NEW critical security update: Vanilla 2.6.3
All installations must be upgraded to Vanilla 2.6.3 immediately. Please follow the upgrade instructions in the README. (Version 2.6.2 was defective and has been replaced.)
This release contains multiple critical security patches. There are no new features or backwards-incompatible changes.
A security update to the 2.5 branch of Vanilla is also now available as 2.5.6. If you are able to run PHP 7.0+ we strongly recommend you do so immediately and upgrade to 2.6.3 (above).
All of the issues patched in these releases were brought to our attention responsibly via our HackerOne campaign, which you can view and participate in by visiting https://hackerone.com/vanilla. We're not aware of any of the issues being exploited in the wild or being otherwise publicized at this time. That said, you should upgrade immediately because it's often easy to infer previous vulnerabilities from the patched code.
Comments
Error while updating from 2.6.1 to 2.6.2, Fatal Error in DashboardHooks.dashboardNavModule_init_handler();
Class 'Vanilla\FeatureFlagHelper' not found
Ok. This is my first time trying to update my forum. I have 2.6.1. I downloaded the zip file into winzip. There are a ton of files, do I have to install all of them in cPanel or is there certain files? Or do I just upload the entire zip file? Also I am happy to pay someone to do this for me. I don’t think I have the technical ‘know how’. Just pm me if you can help me.
Watch Out!
That version as of now will crash your dashboard, but there is an easy fix, which @pico34 already showed here
Since there are security issues addressed in this package, I would advise not waiting until this is patched, but simply doing it yourself - something I normally never would have said...
Go to lines 330 - 337
Edit line 331 so that it looks like here
It is really easy, don't worry.
@Linc
I think possibly some stuff got merged in that shouldn't have, as I only moved from 2.6.1 to 2.6.2 and there are breaking changes, beyond the one mentioned. I'm doing a lot of custom stuff, but I got those working for the last update and now they are not.
Edit: it was Smarty related. Just removed pass by reference (e.g. &$smarty to $smarty in custom Smarty functions).
grep is your friend.
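As an added illustration of the Smarty fix described in the comment above (this is not code from the thread or from Vanilla; the plugin name smarty_function_example_badge and its output markup are assumptions), the old and new signature of a custom Smarty function plugin side by side:

```php
<?php
// Added example, not Vanilla's own code. Hypothetical custom Smarty function plugin,
// typically kept in a plugins/<name>/ directory of the forum (path is an assumption).
//
// Old Smarty-2-style signature that takes the engine by reference:
//     function smarty_function_example_badge($params, &$smarty)
// This is what the comment above reports as breaking after the 2.6.x upgrade.
//
// Corrected signature: the template object is passed by value. Objects are handles
// in PHP 5+/7, so no reference is needed to call methods on the same instance.
function smarty_function_example_badge($params, $smarty)
{
    // Read the template parameter, defaulting to an empty label.
    $label = isset($params['label']) ? (string)$params['label'] : '';

    // Escape before returning markup into the template to avoid injecting HTML
    // from user-controlled data.
    return '<span class="Badge">'.htmlspecialchars($label, ENT_QUOTES, 'UTF-8').'</span>';
}
```

To find every custom plugin that still uses the old form, a recursive search such as `grep -rn '&\$smarty' plugins/ themes/` (run from the forum root, directory names assumed) lists the signatures to change.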
Can I edit the class.hooks.php file on my desktop, and then update my server?
Or should I make the changes after updating my Vanilla forum?
By the way, was the vulnerability made public?
P.S. It is /applications/dashboard/settings/class.hooks.php
That's odd; we haven't changed anything about that as far as I know.
Fixing now. Version 2.6.3 incoming.
It's never a good sign when I wake up in the morning and there's actually comments on the release discussion!
Version 2.6.3 is up, now.
Softaculous has not yet updated to the latest version, so that is why we should not use auto-installers I assume.
Since the patches are critical and damage may be done to forums I will report a new version now and I advise all users who still use auto-installers or at least have the option to use to report it too so that Softaculous updates sooner from 2.6.2 to 2.6.3.
Is 2.6.3 only fixing bugs or also security updates?
Anyway, thanks to Vanilla Forums developers for informing us and for fixing security issues so quick.
I'm right now struggling with replacing a Softaculous 2.6.1 Vanilla with Vanilla 2.6.3 and I cannot succeed! Really frustrating...
Yes, it was odd.
Don't worry, it's more important to get the security release out. Minor inconvenience.
grep is your friend.
2.6.3 is purely a security release. I scrubbed 2.6.2, the first attempt to release the security patches, due to a problem with one of the patches' compatibility. That compatibility fix was the only change between 2.6.2 (yesterday) and 2.6.3 (today).
I don't have anything against auto-installers, but I also have no idea how to notify Softaculous or any other third party about new Vanilla releases. They operate on their own schedule.
If you have Softaculous on your server, you can click the "Report New Version" button.
Otherwise, leave it to us, Softaculous users. Currently the version available is 2.6.2 and since it will just damage my installation, I will not upgrade and wait patiently for Softaculous to update their versions.
There is always the Contact option too if they are too late on updating and many days have passed.
The problem with them is that they alter Vanilla somehow and if anything is not working as expected you can never tell if it is a problem with the original script or caused by the installer.
Yesterday I tried to update a 2.6.1 Softaculous installation by simply copying the new files into the existing installation and ended up with an unexplainable 403 error.
The end result has been a total wipe of the folder and a clean installation.
From my point of view auto-installers are great to test a lot of CMS/forum/gallery/whatever scripts, but they suck in production environments.
Thanks for the security update. Luckily I didn't see the 2.6.2 announcement and was able to go right from 2.6.1 to 2.6.3 without issue.
So consider this throwing some love to the devs working on this! I know you guys mostly hear from users when things are NOT working!!! Thanks again.
For any Softaculous user interested, Softaculous has now upgraded to Vanilla 2.6.3, one day after the patch.
So is it safe to use Softaculous for the update today?
Of course, there is no problem with that.
The problem here was that they updated the release only a day afterwards: they had 2.6.2 and, as it seems, they don't bother checking why it was not good for forums, and only after the new version was reported did they update it.
Also, @R_J said they alter Vanilla somehow, so if you install it with Softaculous once, it will be very hard to maintain it yourself afterwards and you will have to wait for Softaculous to make the new version available.
By the way, making the new version available one day after the post is not so bad, I think. I should check on their antagonist, Fantastico F3, and see how they are doing. Currently they have 2.6.3 as the latest version, so Fantastico users can also update safely.