanism.
  • Close 3 CSRF vectors.
  • Close 2 potential XSS vectors.
  • Improve SSO security.

Our sincere thanks to @mtschirs and @Bleistivt for privately reporting security issues via support@vanillaforums.com that allowed us to create these patches.

We recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme. Troubleshooting tips.

The 2.1 branch is in maintenance mode which means it is only receiving security patches until the release of 2.2.
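A scripted form of the backup and update-trigger steps above, added here as an example (it is not part of the release post or of Vanilla itself). The forum root, backup directory and forum URL are placeholders passed as arguments; the database dump line is left commented because the credentials live in conf/config.php.

```shell
#!/bin/sh
# Added example, not from the release post: automates the upgrade steps.
set -eu

# Step 1: back up the files the post names (.htaccess, conf/config.php)
# into a timestamped archive and print its path.
backup_vanilla_config() {
    forum_root="$1"; dest_dir="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest_dir/vanilla-config-$stamp.tar.gz"
    mkdir -p "$dest_dir"
    # -C keeps paths relative; tar fails if either file is missing.
    tar -czf "$archive" -C "$forum_root" .htaccess conf/config.php
    # Database backup (placeholders; run alongside the file backup):
    # mysqldump -u "$DB_USER" -p "$DB_NAME" | gzip > "$dest_dir/db-$stamp.sql.gz"
    printf '%s\n' "$archive"
}

# Confirm both files really are in the archive before overwriting core.
verify_backup() {
    tar -tzf "$1" | grep -qx '.htaccess' &&
    tar -tzf "$1" | grep -qx 'conf/config.php'
}

# Steps 3 and 4: request /utility/update and, as the post suggests,
# try a second time if the first request does not come back 200.
trigger_update() {
    url="$1/index.php?p=/utility/update"
    for attempt in 1 2; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$url" || true)
        if [ "$code" = 200 ]; then return 0; fi
        echo "utility/update attempt $attempt returned HTTP $code" >&2
    done
    return 1
}
```

Run the backup and verify it, then upload the new release files, then call `trigger_update https://yourforum.com`.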


Comments

  • Thanks, it was really helpful :)

  • Linc Detroit Admin

    We've released a 2.1.12p1 to address a couple PHP version requirement problems that crept into our backports. Thanks to @hgtonight for the fast identification & patches.

  • Well, I updated my 2.1.11 but utility/update kept 500-ing, and so did the feeds from vanillaforums in the Dashboard. So I checked the GitHub, applied @hgtonight's patches, and after that the update was successful and the feeds on the Dashboard load fine. So thank you @hgtonight, and bad bad @vanillaforums for not testing before sending emails about applying immediate patches.

  • @Linc or @CrazyLemon can you direct me to the specific patches you are talking about? Or will 2.1.13 be coming out to cover this?

  • @gharald said:
    Linc or CrazyLemon can you direct me to the specific patches you are talking about? Or will 2.1.13 be coming out to cover this?

    They are already in the p1 package. That's why Linc mentioned it.

  • Got it! Thanks for clarifying @CrazyLemon.

  • Linc Detroit Admin

    There has been a second patch with another similar PHP version fix.

    http://vanillaforums.org/addon/vanilla-core-2.1.12p2

    The link in the OP has again been amended. Apologies for the requirements flubs.

  • PFAFF
    edited October 2015

    Also having an avatar issue. I posted a new thread here: http://vanillaforums.org/discussion/30967/vanilla-2-1-12-update-css-issues#latest

    @hgtonight fixed it for me.

  • peregrine MVP
    edited October 2015

    misleading here ^

    coding curiosity or not.

    Released is not accurate on the third line and is not consistent in add-ons when viewing the addon itself and when viewing core. It just adds another layer of confusion for new users. As with any answer, if you know how to decipher it, of course it's no problem; if you don't know how to decipher it, well ...

    incorrect and layer of confusion added here ^

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Linc Detroit Admin

    That the beta sits atop the list as "most recent" is a bug that should get addressed via the community repo, not a release discussion.

  • peregrine MVP
    edited October 2015

    the bigger bug is the Released Date for 2.1.12p2 that is 2 lines below Todd's name.

    it is still a bug that will confuse new users reading release notes and then looking at add-ons and wondering what gives, no matter how you decide to fix it or not fix it or ignore it.

    I don't recall a beta ever added to the add-ons section of core in prior releases. I could be wrong. That is the bug in the first place. The beta could have been available via github as usual instead of corrupting the add-ons.

    I was under the impression the add-ons section should be current with the current stable release, not for beta and alpha versions. But maybe that changed with the alpha and "betaning" (to go along with another non-existent word spacening and other argot) of the add-ons section to make it totally confusing to new users.

    I mis-believed github was for experimental, alpha and beta versions, not the add-ons section. Things may have changed though. If the goal is not to confuse people that one would be one way to release things if there is any desire on your part to reduce confusion.

    simple fix (delete beta from the core add-ons). no code needed. just logic.


  • Linc Detroit Admin

    @peregrine said:
    I don't recall a beta ever added to the add-ons section of core in prior releases. I could be wrong. That is the bug in the first place. The beta could have been available via github as usual instead of corrupting the add-ons.

    They have always been released via addons. No, it could not be distributed via GitHub in the same way.

    I don't understand the sudden exasperated snark in a release discussion about a bug that has literally always existed, but that'll be enough now.

  • peregrine MVP
    edited October 2015

    @Linc said:
    I don't understand the sudden exasperated snark in a release discussion about a bug that has literally always existed, but that'll be enough now.

    My mistake, I didn't realize the bug always existed. I just noticed the issue regarding this particular Vanilla core release and thought it would be confusing to new users; that is why I brought it up, but as long as you are aware, that's good enough for me as well.

    feel free to delete my comments or split them into oblivion.


  • Same here, 'fixed' it by adding this to my theme's custom css:

    .BlockColumn-User a.PhotoWrapSmall img,
    .LatestPost a.PhotoWrapSmall img,
    .Author a.PhotoWrap img { width: 40px; height: 40px; }

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP

    @Fifty

    @hgtonight provided a fix for this here:

    http://vanillaforums.org/discussion/30967/vanilla-2-1-12-update-css-issues#latest

    which solves the issue for any images affected.

  • So I guess 2.1.12p3 will be released with @hgtonight's fix?

    This was supposed to be a security update and you guys released 3 broken versions within 24 hours...

  • peregrine MVP
    edited October 2015

    @Nyr said:
    So I guess 2.1.12p3 will be released with hgtonight's fix?

    That is the 64,000 dollar question. Will the fix for pfaff's and others' reported problems be available in a 2.1.x release?

    and you guys released 3 broken versions within 24 hours...

    at least there was an attempt to fix the first three, everyone makes mistakes. They should be applauded for trying to fix security issues with the release and to rectify php requirements with the next two patches.

    However, the fourth problem was reported minutes later after p2 was released, which leads to your as yet unanswered question.

    So I guess 2.1.12p3 will be released with hgtonight's fix?

    perhaps not. It was a "regression" bug. but the announcement says only security bugs will be fixed in the future.

    which presents a dilemma.

    there are several rules at play.

    • thou shall not modify core.
    • bug introduced in release that is not security bug
    • only security releases fixed in 2.1.x
    • the beta version is for test purposes but doesn't have security fixes.
    • 2.1.12 p3 or higher is not available

    So does the patch reintroduce the problem that the security fix was supposed to fix, and should people change the core, or should they wait until 2.2 is stable with security fixes, or should they one by one manually change the core after an upgrade to 2.1.12p2?


  • peregrine MVP
    edited October 2015

    Images not displaying as they did prior to upgrade.

    READ THIS LINK (if one assumes the solution doesn't open up security issues that the release was meant to close)

    http://vanillaforums.org/discussion/comment/234708/#Comment_234708

    (ever wonder why the wolves are at the doorstep).

