HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 2.1.13 - security updates

LincLinc Detroit Admin
edited November 2015 in Releases

If you have difficulty upgrading, please start a new discussion for assistance.

This release addresses multiple security issues issues and should be applied immediately to all forums running the 2.1 release branch.

Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.13p1

Upgrade Steps

  • Backup your database, .htaccess and conf/config.php file somewhere safe.
  • Upload the new release's files so they overwrite the old ones.
  • Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
  • If it fails, try it a second time by refreshing the page. More troubleshooting tips.

To upgrade to 2.1.13 directly from 2.0.x, add these steps:

  • Delete the file /themes/mobile/views/discussions/helper_functions.php
  • Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)

Security Patches in 2.1.13

  • Fix issues with fetchPageInfo() implementation.
  • Implement public stashes.
  • Protect transient key from JSONP.
  • Protect transient key on profile pages.
  • Don’t allow SSO with empty secrets.
  • Remove htmlEntityDecode() endpoint.
  • Improve addon testing / enabling / disabling security.
  • Add validation to .org feed pulling.
  • Protect discussions from unauthorized split/merge.
  • Add output filtering to a few places.

Our sincere thanks once again to @mtschirs, whom Vanilla Forums recently worked with on a formal security audit. This update addresses the issues identified during that audit that we prioritized for backport.

We recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme. Troubleshooting tips.

The 2.1 branch is in maintenance mode which means it is only receiving security patches until the release of 2.2.

«1

Comments

  • kopnakopna Coimbra Portugal ☯
    edited October 2015

    Hi, I'm testing vanilla ( 2.1.11 ) on the virtual server. How to update without error. Or is the whole step by step instructions applicable to the use of a virtual server?

  • LincLinc Detroit Admin

    @kopna said:
    Hi, I'm testing vanilla ( 2.1.11 ) on the virtual server. How to update without error. Or is the whole step by step instructions applicable to the use of a virtual server?

    Using a virtual server should make no difference.

  • Failure
    The update was not successful.

    How Can i Update ? What's The Wrong

  • kopnakopna Coimbra Portugal ☯

    Excuse me, I incorrectly expressed. Tested on a virtual machine, Denwer. Thanks again :-)

  • Hi,
    I updated and after running "myforum.com/vanilla/index.php?p=/utility/update" I got the attached error massage.
    Pls help ;-)
    thx in advance.

  • LincLinc Detroit Admin

    If you have trouble upgrading, please follow the instructions in the first post.

    1. Do this: http://docs.vanillaforums.com/developers/troubleshooting/
    2. Start a new discussion for help, detailing what you've done so far.
  • LincLinc Detroit Admin

    There was a minor regression bug in the Split/Merge plugin. We've released 2.1.13p1 to correct it. Thanks to Graham Mills for reporting the issue via GitHub.

  • kopnakopna Coimbra Portugal ☯

    Hello,
    go back again to the question: I am not on tests vanylla eral hosting. I downloaded the update Vanilla 2.1.13, passed by reference yourforum.com/index.php?p=/utility/update

    - nothing has changed. Has. I did not understand :-(

    Is there a guide how to update vanilla in a virtual machine? You may need to do the update manually? Thank you.

  • LincLinc Detroit Admin

    I have no idea what you're asking, and this is not the appropriate discussion for it.

  • jackmaessenjackmaessen ✭✭✭
    edited November 2015

    This is yet another security update. I can remember that was said when it was version 2.1.10: this is probably the last update for the 2.1 version. Now we have 2.1.13p1. Ofcourse, security has the highest priority, but so many updates is a little bit confusing for the people who run Vanilla forum.
    For every update, you have to overwrite the complete core files, even if only 1 line in a file has changed.
    As you can see in the discussions, there a lot of problems people encounter when doing an update.
    I think, many people think when they get aware of an update: " No, please not again. I can regain problems with it!".
    This is really i am a little bit concerned about.
    I advocate for an easy way of updating in which people encounter less difficulties

  • Thanks to work on Vanilla forum for us. Working great :)

  • HillfootHillfoot Stockton-on-Tees New

    I have downloaded 2.1.13 and installed it and the site runs OK. But at the foot (when in "Dashboard") it shows v. 2.1.8 !!

  • LincLinc Detroit Admin

    @Hillfoot Sounds like the version is being pulled from the config, which is no longer updated by the code. I'd just remove it from the foot, or change the version number in the conf/config.php file if it really bothers you. It isn't used for anything else.

  • LincLinc Detroit Admin

    @jackmaessen said:
    This is really i am a little bit concerned about.
    I advocate for an easy way of updating in which people encounter less difficulties

    A security update is, on the whole, unlikely to cause a problem when upgrading. The difficulties are more often someone waking up and trying to jump directly from a much older version, especially if they had a great number of plugins and database modifications.

    For every person who complains about needing to overwrite every core file, I believe there are two with broken, unsafe, hybrid versions of Vanilla from badly doing selective upgrades. It's easier to troubleshoot a known code version than a mishmash.

  • hello..

    are this really need updates ? is there main or major vulneralbility with vanilla forums ?

    thank you,

  • R_JR_J Ex-Fanboy Munich Admin

    @whitefl0w said:
    hello..

    are this really need updates ? is there main or major vulneralbility with vanilla forums ?

    thank you,

    Good question! Let me use some words a wise man used long, long time before...

    @Linc said:
    This release addresses multiple security issues issues and should be applied immediately to all forums running the 2.1 release branch.

  • LincLinc Detroit Admin

    @whitefl0w said:
    is there main or major vulneralbility with vanilla forums ?

    We don't do security releases for fun.

  • Hi!

    After upgrade to 2.1.13 version, doesn't work merge action of Split/Merge plugin. Early appear windows with dropdown field with selected topics. But now windows appears without any fields. There is close button on that windows only.

  • Thanks, I updated here and is ok B)

  • LincLinc Detroit Admin

    @Ivan_Gurin said:
    After upgrade to 2.1.13 version, doesn't work merge action of Split/Merge plugin.

    Upgrade to 2.1.13p1, updated in the original post above. Sorry 'bout that.

Sign In or Register to comment.