NEW critical security update: Vanilla 2.6.3

Linc Detroit Admin
edited September 2018 in Releases

All installations must be upgraded to Vanilla 2.6.3 immediately. Please follow the upgrade instructions in the README. (Version 2.6.2 was defective and has been replaced.)

This release contains multiple critical security patches. There are no new features or backwards-incompatible changes.

A security update to the 2.5 branch of Vanilla is also now available as 2.5.6. If you are able to run PHP 7.0+ we strongly recommend you do so immediately and upgrade to 2.6.3 (above).

All of the issues patched in these releases were brought to our attention responsibly via our HackerOne campaign, which you can view and participate in by visiting https://hackerone.com/vanilla. We're not aware of any of the issues being exploited in the wild or being otherwise publicized at this time. That said, you should upgrade immediately because it's often easy to infer previous vulnerabilities from the patched code.

Comments

  • pioc34 Pézenas ✭✭

    Error while updating from 2.6.1 to 2.6.2, Fatal Error in DashboardHooks.dashboardNavModule_init_handler();
    Class 'Vanilla\FeatureFlagHelper' not found

  • Ok. This is my first time trying to update my forum. I have 2.6.1. I downloaded the zip file into winzip. There are a ton of files, do I have to install all of them in cPanel or is there certain files? Or do I just upload the entire zip file? Also I am happy to pay someone to do this for me. I don’t think I have the technical ‘know how’. Just pm me if you can help me.

  • R_J Ex-Fanboy Munich Admin

    Watch Out!

    That version as of now will crash your dashboard, but there is an easy fix, which @pioc34 already showed here

    Since there are security issues addressed in this package, I would advise to not wait until this is patched, but to simply do it yourself - something I normally never would have said... :mrgreen:

    1. Download the zip file from here
    2. Unpack it to your server
    3. Edit /applications/dashboard/structure/class.hooks.php like that:

    Go to line 330 - 337

                ->addLinkIf(
                    \Vanilla\FeatureFlagHelper::featureEnabled('Import') && $session->checkPermission('Garden.Import'),
                    t('Import'),
                    '/dashboard/import',
                    'forum-data.import',
                    '',
                    $sort
                );
    

    Edit line 331 so that it looks like here

                ->addLinkIf(
                    $session->checkPermission('Garden.Import'),
                    t('Import'),
                    '/dashboard/import',
                    'forum-data.import',
                    '',
                    $sort
                );
    

    It is really easy, don't worry.
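    As an added example (not code from this thread or from Vanilla), the following POSIX shell helper applies the one-line workaround above with the safety steps an admin would want: it checks first whether the install tree already ships the missing class (in which case no edit is needed), refuses to touch a file that does not contain the exact condition, keeps a .bak copy, and verifies the result. Both paths are passed in by the caller; detecting the class by grepping for "class FeatureFlagHelper" is an assumption about how it would appear in the source.

```shell
#!/bin/sh
# Added example, not code from the thread or from Vanilla. Applies the
# one-line workaround to class.hooks.php: only if the exact condition is
# present, with a .bak backup, and without touching any other line.

# Return 0 when the Vanilla tree under $1 already ships the class the
# 2.6.2 dashboard hook expects; then the edit is unnecessary.
# (Assumption: the class is declared as "class FeatureFlagHelper".)
has_feature_flag_helper() {
  grep -rqF -- "class FeatureFlagHelper" "$1" 2>/dev/null
}

# Replace the condition on the addLinkIf() line in file $1, keeping the
# session permission check so the Import link stays admin-only.
patch_import_link() {
  file="$1"
  old="\\Vanilla\\FeatureFlagHelper::featureEnabled('Import') && \$session->checkPermission('Garden.Import'),"
  new="\$session->checkPermission('Garden.Import'),"

  if ! grep -qF -- "$old" "$file"; then
    echo "patch_import_link: condition not found in $file, nothing changed" >&2
    return 2
  fi
  cp -- "$file" "$file.bak" || return 1
  tmp="$file.tmp"
  : > "$tmp" || return 1
  # Exact-string replacement via parameter expansion, so the backslashes,
  # parentheses and $ in the PHP line cannot misfire as sed metacharacters.
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"$old"*) line="${line%%"$old"*}$new${line#*"$old"}" ;;
    esac
    printf '%s\n' "$line" >> "$tmp"
  done < "$file"
  mv -- "$tmp" "$file" || return 1
  # Verify: the old condition must be gone and the new one present.
  ! grep -qF -- "$old" "$file" && grep -qF -- "$new" "$file"
}

# Usage: sh patch_hooks.sh /path/to/vanilla /path/to/class.hooks.php
if [ $# -eq 2 ]; then
  if has_feature_flag_helper "$1"; then
    echo "FeatureFlagHelper already present; no workaround needed"
  else
    patch_import_link "$2"
  fi
fi
```

    Once 2.6.3 is installed the hook file is replaced wholesale, so the .bak copy is only there to undo the interim edit on a 2.6.2 tree.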

  • x00 MVP
    edited September 2018

    @Linc

    I think possibly some stuff got merged in that shouldn't, as I only moved from 2.6.1 to 2.6.2 and there are breaking changes beyond the one mentioned. I'm doing a lot of custom stuff, but I got those working for the last update and now they don't.

    Edit: it was Smarty related. I just removed pass by reference (e.g. &$smarty to $smarty in custom Smarty functions).

    grep is your friend.

  • Can I edit class.hooks.php file on my desktop, and then update my server ?
    Or should I make the changes after updating my vanilla forum ?

    By the way, was the vulnerability made public ?

    P.S. It is /applications/dashboard/settings/class.hooks.php

    @R_J said:

    Watch Out!

    That version as of now will crash your dashboard, but there is an easy fix, which @pioc34 already showed here

    Since there are security issues addressed in this package, I would advise to not wait until this is patched, but to simply do it yourself - something I normally never would have said... :mrgreen:

    1. Download the zip file from here
    2. Unpack it to your server
    3. Edit /applications/dashboard/structure/class.hooks.php like that:

    Go to line 330 - 337

                ->addLinkIf(
                    \Vanilla\FeatureFlagHelper::featureEnabled('Import') && $session->checkPermission('Garden.Import'),
                    t('Import'),
                    '/dashboard/import',
                    'forum-data.import',
                    '',
                    $sort
                );
    

    Edit line 331 so that it looks like here

                ->addLinkIf(
                    $session->checkPermission('Garden.Import'),
                    t('Import'),
                    '/dashboard/import',
                    'forum-data.import',
                    '',
                    $sort
                );
    

    It is really easy, don't worry.

  • Linc Detroit Admin

    @x00 said:
    it was smarty related. Just removed pass by reference (e.g. &$smarty to $smarty in custom smarty functions)

    That's odd; we haven't changed anything about that as far as I know.

  • Linc Detroit Admin
    edited September 2018

    @R_J said:
    That version as of now will crash your dashboard

    Fixing now. Version 2.6.3 incoming.

    It's never a good sign when I wake up in the morning and there are actually comments on the release discussion!

  • Linc Detroit Admin

    Version 2.6.3 is up, now.

  • PCTipsGR Unknown New

    Softaculous has not yet updated to the latest version, so that is why we should not use auto-installers I assume.

    Since the patches are critical and damage may be done to forums I will report a new version now and I advise all users who still use auto-installers or at least have the option to use to report it too so that Softaculous updates sooner from 2.6.2 to 2.6.3.

    Is 2.6.3 only fixing bugs or also security updates?

    Anyway, thanks to Vanilla Forums developers for informing us and for fixing security issues so quick.

  • R_J Ex-Fanboy Munich Admin

    I'm right in the moment struggling with replacing a softaculous 2.6.1 Vanilla with Vanilla 2.6.3 and I cannot succeed! Really frustrating...

  • @Linc said:

    @x00 said:
    it was smarty related. Just removed pass by reference (e.g. &$smarty to $smarty in custom smarty functions)

    That's odd; we haven't changed anything about that as far as I know.

    Yes, it was odd.

    @Linc said:

    @R_J said:
    That version as of now will crash your dashboard

    Fixing now. Version 2.6.3 incoming.

    It's never a good sign when I wake up in the morning and there are actually comments on the release discussion!

    Don't worry, it's more important to get the security release out. Minor inconvenience.

    grep is your friend.

  • Linc Detroit Admin
    edited September 2018

    @PCTipsGR said:
    Is 2.6.3 only fixing bugs or also security updates?

    2.6.3 is purely a security release. I scrubbed 2.6.2, the first attempt to release the security patches, due to a problem with one of the patches' compatibility. That compatibility fix was the only change between 2.6.2 (yesterday) and 2.6.3 (today).

  • Linc Detroit Admin

    @PCTipsGR said:
    Softaculous has not yet updated to the latest version, so that is why we should not use auto-installers I assume.

    I don't have anything against auto-installers, but I also have no idea how to notify Softaculous or any other third party about new Vanilla releases. They operate on their own schedule.

  • PCTipsGR Unknown New

    @Linc said:

    @PCTipsGR said:
    Softaculous has not yet updated to the latest version, so that is why we should not use auto-installers I assume.

    I don't have anything against auto-installers, but I also have no idea how to notify Softaculous or any other third party about new Vanilla releases. They operate on their own schedule.

    If you have Softaculous on your server, you can click the "Report New Version" button.

    Otherwise, leave it to us, Softaculous users. Currently the version available is 2.6.2 and since it will just damage my installation, I will not upgrade and wait patiently for Softaculous to update their versions.

    There is always the Contact option too if they are too late on updating and many days have passed.

  • R_J Ex-Fanboy Munich Admin

    @Linc said:

    @PCTipsGR said:
    Softaculous has not yet updated to the latest version, so that is why we should not use auto-installers I assume.

    I don't have anything against auto-installers

    The problem with them is that they alter Vanilla somehow and if anything is not working as expected you can never tell if it is a problem with the original script or caused by the installer.

    Yesterday I tried to update a 2.6.1 Softaculous installation by simply copying the new files into the existing installation and ended up with an unexplainable 403 error.
    The end result has been a total wipe of the folder and a clean installation.

    From my point of view auto-installers are great to test a lot of CMS/forum/gallery/whatever scripts, but they suck in production environments.

  • Thanks for the security update. Luckily I didn't see the 2.6.2 announcement and was able to go right from 2.6.1 to 2.6.3 without issue.

    So consider this throwing some love to the devs working on this! I know you guys mostly hear from users when things are NOT working!!! Thanks again.

  • PCTipsGR Unknown New

    For any Softaculous user interested, Softaculous has now upgraded to Vanilla 2.6.3, one day after the patch.

  • @PCTipsGR said:
    For any Softaculous user interested, Softaculous has now upgraded to Vanilla 2.6.3, one day after the patch.

    So is it safe to use Softaculous for the update today?

  • PCTipsGR Unknown New

    @mauwiks said:

    @PCTipsGR said:
    For any Softaculous user interested, Softaculous has now upgraded to Vanilla 2.6.3, one day after the patch.

    So is it safe to use Softaculous for the update today?

    Of course, there is no problem with that.

    The problem here was that they updated the release only a day afterwards, they had 2.6.2 and as it seems they don't bother checking why it was not good for forums, and only after reporting new version they updated it.

    Also, @R_J said they alter Vanilla somehow, so if you install it with Softaculous once, it will be very hard to maintain it yourself afterwards and you will have to wait for Softaculous to make the new version available.

    By the way, making new version available one day after the post is not so bad I think. I should check out on their antagonist, Fantastico F3, and see how they are doing. Currently they have 2.6.3 as latest version, so Fantastico users can also update safely :smile:
