To Upgrade or Not To Upgrade?

  • To Upgrade or Not To Upgrade?

    I download security patches as soon as I find them. However, for something such as upgrading 3.8.4 to 3.8.5, how useful is it? No doubt there are some enhancements/bug fixes in the newer version. But how do upgrades like that affect security? If it turns out there's a big XSS flaw in the coding, would vBulletin release a patch for 3.8.4 rather than forcing you to upgrade to 3.8.5? I ask because when I signed up for vBulletin (about a year ago), the latest version was 3.8.3. Since then, I've upgraded all the way to 3.8.5. Some of the mods I've gotten from vbulletin.org were written in the early days of 3.8.x, and I'm pretty sure one of the ones I'm using is no longer being supported. I don't want to compromise security, but if updating from .5 to .6 (when the day comes) makes no difference with security, and I can keep on using a great forum with functioning modifications, then do I necessarily need to upgrade my forum?

  • #2
    If an exploit is discovered for 3.8.x now, the fix will be released for 3.8.5 not 3.8.4. The fix may work on 3.8.4 but we wouldn't support it.

    • #3
      But I've downloaded several security patches for the past year that were released (when needed) before a new upgrade to that version of vBulletin came out. Do you mean to say that on some security issues, upon their discovery, you don't address them until the next upgrade? I don't mean to sound rude, I'm just trying to understand what the protocol is when security flaws are discovered.

      • #4
        We only address security issues in the most current versions.

        If an exploit is found in the 3.8.x line, and the current version is 3.8.5, the fix is released only for 3.8.5.

        • #5
          If a security issue is discovered, how likely is it for it to affect VB versions prior to the current release? I can imagine that, while upgrading the software, something can get overlooked that isn't discovered until later. But does the vBulletin staff test the software constantly (while it's the latest release) to make sure all i's are dotted and all t's are crossed?

          • #6
            They normally affect a line, or several lines.

            • #7
              So a line would be like 3.x.x or 4.x.x, right?

              • #8
                There have been issues with 4.x and 3.x at the same time. The fact of the matter is we only release security patches for the most recent version of the supported products.

                vbulletin 3.8.5
                vbulletin 4.0.3 suite
                vbulletin 4.0.3 forums
                vbulletin blog 2.0.x
                (as of this post)
                If an exploit was discovered for 3.8, 3.x or 4.x it would be released for the most current version.
