The Official vBulletin Modifications Site.

vBulletin 3.7.3 PL1 / vBulletin 3.6.11 PL1

A report was published recently pointing to potential flaws within the random number generator in PHP applications who use a weak seed and then go on to disclose any of the random numbers generated. This flaw could allow random numbers within vBulletin to be predicted and under the correct circumstances allow an attacker to obtain access to a user's account. To resolve this issue, it is necessary to release patch level versions of vBulletin 3.7.3 and 3.6.11.

This original flaw was discovered by Stefan Esser and its application within vBulletin by another individual.

The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.


Upgrading from 3.7.3 or 3.6.11

If you are already running 3.7.3 or 3.6.11, the process you will be required to follow to make your board immune to this flaw is very simple.

There is no need to run an upgrade script if you are already running 3.7.3 or 3.6.11.

Visit the Patches section of the vBulletin Members' Area and download either the patch for 3.7.3, or the patch for 3.6.11, according to the version you are currently running, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL1 release.


Upgrading from Versions Earlier than 3.7.3 or 3.6.11

If you are not already running 3.7.3 or 3.6.11, you should download the most latest version from the Members' Area and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here.


Download vBulletin 3.7.3 PL1 or 3.6.11 PL1

As usual, both versions released today are available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area

Please do not use this thread for support questions.

More...

vBulletin 3.7.3

As promised last week, today sees the scheduled release of a maintenance version for vBulletin 3.7.x.

vBulletin 3.7.3 contains a number of bug fixes, details of which can be found in the bug tracker. Additionally, a change has been made to prevent users from setting their password to their username. See below for more information.

The security fixes included in vBulletin the 3.7.2 PL releases are also included in vBulletin 3.7.3.


Username=Password Disallowed

In this release, users will no longer be allowed to set their username and passwords to the same value. Users who already have a password that is the same as their username will be forced to change their password on their next login. Additionally, a tool has be added to the Admin Control Panel to email affected users with a new password. Please be aware of these potential compatibility changes when upgrading.


Upgrading from Previous Versions

3.7.3 is a maintenance release. We recommend that all customers running prior versions of vBulletin 3.7 upgrade to benefit from bug fixes and stability improvements.

Full instructions for upgrading vBulletin are available here.


PHP and MySQL Requirements

Please note that vBulletin 3.7.x requires at least PHP 4.3.3 and MySQL 4.0.16 or later.

However, we recommend that vBulletin 3.7.x is run on PHP 5.2.6 with APC (or a similar opcode cache) and MySQL 5.0.51 for best performance and stability.


End of Life for PHP 4

PHP 4 has now reached its end of life. We strongly recommend that customers update their servers to PHP 5.2.6 if they are still running PHP 4. vBulletin 3.7.x supports PHP 5 without any problems, though you may need to disable strict mode for MySQL, see here on how to enable 'force_sql_mode'.

Note: We will continue to support PHP 4 in the vBulletin 3 series.


Download vBulletin 3.7.3

As usual, vBulletin 3.7.3 is available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area

Please do not use this thread for support questions.

More...

vBulletin 3.6.11

As promised last week, today sees the release of a maintenance version for vBulletin 3.6.x.

vBulletin 3.6.11 contains a selection of bug fixes, details of which can be found in the bug tracker. Additionally, a change has been made to prevent users from setting their password to their username. See below for more information.

The security fixes included in the vBulletin 3.6.10 PL releases are also included in vBulletin 3.6.11.


Username=Password Disallowed

In this release, users will no longer be allowed to set their username and passwords to the same value. Users who already have a password that is the same as their username will be forced to change their password on their next login. Additionally, a tool has be added to the Admin Control Panel to email affected users with a new password. Please be aware of these potential compatibility changes when upgrading.


Upgrading from Previous Versions

3.6.11 is a maintenance release. We recommend that all customers running prior versions of vBulletin 3.6 upgrade to benefit from bug fixes and stability improvements.

Full instructions for upgrading vBulletin are available here.


PHP and MySQL Requirements

Please note that vBulletin 3.6.x requires at least PHP 4.3.3 and MySQL 4.0.16 or later.

However, we recommend that vBulletin 3.6.x is run on PHP 5.2.6 with APC (or a similar opcode cache) and MySQL 5.0.51 for best performance and stability.


End of Life for PHP 4

PHP 4 has now reached its end of life. We strongly recommend that customers update their servers to PHP 5.2.6 if they are still running PHP 4. vBulletin 3.6.x supports PHP 5 without any problems, though you may need to disable strict mode for MySQL, see here on how to enable 'force_sql_mode'.

Note: We will continue to support PHP 4 in the vBulletin 3 series.


Download vBulletin 3.6.11

As usual, vBulletin 3.6.11 is available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area

Please do not use this thread for support questions.

More...

vBulletin 3.7.2 PL2 / vBulletin 3.6.10 PL4

An XSS flaw related to JavaScript escaping has been identified. This could allow an attacker to carry out an action as a user or obtain access to a user's account. To resolve this issue, it is necessary to release patch level versions of vBulletin 3.7.2 and 3.6.10.

This flaw was discovered by Federico Muttis.

The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.


vBulletin 3.7.3 and 3.6.11 to be Released Next Week

In line with our new scheduled maintenance release policy, a new release for 3.6 and 3.7 will be made on Tuesday, August 26th.

These releases will contain bug fixes, but will also address a situation related to users that use their username as their password. In 3.6.11 and 3.7.3, this will be completely disallowed. Users affected by this will be forced to change their password on their first login. Additionally, a tool will be provided to email affected users with a new password. Please be aware of these potential compatibility changes when upgrading.

This release will be mentioned in the security bulletin sent out to customers today, but we will not send a further notification next week when 3.7.3 and 3.6.11 are released. Watch your Admin CP News, or the latest version check in the Admin CP to see when the new version is available. Alternatively, keep an eye on this forum for the 3.7.3 and 3.6.11 announcements.


Upgrading from 3.7.2, 3.6.10 or their patch level versions

If you are already running 3.7.2, 3.6.10 or their patch level versions, the process you will be required to follow to make your board immune to the XSS problem is very simple.

There is no need to run an upgrade script if you are already running 3.7.2, 3.6.10 or their patch level versions.

Visit the Patches section of the vBulletin Members' Area and download either the patch for 3.7.2, or the patch for 3.6.10, according to the version you are currently running, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL1 or PL3 release respectively.

The 3.7.2 PL2 patch file includes the PL1 fix.
The 3.6.10 PL4 patch file also includes the PL1, PL2, and PL3 fixes.


Upgrading from Versions Earlier than 3.7.2 or 3.6.10

If you are not already running 3.7.2 or 3.6.10, you should download the most latest version from the Members' Area and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here.


Download vBulletin 3.7.2 PL2 or 3.6.10 PL4

As usual, both versions released today are available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area


More...

In light of the recent delays with the BOTM contest, the staff has decided to amend the voting and nomination process of the Board of Month contest.

From now on, the BOTM will run every two months instead of every month. The most recent poll (June / July) will remain open until September 30th as well as the nomination thread.

On October 1st, the current poll and nomination thread will be closed, a new poll tallied, and a new nomination process instantiated for the next two months.

The current BOTM rules and guidelines still apply: (Except for clause #4 which has just been amended)

http://www.vbulletin.org/forum/info.php?do=botm

The current BOTM threads can be found at:

Voting Poll
Nomination Thread

Finally, the BOTM Contest will continue to be called BOTM despite these changes.

Thanks for your patience and good luck!