Vanilla 2.6 is here! It includes security fixes and requires PHP 7.0. We have therefore ALSO released Vanilla 2.5.2 with security patches if you are still on PHP 5.6 to give you additional time to upgrade.
Vanilla 2.5 - the stable gold release - can now be downloaded. The upgrade instructions are in the README.md as part of the download. This release brings a completely revised Dashboard, a native REST…
This upgrade includes:
* A critical upgrade to the PHPMailer library to prevent remote code execution.
* Mitigation of a medium-level exploit of the HTTP_HOST header.
* Additional minor fixes …
Just past noon (ET) we were contacted for comment about "vulnerabilities in Vanilla Forums that were apparently reported back in December" by a blog. We were linked to two vulnerabilities that were p…
If you are using master branch from git, please note the HTTP_HOST patch is not included in it yet. This is because we are still working on a nicer fix and/or our own internal systems have not yet be…
The critical security flaw in PHPMailer was already not present in the 2.4 prerelease. If you are using 2.4a, you may continue doing so. To close the HTTP_HOST flaw if you're not sanitizing HTTP_HOST…