New security patch required?
  • Paul M
    replied
    Originally posted by munkfish:
    can you confirm that it was only files in the modcp directory that were modified to address this current security issue?
    Yes, yesterday's CSRF patch modified only the global.php file in modcp.


  • munkfish
    replied
    Originally posted by Wayne Luke:
    Upload the files from the 4.2.2 Patch into your modcp directory and you should be patched.
    OK, I was reluctant to do that since there may have been changes after 4.1.10pl3 but prior to (this) 4.2.2pl4; nonetheless I'll have a look at the diffs for those modcp files modified in the latest patch. Can you confirm that it was only files in the modcp directory that were modified to address this current security issue?

    Providing patches for all versions of vBulletin 4.X in the past is actually the aberrant behavior. Our official policy is to release patches for the latest version in branches that are not actively being developed. Since your license allows access to this version, you should consider upgrading as that will provide you with the most stable and secure copy of vBulletin available.
    Well yes I can appreciate that it's hard to maintain patch support for every minor version, my point was that in the past you appeared to have done that as a matter of course / general policy though, so I was just wondering when that changed.

    Our issue, like a lot of others, is that we have heavily modified installations and it's nigh on impossible to upgrade without there being considerable problems along the way (templates are the main issue and modifying them entails manually editing hundreds of files, using the diff facilities built into the template editor unfortunately doesn't work well for our install). This is why we were always happy to just use the patch level updates to update only the affected files whenever security releases were announced in the past - it saved us having to do a full upgrade and deal with the update of hundreds of templates files. The lack of a patch level update for this release was sadly missed.

    Many thanks for your help though, I will attempt to patch it manually or just copy the modcp files over if it turns out nothing else has changed in there other than for the security update.



  • Wayne Luke
    replied
    Upload the files from the 4.2.2 Patch into your modcp directory and you should be patched. Providing patches for all versions of vBulletin 4.X in the past is actually the aberrant behavior. Our official policy is to release patches for the latest version in branches that are not actively being developed. Since your license allows access to this version, you should consider upgrading as that will provide you with the most stable and secure copy of vBulletin available.



  • munkfish
    replied
    Originally posted by Mark.B:
    We don't support obsolete versions of the software, and neither do most software companies, they will tell you to upgrade. We support the latest version of each branch - 3.8.8, 4.2.2 and 5.1.4. We've always made this clear when installing plugins.
    We are currently on 4.1.10pl3 - each time a new security announcement was made in the past, vBulletin always released a patch level update for our minor version 4.1.10. There were 3 of these patch level updates, hence we're on 4.1.10pl3 now. However, for this latest security announcement there has been no PL update for 4.1.10 (or any other version of 4 apart from 4.2.2).

    When did the policy of providing security patch level updates for previous versions of v4 stop? Is there a link to the announcement?

    If there are no plans to provide patch level updates for earlier versions - and it appears this is the case based on the comments by the lead devs in this thread and other similar threads from today - would someone please be kind enough to indicate how we would manually patch our older 4.1.10pl3 version? Do we do this by diffing the stock 4.2.2 against the patched version and then manually locate the affected code in our 4.1.10pl3 codebase and effect a patch? (edit: I can't see that this will work since the 4.2.2pl4 patch presumably has all of the patches from pl1 to pl4 rolled into one?)

    Thanks.

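munkfish's question above (locate the affected code by diffing stock 4.2.2 against the patched version) and Paul M's answer higher up in the thread (the CSRF patch touched only modcp/global.php) come down to the same check. The script below is an added example for this thread, not vBulletin's code or anything posted by its participants: it hashes three trees (stock package, patched package, live install), lists the files the patch actually changes, and reports whether each one can be dropped into the install unchanged or carries local edits that need a manual merge. The directory layout, file names and file contents are constructed for the demonstration and are not real vBulletin sources.

```python
"""Find which files a vendor patch touches and whether the live install can
take them as a straight copy.  Added example for this thread; not vBulletin
code.  The sample trees at the bottom are constructed for demonstration."""
import hashlib
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_tree(root) -> dict[str, bytes]:
    """Map relative POSIX path -> file bytes for every regular file under root.
    Use this to build the three dicts from real directories, e.g.
    load_tree('stock-4.2.2'), load_tree('patched-4.2.2'), load_tree('/var/www/forum')."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def patch_touched_files(stock: dict, patched: dict) -> list[str]:
    """Files whose content differs between the stock and patched package,
    plus files that exist only in the patched package."""
    return sorted(path for path, data in patched.items()
                  if path not in stock or sha256(stock[path]) != sha256(data))


def classify_install(stock: dict, patched: dict, install: dict) -> dict[str, str]:
    """For each file the patch touches, say how the live install compares:
    'copy'  - install matches stock byte-for-byte, the patched file can be dropped in
    'merge' - install differs from stock (local edits or an older release), port the fix by hand
    'new'   - file is absent from install, the patched copy can simply be added
    Only the files the patch changes are reported, so unrelated local
    customisations elsewhere in the tree never show up here."""
    report = {}
    for path in patch_touched_files(stock, patched):
        if path not in install:
            report[path] = "new"
        elif path in stock and sha256(install[path]) == sha256(stock[path]):
            report[path] = "copy"
        else:
            report[path] = "merge"
    return report


# Constructed sample trees (hypothetical contents, not real vBulletin files).
STOCK = {
    "modcp/global.php": b"<?php // stock global.php\n",
    "modcp/index.php": b"<?php // stock index.php\n",
}
PATCHED = {
    "modcp/global.php": b"<?php // stock global.php\n// request token check added\n",
    "modcp/index.php": b"<?php // stock index.php\n",
}
# A heavily customised install: global.php carries local edits.
INSTALL = {
    "modcp/global.php": b"<?php // stock global.php\n// local customisation\n",
    "modcp/index.php": b"<?php // stock index.php\n",
}


def demo() -> dict[str, str]:
    """Run the comparison on the constructed trees."""
    return classify_install(STOCK, PATCHED, INSTALL)


if __name__ == "__main__":
    for path, action in demo().items():
        print(f"{action:6} {path}")
```

Run against real directories by replacing the three dicts with `load_tree(...)` calls. A 'merge' result is the case munkfish describes: the patch's change has to be ported into the locally modified file rather than copied over it; 'copy' means the file is untouched locally and Wayne Luke's "upload the patch files" advice applies directly.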


  • Mark.B
    replied
    Originally posted by airgunner:
    I have been searching everywhere looking for a 4.2.2 upgrade (I am running 4.1.8) in order to apply the new security patch - where can I find it? In my account, when I click on "Upgrade/Renew" I am only given the option of paying to upgrade to v5 products.

    A link to the 4.2.2 upgrade package would be great.
    You don't need to buy the upgrade, you have a vB4 license so it's already included on your account.

    Just go to the members area (https://members.vbulletin.com) and click the download link on the right.



  • airgunner
    replied
    Originally posted by Mark.B:
    If however you are running a lower version of vb4 than 4.2.2 then you MUST carry out a FULL upgrade to 4.2.2 PL3. This involves downloading the full package and running the upgrade script.
    I have been searching everywhere looking for a 4.2.2 upgrade (I am running 4.1.8) in order to apply the new security patch - where can I find it? In my account, when I click on "Upgrade/Renew" I am only given the option of paying to upgrade to v5 products.

    A link to the 4.2.2 upgrade package would be great.



  • Paul M
    replied
    Originally posted by Jennifer2010:
    If I'm not using publishing suite (just forum) do I have to upgrade?
    Originally posted by miketrin:
    I'd like to know too. I've never used CMS or the Blog and have them disabled.
    If you have the CMS installed, then yes, you should apply the PL3 fix, regardless of whether you have it enabled or not.


    Originally posted by Silviu:
    And if someone remained on the 4.1 branch because certain plugins are broken by 4.2.x, now they have to choose between screwing their users over / hiring a developer to fix the plugins / wasting hours of dev time to find workarounds or risk being hacked?
    Well, that's your choice; if you choose to stay on 4.1 you have to face the consequences.

    In this case, the two updated CMS files have remained largely unchanged across 4.x versions.
    I believe that you could upload the fixed 4.2 versions without them causing any obvious issues.
    However, you do that at your own risk as I haven't checked this, especially as "4.1" actually has 13 sub versions (4.1.0 - 4.1.12).



  • Wayne Luke
    replied
    Originally posted by Silviu:
    And if someone remained on the 4.1 branch because certain plugins are broken by 4.2.x, now they have to choose between screwing their users over / hiring a developer to fix the plugins / wasting hours of dev time to find workarounds or risk being hacked?
    There is always a risk running outdated software. Especially software that isn't receiving active development and only security fixes.



  • donald1234
    replied
    Sorry, I have had my coffee now.



  • Mark.B
    replied
    Originally posted by Silviu:
    And if someone remained on the 4.1 branch because certain plugins are broken by 4.2.x, now they have to choose between screwing their users over / hiring a developer to fix the plugins / wasting hours of dev time to find workarounds or risk being hacked?
    We don't support obsolete versions of the software, and neither do most software companies; they will tell you to upgrade. We support the latest version of each branch - 3.8.8, 4.2.2 and 5.1.4. We've always made this clear when installing plugins.

    The vast majority of plugins for 4.1 will work with 4.2. The few that don't tend to be related to the navbar, which changed in 4.2. Most such navbar plugins are now unnecessary anyway due to the new navbar manager. Others fail because they aren't compatible with later versions of php, but if you have that issue you cannot stay on 4.1 anyhow.



  • Silviu
    replied
    Originally posted by donald1234:
    There is no difference between 4.2.1 and 4.2.2 except the latter's ability to work on PHP 5.4, so there are no reasons not to upgrade from 4.2.1 to 4.2.2
    Please read more carefully, I said 4.1 branch (the latest being 4.1.12 PL4), not 4.2.1.



  • donald1234
    replied
    There is no difference between 4.2.1 and 4.2.2 except the latter's ability to work on PHP 5.4, so there are no reasons not to upgrade from 4.2.1 to 4.2.2



  • Silviu
    replied
    Originally posted by Mark.B:
    There's a big difference between NOT HAVING the cms (as in, the old "Forum Only" vB4 license), and simply having it disabled.
    In your case, if you are running 4.2.2 you should apply the patch. If you are running an earlier version than 4.2.2, you should carry out a full upgrade.
    And if someone remained on the 4.1 branch because certain plugins are broken by 4.2.x, now they have to choose between screwing their users over / hiring a developer to fix the plugins / wasting hours of dev time to find workarounds or risk being hacked?



  • Mark.B
    replied
    Originally posted by miketrin:
    I'd like to know too. I've never used CMS or the Blog and have them disabled.
    There's a big difference between NOT HAVING the cms (as in, the old "Forum Only" vB4 license), and simply having it disabled.
    In your case, if you are running 4.2.2 you should apply the patch. If you are running an earlier version than 4.2.2, you should carry out a full upgrade.



  • Mark.B
    replied
    The recently released 4.2.2 Patch Level 3 is only really essential for those with the CMS. Although it won't do any harm if you did upload it.
    Note that for users already running 4.2.2 it is NOT an upgrade - it's just a patch file.
    If however you are running a lower version of vb4 than 4.2.2 then you MUST carry out a FULL upgrade to 4.2.2 PL3. This involves downloading the full package and running the upgrade script.
