
Vanilla 2.1.10 released - critical security update

Linc Detroit Admin
edited May 2015 in Releases

If you have difficulty upgrading, please start a new discussion for assistance.

This release addresses two security issues and a few other bugs.

Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.10

Upgrade Steps

  • Backup your database, .htaccess and conf/config.php file somewhere safe.
  • Upload the new release's files so they overwrite the old ones.
  • Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
  • If it fails, try it a second time by refreshing the page. More troubleshooting tips.

To upgrade to 2.1.10 directly from 2.0.x, add these steps:

  • Delete the file /themes/mobile/views/discussions/helper_functions.php
  • Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)

Security Patches in 2.1.10

  • Fixes an SSRF (server-side request forgery) vulnerability. Hat tip to Neal Poole (Facebook Security) for disclosing this issue.

Other changes in 2.1.10

  • Removed unused WordPress functions.
  • Removed unused method RenderAlternate.

We recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme. Troubleshooting tips.

This is potentially the final release of the 2.1 branch.

Comments

  • Linc Detroit Admin

    Added security credit for Neal Poole – Facebook Security.

  • Dr_Sommer Dr. of tender Programing ;) ✭✭

    Hi, where can I see the Code differences between 2.1.9 and 2.1.10?
    Would like to do it manually, thx... ;)

  • hgtonight ∞ · New Moderator

    @Dr_Sommer if you are going to perform manual fixes, you should learn how to create a diff.

    1. Download 2.1.9
    2. Download 2.1.10
    3. Do a diff
    4. Apply the changes

    If you are at all savvy with GitHub, you can use the commit compare tool to see a diff online. For example: Discussion Polls V 1.3 -> V 1.3.4

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
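A check worth running before step 4 of the procedure above, added here as an example (it is not hgtonight's or the Vanilla project's code): compare the previous release, the new release and your live install to find which files the release changes, which files you changed locally, and the intersection. Only files in the intersection need a hand merge; everything else can be overwritten or left alone. The directory names and file contents in the demo are constructed; in real use point it at the two unpacked release archives and the install.

```shell
#!/bin/sh
# Added example, not from the thread or the Vanilla project: before hand-merging a point
# release, find out which files the release changes, which files you have modified
# locally, and the intersection, which are the only ones that need a manual merge.
# Directory names and file contents are constructed for the demo; in real use point it
# at the two unpacked release archives and your live install.
set -eu

# Prints the relative paths of files that differ between two trees (changed, added or
# removed), sorted, one per line. Uses only find and cmp, so it works on a bare host.
changed_files() {  # $1 = base tree, $2 = other tree
    { (cd "$1" && find . -type f); (cd "$2" && find . -type f); } | sort -u |
    while IFS= read -r f; do
        if [ ! -f "$1/$f" ] || [ ! -f "$2/$f" ] || ! cmp -s "$1/$f" "$2/$f"; then
            printf '%s\n' "${f#./}"
        fi
    done
}

# Prints files changed by the release AND by you: a blind overwrite loses your change,
# a blind skip loses the fix, so these are the ones to merge by hand.
merge_candidates() {  # $1 = previous release, $2 = new release, $3 = your install
    lists=$(mktemp -d)
    changed_files "$1" "$2" | sort > "$lists/release"
    changed_files "$1" "$3" | sort > "$lists/local"
    comm -12 "$lists/release" "$lists/local"
    rm -rf "$lists"
}

# Constructed fixtures: previous release, new release, and an install based on the
# previous release with local edits.
demo_setup() {  # $1 = scratch dir
    for t in v2.1.9 v2.1.10 site; do
        mkdir -p "$1/$t/library"
        printf 'core\n'     > "$1/$t/library/core.php"
        printf 'proxy v1\n' > "$1/$t/library/proxy.php"
        printf 'theme v1\n' > "$1/$t/theme.php"
    done
    printf 'proxy v2 (patched)\n'   > "$1/v2.1.10/library/proxy.php"  # changed by release
    printf 'new\n'                  > "$1/v2.1.10/library/new.php"    # added by release
    printf 'core\nlocal tweak\n'    > "$1/site/library/core.php"      # changed locally only
    printf 'proxy v1\nlocal hack\n' > "$1/site/library/proxy.php"     # changed by both
    printf 'settings\n'             > "$1/site/conf.php"              # local-only file
}

demo() {
    work=$(mktemp -d)
    demo_setup "$work"
    echo "changed by the release:"; changed_files "$work/v2.1.9" "$work/v2.1.10"
    echo "changed locally:";        changed_files "$work/v2.1.9" "$work/site"
    echo "need a manual merge:";    merge_candidates "$work/v2.1.9" "$work/v2.1.10" "$work/site"
    rm -rf "$work"
}
demo
```

On the constructed trees the release changes library/proxy.php and adds library/new.php, the install has local edits in library/core.php, library/proxy.php and conf.php, and the only merge candidate is library/proxy.php. A non-empty "changed locally" list is also the inventory of edits that, per the announcement, belong in a plugin or theme rather than in core.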

  • x00 MVP
    edited May 2015

    @Dr_Sommer said:
    Hi, where can I see the Code differences between 2.1.9 and 2.1.10?
    Would like to do it manually, thx... ;)

    I don't know why people insist on doing this. Unless you have the exact previous version you can become unstuck, it is easy to make a mistake, and people like me have to unravel the mess.

    What does manually mean, as in copy and pasting? Well then next time you are unlikely to have an exact copy, kinda stupid. Or are you going to properly apply the diff? If you have a diff tool like that then you likely also have ssh, rsync, etc. so you can upgrade quickly and efficiently anyway.

    Just upgrade normally.

    grep is your friend.

  • Dr_Sommer Dr. of tender Programing ;) ✭✭

    @hgtonight: yes, exactly what I was searching for... the GitHub diff presentation, like in the 2.1.9 version, but not sure how to use it...

    @X00:
    Explanation:

    It's my first Vanilla Forum and I made some changes that I don't even remember anymore... :D:D:D

    Because the changes from 2.1.9 to 2.1.10 seem to be minor, I would rather make the code changes manually and not risk F**ing it up and angering my users.. ;)

    I'll do this just till the 2.2 version is out! THEN I'll do a nice update and fight with the changes I made myself, but with the knowledge of TODAY... :D

    It's like getting your first PC and loading tons of useless stuff to try it out... after time and proper knowledge the next fresh install is always awesome... :D:D

  • Linc Detroit Admin

    I've stopped providing a diff because I don't want to encourage that upgrade approach.

  • Guido Richter

    Is there a best practice command to overwrite a folder "vanilla" from ssh with the update-archive?

  • x00 MVP

    @Guido Richter said:
    Is there a best practice command to overwrite a folder "vanilla" from ssh with the update-archive?

    It has the relevant files; follow the upgrade instructions and back up the folder first. You can use scp and you will normally be fine; rsync will be more optimised. You have to learn how to use either.

    However, the minor inconvenience of upgrading isn't worth skimping on.

    grep is your friend.
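The announcement's Upgrade Steps and the scp/rsync answer above, written out as one script. This is an added example, not Vanilla's own tooling and not x00's command: it backs up conf/config.php, .htaccess and (when a database name is supplied) the database, overlays the unpacked release on the install with rsync while protecting conf/config.php, and then calls /utility/update. The install path, release path, forum URL and the DB_NAME variable are assumptions; the demo at the bottom runs on constructed directories so it needs no server or database. One caveat the steps imply but do not spell out: rsync without --delete never removes files the new release stopped shipping, which is exactly why the 2.0.x notes tell you to delete two files by hand, and adding --delete would also wipe your plugins, themes and uploads, so stale files are removed manually.

```shell
#!/bin/sh
# Added example, not Vanilla's own tooling: the announcement's upgrade steps as one
# script (back up, overlay the release, run /utility/update), plus a demo on
# constructed directories so it runs without a server or database.
# Assumed for real use: install dir /var/www/vanilla, the unpacked release in
# /path/to/vanilla-core-2.1.10, forum URL https://yourforum.com, DB_NAME set for mysqldump.
set -eu

# Step 1: back up conf/config.php, .htaccess and (when DB_NAME is set) the database
# into a timestamped directory under $2. Prints the backup directory's path.
backup_site() {  # $1 = install dir, $2 = backup root
    dest="$2/vanilla-backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest/conf"
    cp -p "$1/conf/config.php" "$dest/conf/config.php"
    if [ -f "$1/.htaccess" ]; then cp -p "$1/.htaccess" "$dest/.htaccess"; fi
    if [ -n "${DB_NAME:-}" ]; then   # assumption: DB name supplied by the caller
        mysqldump --single-transaction "$DB_NAME" > "$dest/db.sql"
    fi
    printf '%s\n' "$dest"
}

# Step 2: copy the release over the install so new files overwrite old ones, but never
# touch conf/config.php. rsync without --delete leaves behind files the new release no
# longer ships (hence the two "delete this file" steps for 2.0.x), and --delete would
# also remove your plugins, themes and uploads, so stale files are removed by hand.
overlay_release() {  # $1 = unpacked release dir, $2 = install dir
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --exclude=conf/config.php "$1/" "$2/"
    else
        # Fallback when rsync is missing: plain copy, then restore the protected config.
        cp -p "$2/conf/config.php" "$2/conf/config.php.keep"
        cp -R "$1/." "$2/"
        mv "$2/conf/config.php.keep" "$2/conf/config.php"
    fi
}

# Step 3: trigger the database/structure update. A second attempt is made if the first
# fails, as the announcement suggests. Not run in the demo (needs the live forum).
run_update_step() {  # $1 = forum base URL
    curl -fsS -o /dev/null "$1/index.php?p=/utility/update" \
        || curl -fsS -o /dev/null "$1/index.php?p=/utility/update"
}

# Constructed fixtures: an install with a real config and old code, and a "release"
# that ships patched code, a new config-defaults.php and a placeholder conf/config.php
# (included only to prove the overlay never replaces the live config).
demo_setup() {  # $1 = scratch dir; creates $1/site and $1/new
    mkdir -p "$1/site/conf" "$1/site/library" "$1/new/conf" "$1/new/library"
    printf "<?php \$Configuration['Database']['Name'] = 'forum';\n" > "$1/site/conf/config.php"
    printf 'RewriteEngine On\n' > "$1/site/.htaccess"
    printf 'old proxy code\n' > "$1/site/library/proxy.php"
    printf 'patched proxy code\n' > "$1/new/library/proxy.php"
    printf '<?php // defaults only\n' > "$1/new/conf/config-defaults.php"
    printf '<?php // placeholder, NOT your settings\n' > "$1/new/conf/config.php"
}

# Runs steps 1 and 2 on the fixtures and shows what changed and what was kept.
demo() {
    work=$(mktemp -d)
    demo_setup "$work"
    backup=$(backup_site "$work/site" "$work")
    overlay_release "$work/new" "$work/site"
    echo "backup in: $backup"
    echo "library/proxy.php now: $(cat "$work/site/library/proxy.php")"
    echo "conf/config.php kept:  $(cat "$work/site/conf/config.php")"
    echo "next step: run_update_step https://yourforum.com"
    rm -rf "$work"
}
demo
```

After a real run, diff the backed-up .htaccess against the new one before going live, since the release may have overwritten local rewrite rules, and if the update page reports a failure, refresh it once as the announcement says before digging further.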

  • Not sure why but every time I do an update I get a failure message, but when I check the dashboard the new version is installed. I do have the 'maintenance mode' plugin running when I update, not sure if this is part of the issue.


  • JasonBarnabe Cynical Salamander ✭✭

    Is the security issue this release fixes only a problem if you use Facebook as a login option? I only have jsConnect...

    I ask because I have about a dozen patches that I need to apply on every upgrade, so I'd rather skip if it's not necessary.

  • Linc Detroit Admin

    @JasonBarnabe said:
    Is the security issue this release fixes only a problem if you use Facebook as a login option?

    No, it's completely unrelated to that. It affects every install.
