Vanilla 2.1.13 - security updates
If you have difficulty upgrading, please start a new discussion for assistance.
This release addresses multiple security issues and should be applied immediately to all forums running the 2.1 release branch.
Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.13p1
- Backup your database, .htaccess and conf/config.php file somewhere safe.
- Upload the new release's files so they overwrite the old ones.
- Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
- If it fails, try it a second time by refreshing the page. More troubleshooting tips.
To upgrade to 2.1.13 directly from 2.0.x, add these steps:
- Delete the file /themes/mobile/views/discussions/helper_functions.php
- Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)
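The upgrade steps above (backup, overwrite, the extra 2.0.x file removals, then the /utility/update request with one retry) as a single POSIX shell script. This is an added example, not Vanilla's own tooling: FORUM_ROOT, NEW_RELEASE, FORUM_URL, BACKUP_DIR, DB_NAME and FROM_20X are placeholder environment variables you set for your install, and the database dump step assumes mysqldump is available with credentials already configured (for example in ~/.my.cnf).

```shell
#!/bin/sh
# Added example, not Vanilla's own code: the 2.1.13 upgrade steps as one script.
# Placeholders (assumptions, set them for your install):
#   FORUM_ROOT  - web root of the existing Vanilla install
#   NEW_RELEASE - directory where the 2.1.13 archive was unpacked
#   FORUM_URL   - public base URL of the forum, e.g. http://yourforum.com
#   BACKUP_DIR  - where to put the backup (default: a timestamped dir under $HOME)
#   DB_NAME     - database to dump with mysqldump (credentials assumed in ~/.my.cnf)
#   FROM_20X    - set to "yes" when upgrading directly from 2.0.x
set -eu

# Step 1: back up the database, .htaccess and conf/config.php.
backup_forum() {
    forum_root=$1
    backup_dir=$2
    mkdir -p "$backup_dir"
    if [ -f "$forum_root/.htaccess" ]; then
        cp "$forum_root/.htaccess" "$backup_dir/htaccess"
    fi
    cp "$forum_root/conf/config.php" "$backup_dir/config.php"
    if [ -n "${DB_NAME:-}" ] && command -v mysqldump >/dev/null 2>&1; then
        mysqldump --single-transaction "$DB_NAME" > "$backup_dir/database.sql"
    fi
}

# Step 2: copy the new release over the old files. conf/config.php is not part
# of the release archive, so it survives the overwrite (the backup is for safety).
overwrite_release() {
    new_release=$1
    forum_root=$2
    cp -R "$new_release/." "$forum_root/"
}

# Extra steps when coming from 2.0.x: remove the two stale files named in the notes.
remove_20x_leftovers() {
    forum_root=$1
    rm -f "$forum_root/themes/mobile/views/discussions/helper_functions.php"
    rm -f "$forum_root/applications/dashboard/views/default.master.php"
}

# Steps 3 and 4: request /utility/update and retry once, as the notes say to
# refresh the page on failure. The fetcher is a parameter so it can be swapped
# out (for a dry run, or for a test harness).
fetch_url() {
    curl -fsS "$1" >/dev/null
}
trigger_update() {
    forum_url=$1
    fetch=${2:-fetch_url}
    if ! "$fetch" "$forum_url/index.php?p=/utility/update"; then
        echo "update request failed, retrying once" >&2
        "$fetch" "$forum_url/index.php?p=/utility/update"
    fi
}

# Run the whole procedure only when the placeholders are set, so the functions
# above can also be used individually.
if [ -n "${FORUM_ROOT:-}" ] && [ -n "${NEW_RELEASE:-}" ] && [ -n "${FORUM_URL:-}" ]; then
    backup_forum "$FORUM_ROOT" "${BACKUP_DIR:-$HOME/vanilla-backup-$(date +%Y%m%d%H%M%S)}"
    overwrite_release "$NEW_RELEASE" "$FORUM_ROOT"
    if [ "${FROM_20X:-no}" = "yes" ]; then
        remove_20x_leftovers "$FORUM_ROOT"
    fi
    trigger_update "$FORUM_URL"
fi
```

The script stops at the first failing step (set -e), so a failed backup never leads to an overwrite, and a second failure of the update request is left for you to investigate rather than retried indefinitely.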
Security Patches in 2.1.13
- Fix issues with
- Implement public stashes.
- Protect transient key from JSONP.
- Protect transient key on profile pages.
- Don’t allow SSO with empty secrets.
- Improve addon testing / enabling / disabling security.
- Add validation to .org feed pulling.
- Protect discussions from unauthorized split/merge.
- Add output filtering to a few places.
Our sincere thanks once again to @mtschirs, with whom Vanilla Forums recently worked on a formal security audit. This update addresses the issues identified during that audit that we prioritized for backport.
We recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme. Troubleshooting tips.
The 2.1 branch is in maintenance mode which means it is only receiving security patches until the release of 2.2.