Announcement

Collapse
No announcement yet.

New security patch required?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • New security patch required?

    If I'm not using publishing suite (just forum) do I have to upgrade?

  • #2
    I'd like to know too. I've never used CMS or the Blog and have them disabled.

    Comment


    • #3
      Bump for an answer, I think there are a lot of forum admins in this situation.

      Comment


      • #4
        The recently released 4.2.2 Patch Level 3 is only really essential for those with the CMS. Although it won't do any harm if you did upload it.
        Note that for users already running 4.2.2 it is NOT an upgrade - it's just a patch file.
        If however you are running a lower version of vb4 than 4.2.2 then you MUST carry out a FULL upgrade to 4.2.2 PL3. This involves downloading the full package and running the upgrade script.
        MARK.B | vBULLETIN SUPPORT

        TalkNewsUK - My vBulletin 5.5.4 Demo
        AdminAmmo - My Cloud Demo

        Comment


        • #5
          Originally posted by miketrin View Post
          I'd like to know too. I've never used CMS or the Blog and have them disabled.
          There's a big difference between NOT HAVING the cms (as in, the old "Forum Only" vB4 license), and simply having it disabled.
          In your case, if you are running 4.2.2 you should apply the patch. If you are running an earlier version than 4.2.2, you should carry out a full upgrade.
          MARK.B | vBULLETIN SUPPORT

          TalkNewsUK - My vBulletin 5.5.4 Demo
          AdminAmmo - My Cloud Demo

          Comment


          • #6
            Originally posted by Mark.B View Post
            There's a big difference between NOT HAVING the cms (as in, the old "Forum Only" vB4 license), and simply having it disabled.
            In your case, if you are running 4.2.2 you should apply the patch. If you are running an earlier version than 4.2.2, you should carry out a full upgrade.
            And if someone remained on the 4.1 branch because certain plugins are broken by 4.2.x, now they have to choose between screwing their users over / hiring a developer to fix the plugins / wasting hours of dev time to find workarounds or risk being hacked?

            Comment


            • #7
              There is no difference between 4.2.1 and 4.2.2 except the latters ability to work on PHP 5.4 so there are no reasons not to upgrade from 4.2.1 to 4.2.2

              Comment


              • #8
                Originally posted by donald1234 View Post
                There is no difference between 4.2.1 and 4.2.2 except the latters ability to work on PHP 5.4 so there are no reasons not to upgrade from 4.2.1 to 4.2.2
                Please read more carefully, I said 4.1 branch (the latest being 4.1.12 PL4), not 4.2.1.

                Comment


                • #9
                  Originally posted by Silviu View Post

                  And if someone remained on the 4.1 branch because certain plugins are broken by 4.2.x, now they have to choose between screwing their users over / hiring a developer to fix the plugins / wasting hours of dev time to find workarounds or risk being hacked?
                  We don't support obsolete versions of the software, and neither do most software companies, they will tell you to upgrade. We support the latest version of each branch - 3.8.8, 4.2.2 and 5.1.4. We;'ve always made this clear when installing plugins.

                  The vast majority of plugins for 4.1 will work with 4.2. The few that don't tend to be related to the navbar, which changed in 4.2. Most such navbar plugins are now unnecessary anyway due to the new navbar manager. Others fail because they aren't compatible with later versions of php, but if you have that issue you cannot stay on 4.1 anyhow.
                  MARK.B | vBULLETIN SUPPORT

                  TalkNewsUK - My vBulletin 5.5.4 Demo
                  AdminAmmo - My Cloud Demo

                  Comment


                  • #10
                    Sorry, I have had my coffee now.

                    Comment


                    • #11
                      Originally posted by Silviu View Post
                      And if someone remained on the 4.1 branch because certain plugins are broken by 4.2.x, now they have to choose between screwing their users over / hiring a developer to fix the plugins / wasting hours of dev time to find workarounds or risk being hacked?
                      There is always a risk running outdated software. Especially software that isn't receiving active development and only security fixes.
                      Translations provided by Google.

