HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 2.2.1 now available

LincLinc Detroit Admin
edited May 2016 in Releases

Problem upgrading? Start a new discussion for assistance.

This release addresses 2 security issues and should be applied immediately to all forums running version 2.2 or earlier.

Download it now: http://vanillaforums.org/addon/vanilla-core

Upgrade Steps

  • Backup your database, .htaccess and conf/config.php file somewhere safe.
  • Upload the new release's files so they overwrite the old ones.
  • Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
  • If it fails, try it a second time by refreshing the page. More troubleshooting tips.

If you are upgrading from any 2.1 version, please note:

  • You CANNOT downgrade later (nor is there any reason you ever should). It may result in users being locked out.
  • You MUST update your locales.

If you are upgrading from any 2.0 version, add these steps:

  • Delete the file /themes/mobile/views/discussions/helper_functions.php
  • Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)

Security Patches in 2.2.1

  • Upgrade htmLawed library to 1.1.21 (security fix). Thanks to psych0tr1a for responsibly disclosing this.
  • Fix condition where a filename could be echoed back to user (unsanitized output).

Change log for 2.2.1

  • Sets email default to text. This is future-proofing for HTML emails being added in 2.3.
  • Fix RSS feed when using table layout (thanks to korelstar).
  • Fix breadcrumbs when Vanilla is installed in a sub-directory (thanks to korelstar).
  • Fix translation bug in Captcha.
  • Fix where an error could be thrown on certain 404 pages.
  • Fix redirect after deleting an activity.

We recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme. Troubleshooting tips.

The 2.2 branch is now in maintenance mode, which means it is only receiving security patches until the release of 2.3.

«13

Comments

  • kopnakopna Coimbra Portugal ☯

    How about Updates of automatic without intervention in manual mode?

  • LincLinc Detroit Admin
    edited May 2016

    @kopna said:
    How about Updates of automatic without intervention in manual mode?

    Our hosted service essentially does that. We don't have plans to add automatic updates to the product at this time. Mostly because it would take an incredible amount of time to accomplish.

  • kopnakopna Coimbra Portugal ☯

    @Linc написал:

    @kopna said:
    How about Updates of automatic without intervention in manual mode?

    Our hosted service essentially does that. We don't have plans to add automatic updates to the product at this time. Mostly because it would take an incredible amount of time to accomplish.

    Perhaps for the business model is the best option. But - unfortunately my hosting provider even heard of Vanilla! :( And all actions related to upgrades - I own doing. It is sad that the proposed package of CMS is anything other than vanilla. It would be really helpful to use Vanilla automatically updated, thank you!

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    @kopna said:
    Perhaps for the business model is the best option.

    It is.

    But - unfortunately my hosting provider even heard of Vanilla! :(

    You are in Ukraine ? They should, otherwise they are not good.

    And all actions related to upgrades - I own doing.

    Yes, because this is free software and you should be capable of updating when necessary.

    It is sad that the proposed package of CMS is anything other than vanilla. It would be really helpful to use Vanilla automatically updated, thank you!

    Why ? because you might be lazy ? What if some plugins are not compatible with the update and it crashes your site ? What if some setting or your theme does not work with the update ? Automatic updates are for absent admins and lazy people. Get a grip !!!

  • LincLinc Detroit Admin

    @vrijvlinder No need to come down that hard on innocent questions. ;) Easy to lose perspective when you see the presumption and the questioner does not, but sometimes it's best to just let it slide. Not a big deal.

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    Незнання не Невинність….

  • kopnakopna Coimbra Portugal ☯

    @Linc , @vrijvlinder
    Thank you for your answers. Later I will try to update vanilla (now change my hosting platform)

    @vrijvlinder I'm from Ukraine but for many years living in Portugal. Sure that the provider does not know about vanilla, always asks for this site link when I'm having some difficulties and need their help.

  • x00x00 MVP
    edited May 2016

    I'm really against the type of upgrades that wordpress does out of the box. Although it is convenient it gives level of control to a web application it shouldn't really have. it is not the job of a web app to manage your sever, and do file management other then in very limited way. If ti has this control you are probably doing it wrong. it is the tail wagging the dog.

