  #1  
Old 23 Apr 2008, 16:30
vB.Org System vB.Org System is offline
 
Join Date: Aug 2007
vBulletin 3.7.0 Release Candidate 4

vBulletin 3.7.0
Release Candidate 4
Yeah, we know...

THIS IS PRE-RELEASE SOFTWARE.
IT IS UNSUPPORTED.

If you are not fully at home with backing-up and restoring your forum, dealing with bugs and regular upgrades, DO NOT INSTALL THIS VERSION

Last week, I announced that we intended to release the stable, final version of vBulletin 3.7.0 this week. I'm sorry to say that this will not be the case.

A security hole involving a CSRF (cross-site request forgery) vulnerability was reported to us over the weekend, requiring changes to significant numbers of templates and files in all of our products including vBulletin 3.x, Blog and Project Tools. The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.

Incidentally, this vulnerability is not unique to vBulletin - many web applications are affected and always have been, due to the very nature of the web.

It was decided that rather than push ahead and release 3.7.0, it would be better to roll out a further release candidate containing the fix for this problem, as the changes are widespread and it would not be prudent to label 3.7.0 as 'stable' before it has had at least one outing in pre-release form.

As we release vBulletin 3.7.0 Release Candidate 4, we are simultaneously releasing 3.6.10, which contains various bug fixes back-ported from 3.7.0, and of course the fix for the security problem. New versions of Blog and Project Tools will follow shortly in the coming days.

Unfortunately, due to the number of file and template changes required by the security fix, it is not practical to provide a patch or plugin to resolve the problem - only a full-scale upgrade will be sufficient.

We recommend that all customers upgrade as soon as possible.
Customers running 3.7.x should upgrade to 3.7.0 RC4.
Customers running 3.6.9 or earlier should upgrade to 3.6.10.

To all those who have been expecting to download vBulletin 3.7.0 'Gold' this week, we are sorry. We hope that the fact that we would rather delay a major, pre-announced release than put out software with known vulnerabilities illustrates our commitment to security.

If testing of this release candidate goes well, we will once again be looking at a stable release next week.

PHP and MySQL Recommendations

We recommend that vBulletin 3.7 is run on PHP 5.2.5 with APC (or a similar opcode cache) and MySQL 5.0.51 for best performance and stability.

What does Release Candidate mean?

Release Candidate, or RC for short, means that we believe vBulletin 3.7 will be ready to be declared a "stable" and "supported" release once it has undergone some final testing. The only known bugs that may remain are trivial.

RCs will be released until only trivial bugs are being fixed. Once this happens, the next stage is to move on to "gold" or, as it's officially known, 3.7.0.

This is still pre-release software. If you are not fully at home with backing-up and restoring your forum, dealing with bugs and regular upgrades, do not install this version but rather wait for the final, 3.7.0 version.


Customers should bear in mind that this is a release candidate, not a certified 'stable' release so the following caveats apply:
  • Pre-release software is unsupported and you install beta and RC versions at your own risk.
  • Some minor bugs remain unresolved at this time, so pre-release software should not be deployed on production sites.
  • You should always back up your database fully before attempting to install pre-release software.
  • If you choose to install this version, you should be aware that we plan to release new RC versions in rapid succession as bugs are fixed and holes are plugged. Do not install this RC version if you are not willing or able to keep up-to-date with new releases.
  • The ImpEx import system does not support the 3.7 code yet, and will not support it until the release of 3.7.0 (stable).


For support questions, please use the appropriate forums on vBulletin.com

Last edited by Marco van Herwaarden; 23 Apr 2008 at 16:52.
  #2  
Old 23 Apr 2008, 16:55
Jasem Jasem is offline
 
Join Date: Feb 2006
Location: www.menokia.com
Thank you very much
__________________
games
Forum Nokia
  #3  
Old 23 Apr 2008, 16:58
Jase2 Jase2 is offline
 
Join Date: Dec 2007
Hacks that post back to vBulletin scripts will no longer work. vB.org should be letting us know on how to add the information to the hacks.
  #4  
Old 23 Apr 2008, 17:01
rapidphim rapidphim is offline
 
Join Date: Feb 2007
man.... what can I say :-) Any template changes since RC3?
  #5  
Old 23 Apr 2008, 17:04
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Originally Posted by Jase2 View Post
Hacks that post back to vBulletin scripts will no longer work. vB.org should be letting us know on how to add the information to the hacks.
Then have a look in the coders forum.
__________________
Marco van Herwaarden
Ex vBulletin.org Coordinator
  #6  
Old 23 Apr 2008, 17:08
Opserty Opserty is offline
 
Join Date: Apr 2007
Mod and plugin authors - the changes in 3.6.10 and 3.7.0 RC4 will break any forms in your code that post back to vBulletin scripts.

However, it is simple to adapt your code to include the new security token and restore full functionality.

Information about how to do this has been passed to the vBulletin.org staff, and they will be releasing that information shortly.
Oh god
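
The kind of per-form security token the announcement refers to, as an added example that is not part of the original thread and is not vBulletin's own code. The function names, the `security_token` field name and the lifetime value are hypothetical.

```php
<?php
// Added illustration, not vBulletin code. csrf_token(), csrf_check(),
// CSRF_TTL and the 'security_token' field name are hypothetical.
const CSRF_TTL = 3600; // assumed token lifetime in seconds

// Token = "<timestamp>-<HMAC-SHA256(timestamp)>", keyed with a secret that
// lives only in the user's server-side session.
function csrf_token(string $sessionSecret, ?int $now = null): string
{
    $ts = (string) ($now ?? time());
    return $ts . '-' . hash_hmac('sha256', $ts, $sessionSecret);
}

// True only for an unexpired token minted with this session's secret.
function csrf_check(string $token, string $sessionSecret, ?int $now = null): bool
{
    $now = $now ?? time();
    $parts = explode('-', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // missing or malformed token
    }
    [$ts, $mac] = $parts;
    if ((int) $ts > $now || $now - (int) $ts > CSRF_TTL) {
        return false; // timestamp in the future or token expired
    }
    // hash_equals() compares in constant time
    return hash_equals(hash_hmac('sha256', $ts, $sessionSecret), $mac);
}

// Constructed demo values.
$secret = bin2hex(random_bytes(32));
$token  = csrf_token($secret);

// A form that posts back must carry the token as a hidden field.
echo '<form method="post" action="mymod.php">',
     '<input type="hidden" name="security_token" value="',
     htmlspecialchars($token, ENT_QUOTES), '" />',
     '<input type="submit" value="Save" /></form>', "\n";

// An updated form sends the token; an old form (or one submitted from a
// third-party page, which cannot read the token) does not.
$updated = ['security_token' => $token, 'title' => 'hello'];
$old     = ['title' => 'hello'];
var_dump(csrf_check($updated['security_token'] ?? '', $secret));
var_dump(csrf_check($old['security_token'] ?? '', $secret));
```

A form that was never updated to include the field fails the check in the same way a forged cross-site submission does, which is why existing forms that post back stop working until the token is added.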
  #7  
Old 23 Apr 2008, 17:11
Lynne Lynne is offline
 
Join Date: Sep 2004
Real name: Lynne
Originally Posted by Opserty View Post
Oh god
That was exactly what my thought was. I guess getting my site ready for 3.7 is gonna take a little more effort than I originally thought. Oh well. It is worth it if it is more secure.
__________________
Former vBulletin.org Staff Member

Try a search before posting for help. Many users won't, and don't, help if the question has been answered several times before.
W3Schools -
Online vBulletin Manual
If I post some CSS and don't say where it goes, put it in the additional.css template.
I will NOT help via PM (you will be directed to post in the forums for help.)
  #8  
Old 23 Apr 2008, 17:11
rapidphim rapidphim is offline
 
Join Date: Feb 2007
God.. I shouldn't have hacked any 3.7.0 (all versions) Mods until the stable release. Or it will not matter for all hacks for/already on 3.7.x?
  #9  
Old 23 Apr 2008, 17:13
Lynne Lynne is offline
 
Join Date: Sep 2004
Real name: Lynne
Originally Posted by rapidphim View Post
God.. I shouldn't have hacked any 3.7.0 (all versions) Mods until the stable release. Or it will not matter for all hacks for/already on 3.7.x?
From what I understand, this only affects the mods that use $_POST. My guess is that this isn't a large amount of mods.
__________________
Former vBulletin.org Staff Member

Try a search before posting for help. Many users won't, and don't, help if the question has been answered several times before.
W3Schools -
Online vBulletin Manual
If I post some CSS and don't say where it goes, put it in the additional.css template.
I will NOT help via PM (you will be directed to post in the forums for help.)
  #10  
Old 23 Apr 2008, 17:13
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
There are probably only a very few modifications affected by this. Most will keep working without a change.
__________________
Marco van Herwaarden
Ex vBulletin.org Coordinator
  #11  
Old 23 Apr 2008, 17:21
KURTZ KURTZ is offline
 
Join Date: Nov 2006
Real name: Christian
too many templates are changed onto my board ...
  #12  
Old 23 Apr 2008, 17:26
steve1966 steve1966 is offline
 
Join Date: Dec 2007
I was looking forward to the gold release but I would rather wait until all the security issues and bugs have been fixed before I upgrade from 3.69
  #13  
Old 23 Apr 2008, 17:29
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Originally Posted by steve1966 View Post
I was looking forward to the gold release but I would rather wait until all the security issues and bugs have been fixed before I upgrade from 3.69
A security update for the 3.6 version has also been released. I strongly suggest that you install 3.6.10 if you are currently using the 3.6 version.
__________________
Marco van Herwaarden
Ex vBulletin.org Coordinator
  #14  
Old 23 Apr 2008, 17:34
Cyberkef Cyberkef is offline
 
Join Date: Jan 2003
Bunny!

Originally Posted by Marco van Herwaarden View Post
Then have a look in the coders forum.
Call me blind, but I seem unable to find it ^.^
  #15  
Old 23 Apr 2008, 17:36
Jase2 Jase2 is offline
 
Join Date: Dec 2007
Originally Posted by Cyberkef View Post
Call me blind, but I seem unable to find it ^.^
I think you need to have the user title designer/coder or just coder. I've just seen the fix, but many hacks shouldn't need it.