
Vanilla 2.1.12 released - security update

Linc, Director of Development, Detroit, Vanilla Staff
edited October 2015 in Releases

If you have difficulty upgrading, please start a new discussion for assistance.

This release addresses multiple security issues and should be applied immediately to all forums running the 2.1 release branch.

Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.12p3

Upgrade Steps

  • Backup your database, .htaccess and conf/config.php file somewhere safe.
  • Upload the new release's files so they overwrite the old ones.
  • Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
  • If it fails, try it a second time by refreshing the page. More troubleshooting tips.

To upgrade to 2.1.12 directly from 2.0.x, add these steps:

  • Delete the file /themes/mobile/views/discussions/helper_functions.php
  • Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)
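The upgrade checklist above (both the general steps and the extra 2.0.x steps), as an added example script that is not Vanilla's own tooling. It assumes FORUM_ROOT, RELEASE_DIR (the unpacked release), FORUM_URL, DB_NAME and FROM_20X as inputs; those names are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not Vanilla's own tooling. Scripts the upgrade checklist above.
# Assumed inputs: FORUM_ROOT (forum document root), RELEASE_DIR (the extracted
# release files), FORUM_URL, DB_NAME, FROM_20X; these names are assumptions.
set -eu

# Step 1: copy .htaccess and conf/config.php (plus a database dump when
# DB_NAME is set and mysqldump is available) into a backup directory.
# Returns non-zero unless config.php was actually saved, so the caller stops.
vanilla_backup() {
    root="$1"; dest="$2"
    mkdir -p "$dest"
    if [ -f "$root/.htaccess" ]; then cp "$root/.htaccess" "$dest/htaccess"; fi
    if [ -f "$root/conf/config.php" ]; then cp "$root/conf/config.php" "$dest/config.php"; fi
    if [ -n "${DB_NAME:-}" ] && command -v mysqldump >/dev/null 2>&1; then
        mysqldump "$DB_NAME" > "$dest/db.sql"
    fi
    [ -f "$dest/config.php" ]
}

# Step 2: copy the new release over the old tree. Existing files are
# overwritten and nothing else is deleted, matching the "overwrite" step.
vanilla_overwrite() {
    cp -R "$2"/. "$1"/
}

# Extra steps for 2.0.x -> 2.1.12: remove the two stale files named in the post.
vanilla_remove_20x_leftovers() {
    rm -f "$1/themes/mobile/views/discussions/helper_functions.php" \
          "$1/applications/dashboard/views/default.master.php"
}

# Steps 3 and 4: request /utility/update; on failure, try once more (a "refresh").
vanilla_run_update() {
    curl -fsS "$1/index.php?p=/utility/update" >/dev/null ||
    curl -fsS "$1/index.php?p=/utility/update" >/dev/null
}

# The full sequence only runs when VANILLA_RUN=1, so the functions can be sourced.
if [ "${VANILLA_RUN:-0}" = 1 ]; then
    vanilla_backup "$FORUM_ROOT" "$FORUM_ROOT.backup-$(date +%Y%m%d%H%M%S)"
    vanilla_overwrite "$FORUM_ROOT" "$RELEASE_DIR"
    if [ "${FROM_20X:-0}" = 1 ]; then vanilla_remove_20x_leftovers "$FORUM_ROOT"; fi
    vanilla_run_update "$FORUM_URL"
fi
```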

Security Patches in 2.1.12

  • Fix issue where someone other than the original author could delete an activity comment.
  • Tighten security around the database update mechanism.
  • Close 3 CSRF vectors.
  • Close 2 potential XSS vectors.
  • Improve SSO security.

Our sincere thanks to @mtschirs and @Bleistivt for privately reporting security issues via [email protected] that allowed us to create these patches.

We recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme. Troubleshooting tips.

The 2.1 branch is in maintenance mode which means it is only receiving security patches until the release of 2.2.

Comments

  • Thanks, it was really helpful :)

  • Linc, Director of Development, Detroit, Vanilla Staff

    We've released a 2.1.12p1 to address a couple PHP version requirement problems that crept into our backports. Thanks to @hgtonight for the fast identification & patches.

  • Well, I updated my 2.1.11 but utility/update kept 500-ing, and so did the feeds from vanillaforums in the Dashboard. So I checked the GitHub, applied @hgtonight's patches, and the update after that was successful and the feeds on the Dashboard load fine. So thank you @hgtonight, and bad bad @vanillaforums for not testing before sending emails about applying immediate patches.

  • @Linc or @CrazyLemon can you direct me to the specific patches you are talking about? Or will 2.1.13 be coming out to cover this?

  • @gharald said:
    Linc or CrazyLemon can you direct me to the specific patches you are talking about? Or will 2.1.13 be coming out to cover this?

    They are already in the p1 package. That's why Linc mentioned it.

  • Got it! Thanks for clarifying @CrazyLemon.

  • Linc, Director of Development, Detroit, Vanilla Staff

    There has been a second patch with another similar PHP version fix.

    http://vanillaforums.org/addon/vanilla-core-2.1.12p2

    The link in the OP has again been amended. Apologies for the requirements flubs.

  • PFAFF
    edited October 2015

    Also having an avatar issue. I posted a new thread here: http://vanillaforums.org/discussion/30967/vanilla-2-1-12-update-css-issues#latest

    @hgtonight fixed it for me.

  • peregrine MVP
    edited October 2015

    misleading here ^

    coding curiosity or not.

    "Released" is not accurate on the third line and is not consistent in add-ons when viewing the addon itself and when viewing core. It just adds another layer of confusion for new users. As with any answer, if you know how to decipher it, of course it's no problem; if you don't know how to decipher it, well ...

    incorrect and layer of confusion added here ^

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Linc, Director of Development, Detroit, Vanilla Staff

    That the beta sits atop the list as "most recent" is a bug that should get addressed via the community repo, not a release discussion.

  • peregrine MVP
    edited October 2015

    the bigger bug is the Released Date for 2.1.12p2 that is 2 lines below Todd's name.

    it is still a bug that will confuse new users reading release notes and then looking at add-ons and wondering what gives, no matter how you decide to fix it or not fix it or ignore it.

    I don't recall a beta ever added to the add-ons section of core in prior releases. I could be wrong. That is the bug in the first place. The beta could have been available via github as usual instead of corrupting the add-ons.

    I was under the impression the add-ons section should be current with the current stable release, not for beta and alpha versions. But maybe that changed with the alpha and "betaning" (to go along with another non-existent word spacening and other argot) of the add-ons section to make it totally confusing to new users.

    I mis-believed github was for experimental, alpha and beta versions, not the add-ons section. Things may have changed though. If the goal is not to confuse people that one would be one way to release things if there is any desire on your part to reduce confusion.

    simple fix (delete beta from the core add-ons). no code needed. just logic.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Linc, Director of Development, Detroit, Vanilla Staff

    @peregrine said:
    I don't recall a beta ever added to the add-ons section of core in prior releases. I could be wrong. That is the bug in the first place. The beta could have been available via github as usual instead of corrupting the add-ons.

    They have always been released via addons. No, it could not be distributed via GitHub in the same way.

    I don't understand the sudden exasperated snark in a release discussion about a bug that has literally always existed, but that'll be enough now.

  • peregrine MVP
    edited October 2015

    @Linc said:
    I don't understand the sudden exasperated snark in a release discussion about a bug that has literally always existed, but that'll be enough now.

    My mistake, I didn't realize the bug always existed. I just noticed the issue regarding this particular Vanilla core release and thought it would be confusing to new users; that is why I brought it up, but as long as you are aware, that's good enough for me as well.

    feel free to delete my comments or split them into oblivion.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Same here, 'fixed' it by adding this to my theme's custom css:

    .BlockColumn-User a.PhotoWrapSmall img,
    .LatestPost a.PhotoWrapSmall img,
    .Author a.PhotoWrap img { width: 40px; height: 40px; }

  • whu606 (I'm not a SuperHero; I just like wearing tights...) Moderator

    @Fifty

    @hgtonight provided a fix for this here:

    http://vanillaforums.org/discussion/30967/vanilla-2-1-12-update-css-issues#latest

    which solves the issue for any images affected.

  • So I guess 2.1.12p3 will be released with @hgtonight's fix?

    This was supposed to be a security update and you guys released 3 broken versions within 24 hours...

  • peregrine MVP
    edited October 2015

    @Nyr said:
    So I guess 2.1.12p3 will be released with hgtonight's fix?

    that is the 64,000 dollar question. Will the fix for pfaff's and others' reported problems be available in a 2.1.x release?

    and you guys released 3 broken versions within 24 hours...

    at least there was an attempt to fix the first three, everyone makes mistakes. They should be applauded for trying to fix security issues with the release and to rectify php requirements with the next two patches.

    However, the fourth problem was reported minutes later after p2 was released, which leads to your as yet unanswered question.

    So I guess 2.1.12p3 will be released with hgtonight's fix?

    perhaps not. It was a "regression" bug. but the announcement says only security bugs will be fixed in the future.

    which presents a dilemma.

    there are several rules at play.

    • thou shall not modify core.
    • bug introduced in release that is not security bug
    • only security releases fixed in 2.1.x
    • the beta version is for test purposes but doesn't have security fixes.
    • 2.1.12 p3 or higher is not available

    So does the patch reintroduce the problem that the security fix was supposed to fix, and should people change the core, or should they wait until 2.2 is stable with security fixes, or should they one by one manually change the core after an upgrade to 2.1.12p2?

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • peregrine MVP
    edited October 2015

    Images not displaying as they did prior to upgrade.

    READ THIS LINK (if one assumes the solution doesn't open up security issues that the release was meant to close)

    http://vanillaforums.org/discussion/comment/234708/#Comment_234708

    (ever wonder why the wolves are at the doorstep).

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Linc, Director of Development, Detroit, Vanilla Staff

    We have incremented to 2.1.12p3 to fix the avatar regression bug. Apologies for the inconvenience.

  • unixhero
    edited October 2015

    I just had a failed upgrade. The updater script fails, have tried it 10 times.
    All plugins are disabled and debugging = TRUE in the conf file. Ini files cleared from cache.

    Now when I am trying to comment on any thread in the forum I'm getting a Vanilla Installer left-sidebar popup, and the forum does not allow the comment being posted.

    To be sure this behavior also appears when I try to revert to my unpatched runtime files from my previous v2.1.x version.
    To be sure x2 I do also have a database backup.


    How can I get rid of this?
    My last option will be to backtrack and roll back my database and runtime files to yesterday's backup, but I want to avoid it.

  • whu606 (I'm not a SuperHero; I just like wearing tights...) Moderator

    @unixhero

    What updater script?

    Which version were you updating from?

  • unixhero
    edited October 2015

    @whu606: From 2.1.11 -> 2.1.12p3
    I did as the update instructions said and unpacked the files into my main forum folder.
    I ran the "updater script", as I call it; it is the one you see in my second screenshot here, located at $forumurl/index.php?p=/utility/updater

    Since it is acting like this with my patched 2.1.12p3 files as well as my old backup, I assume that it's a database flag that's been set.
    Should I run the installer that pops up when I make a comment on a thread???
    Or update further to the 2.2 beta perhaps?

  • whu606 (I'm not a SuperHero; I just like wearing tights...) Moderator
    edited October 2015

    Have you run DB Structure upgrade?

    I use this addon http://vanillaforums.org/addon/utilitylinks-plugin to get the link to it (Links appear in the Dashboard.)

  • unixhero
    edited October 2015

    I did DB Structure Upgrade, and the other recalculation in that plugin. It didn't fix it. :( Thanks for the suggestion though. I will look in the database and see if I can find a toggle to make this installer disappear. If not, I have to roll back tomorrow, I guess.

  • I too hit a snag with the update, and even after all of the suggested resolutions it continues to say the update failed. I am thinking this is a bug.

  • unixhero
    edited October 2015

    Great work on the security update, it looked like you fixed a few pressing things!
    [SOLVED]
    I tried running the installer wizard that appears on the screen in the screenshot above. Really bad idea. It nuked the entire GDN_discussions table! "BAM! You’ve got a sweet forum" post being placed there. Luckily I had ample database backups.
    After dropping all tables from the database and importing a backup I did before trying the installer wizard, I am happy to say that the wizard is gone and the forum seems functional again.

    This experience reminded me of my many travails with Simple Machine Forums and PHPBB. Luckily I'm battle hardened and so is my community (haha).
    [SOLVED]