    It can be done another way where the credential are not held by the web app, but the process is still automated.

    grep is your friend.

  • PamelaPamela ✭✭

    Hi, thank to you for this update
    We 're still using a older version called 2.2.5 (downloaded from GitHub, early 2014), so ;-) do you know if we could upgrade it to v2.2.1
    May be we should stay as it in fact... in waiting an upcoming v2.3

  • LincLinc Detroit Admin

    Hi @Pamela, yes you can and should upgrade to the official 2.2.1 release. Your version likely has known security vulnerabilities. For all intents and purposes, you are upgrading from 2.1 and should follow all upgrade instructions accordingly, including carefully testing theme and addon compatibility before upgrading your live server.

  • LincLinc Detroit Admin

    Thanks to psych0tr1a for discovering and responsibly disclosing an XSS exploit in the htmLawed software to us, which we promptly reported upstream and was fixed by them. I added a credit above in the release notes.

  • Hello i got notified 7 hrs ago that there's a new update via softaculous i used the 1 click upgrade , it was successful. is it ok i updated it this way?

  • LincLinc Detroit Admin

    @maxyaeger Unfortunately I have no idea, I'm not familiar with that process.

  • edited May 2016

    Just a note on the upgrade from 2.2. My roles&permissions were messed up... By messed up i mean no guest could view forum posts/comments. Guest had 'unconfirmed' role.. I changed that to 'Guests' and it works.. again

  • LincLinc Detroit Admin

    @CrazyLemon Thanks for the heads up. This was just the patch upgrade from 2.2 to 2.2.1? Are you sure you ran utility/update after the last update? I would've expected an issue like that to present itself on the 2.1 -> 2.2 upgrade.

  • edited May 2016

    @Linc that was from 2.2 to 2.2.1 yeah. I did ran utility/update and it was Successful (after i disabled a few plugins). I only noticed the issue when i checked Piwik and saw every forum url had /entry/signin=Target stuff in it.
    I know you guys didn't change any role/permissions related files on the .1 update (at least i didn't see any on github) so yea.. i'm still confused why that happened.

  • After replace new files doesn't work update via open url %my_domen%/index.php?p=/utility/update. When I try to run update I see HTTP ERROR 500.

  • PamelaPamela ✭✭

    @Linc said:
    Hi @Pamela, yes you can and should upgrade to the official 2.2.1 release. Your version likely has known security vulnerabilities. For all intents and purposes, you are upgrading from 2.1 and should follow all upgrade instructions accordingly, including carefully testing theme and addon compatibility before upgrading your live server.

    Well, test done without any issues! thanks to @Linc, so we 're close to be ready ;-) for upcoming 2.3 version

    We 're using your default theme (only made minor CSS color changes) and this great FileUpload addon (from Github) is still workin'... it seems right for us

  • @Ivan_Gurin said:
    After replace new files doesn't work update via open url %my_domen%/index.php?p=/utility/update. When I try to run update I see HTTP ERROR 500.

    As a relatively new "admin" of a Vanilla installation (used it a lot as a regular member and decided to try and get my local group interested in it) I am a bit worried about the upgrade process going wrong on me when I read comments like this, and blowing a big hole in my efforts to get all of my friends to adopt Vanilla.

    I only run a private community - no one can sign up and only users I've added myself can even view the forum. In this case will it be safe to skip this update until I'm a bit more familiar with the software?

    Softaculous sounds interesting but it's a paid service and I couldn't easily see how to add software you've already got intalled to their one-click upgrade service, but it shows it can be done.

  • R_JR_J Ex-Fanboy Munich Admin

    @Ivan_Gurin: error 500 is a server problem. You have to check your server logs in order to get a hint on what is wrong

    @collents: don't rely on one click installers. Setting up Vanilla is a no brainer.
    If you make a backup of your database, an update bears no danger at all. If there really is a problem, you could simply get a copy of the previous version, restore your database and you are up and running again. There is no reason for not updating your installation.

Sign In or Register to comment.