Vanilla 2.6 is here! It includes security fixes and requires PHP 7.0. We have therefore ALSO released Vanilla 2.5.2 with security patches if you are still on PHP 5.6 to give you additional time to upgrade.
Vanilla 2.1.13 - security updates
If you have difficulty upgrading, please start a new discussion for assistance.
This release addresses multiple security issues and should be applied immediately to all forums running the 2.1 release branch.
Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.13p1
- Back up your database, .htaccess and conf/config.php file somewhere safe.
- Upload the new release's files so they overwrite the old ones.
- Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
- If it fails, try it a second time by refreshing the page. More troubleshooting tips.
To upgrade to 2.1.13 directly from 2.0.x, add these steps:
- Delete the file /themes/mobile/views/discussions/helper_functions.php
- Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)
Security Patches in 2.1.13
- Fix issues with
- Implement public stashes.
- Protect transient key from JSONP.
- Protect transient key on profile pages.
- Don’t allow SSO with empty secrets.
- Improve addon testing / enabling / disabling security.
- Add validation to .org feed pulling.
- Protect discussions from unauthorized split/merge.
- Add output filtering to a few places.
Our sincere thanks once again to @mtschirs, whom Vanilla Forums recently worked with on a formal security audit. This update addresses the issues identified during that audit that we prioritized for backport.
We recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme. Troubleshooting tips.
The 2.1 branch is in maintenance mode, which means it is only receiving security patches until the release of 2.2.