                      Wayne Luke
                      The Rabid Badger - a vBulletin Cloud customization and demonstration site.
                      vBulletin 5 Documentation - Updated every Friday. Report issues here.
                      vBulletin 5 API - Full / Mobile
                      I am not currently available for vB Messenger Chats.

                      Comment


                      • #12
                        Originally posted by Jennifer2010 View Post
                        If I'm not using publishing suite (just forum) do I have to upgrade?
                        Originally posted by miketrin View Post
                        I'd like to know too. I've never used CMS or the Blog and have them disabled.
                        If you have the CMS installed, then yes you should apply the PL3 fix, regarless of whether you have it enabled or not.


                        Originally posted by Silviu View Post
                        And if someone remained on the 4.1 branch because certain plugins are broken by 4.2.x, now they have to choose between screwing their users over / hiring a developer to fix the plugins / wasting hours of dev time to find workarounds or risk being hacked?
                        Well thats your choice, if you choose to stay on 4.1 you have to face the consequences.

                        In this case, the two updated cms files have remained largely unchanged across 4.x versions.
                        I believe that you could upload the fixed 4.2 versions without them causing any obvious issues.
                        However, you do that at your own risk as I havent checked this, especially as "4.1" actually has 13 sub versions (4.1.0 - 4.1.12).
                        Baby, I was born this way

                        Comment


                        • #13
                          Originally posted by Mark.B View Post
                          If however you are running a lower version of vb4 than 4.2.2 then you MUST carry out a FULL upgrade to 4.2.2 PL3. This involves downloading the full package and running the upgrade script.
                          I have been searching everywhere looking for a 4.2.2 upgrade (I am running 4.1.8) in order to apply the new security patch- where can I find it? In my account, when I click on "Upgrade/Renew" I am only given the option of paying to upgrade to v5 products.

                          A link to the 4.2.2 upgrade package would be great.

                          Comment


                          • #14
                            Originally posted by airgunner View Post

                            I have been searching everywhere looking for a 4.2.2 upgrade (I am running 4.1.8) in order to apply the new security patch- where can I find it? In my account, when I click on "Upgrade/Renew" I am only given the option of paying to upgrade to v5 products.

                            A link to the 4.2.2 upgrade package would be great.
                            You don't need to buy the upgrade, you have a vB4 license so it's already included on your account.

                            Just go to the members area (https://members.vbulletin.com) and click the download link on the right.
                            MARK.B | vBULLETIN SUPPORT

                            TalkNewsUK - My vBulletin 5.5.4 Demo
                            AdminAmmo - My Cloud Demo

                            Comment


                            • #15
                              Originally posted by Mark.B View Post

                              We don't support obsolete versions of the software, and neither do most software companies, they will tell you to upgrade. We support the latest version of each branch - 3.8.8, 4.2.2 and 5.1.4. We;'ve always made this clear when installing plugins.
                              We are currently on 4.1.10pl3 - each time a new security announcement was made in the past, previously vbulletin always released a patch level update for our minor version 4.1.10. There were 3 of these patch level updates, hence we're on 4.1.10pl3 now. However for this latest security announcement there has been no PL update for 4.1.10 (or any other version of 4 apart from 4.2.2).

                              When did the policy of providing security patch level updates for previous version of v4 stop? Is there a link to the announcement?

                              If there are no plans to provide patch level updates for earlier versions - and it appears this is the case based on the comments by the lead devs in this thread and other similar threads from today - would someone please be kind enough to indicate how we would manually patch our older 4.1.10pl3 version? Do we do this by diffing the stock 4.2.2 against the patched version and then manually locate the affected code in our 4.1.10pl3 codebase and affect a patch? (edit: I can't see that this will work since the 4.2.2pl4 patch presumably has all of the patches from pl1 to pl4 rolled into one?)

                              Thanks.

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X