
  #1  
18 Jun 2008, 13:30
vB.Org System
 
Join Date: Aug 2007
vBulletin 3.7.1 PL2 and 3.6.10 PL2 Released

vBulletin 3.7.1 PL2 / vBulletin 3.6.10 PL2

An XSS flaw affecting the vBulletin URL redirection system has been identified. It could allow an attacker to trick a moderator or admin into unwittingly performing an action in either the front-end or control panel that they had not intended. To resolve this issue, it is necessary to release PL2 versions of vBulletin 3.7.1 and 3.6.10.

This XSS flaw, and that which made the release of the PL1 versions necessary, was discovered by Jessica Hope and others.

The upgrade process is the same as the PL1 releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.


vBulletin 3.7.2 to be Released Next Week

In line with our new scheduled maintenance release policy, we have evaluated the merits of providing a new maintenance release one month after the previous release or waiting until next month. It has been decided that we will bring forward the release of vBulletin 3.7.2 from Tuesday July 29th to this coming Tuesday, June 24th.

This release will be mentioned in the security bulletin sent out to customers today, but we will not send a further notification next week when 3.7.2 is released. Watch your Admin CP News, or the latest version check in the Admin CP to see when the new version is available. Alternatively, keep an eye on this forum for the 3.7.2 announcement.

To reiterate, vBulletin 3.7.2 will be released on Tuesday, June 24th 2008.


Upgrading from 3.7.1, 3.6.10 or their PL1 versions

If you are already running 3.7.1, 3.6.10 or their PL1 patch versions, the process you will be required to follow to make your board immune to the XSS problem is very simple.

There is no need to run an upgrade script if you are already running 3.7.1, 3.6.10 or their PL1 versions.

Visit the Patches section of the vBulletin Members' Area and download either the patch for 3.7.1, or the patch for 3.6.10, according to the version you are currently running, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL2 release.

The 3.7.1 PL2 patch file also includes the PL1 fixes. The same is true of the 3.6.10 PL2 patch file.


Upgrading from Versions Earlier than 3.7.1 or 3.6.10

If you are not already running 3.7.1 or 3.6.10, you should download the latest version from the Members' Area and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here.


Download vBulletin 3.7.1 PL2 or 3.6.10 PL2

As usual, both versions released today are available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area


  #2  
18 Jun 2008, 13:36
KURTZ
 
Join Date: Nov 2006
Real name: Christian
just patched thanks
  #3  
18 Jun 2008, 14:13
vip-q.com
 
Join Date: Oct 2006
thanks
  #4  
18 Jun 2008, 14:26
projectego
 
Join Date: Feb 2006
Location: UK
Real name: Steve
Cool!

*goes to upgrade*
  #5  
18 Jun 2008, 15:03
rapidphim
 
Join Date: Feb 2007
Sorry for being such a noob, but how do you just apply the patch without rerunning the whole upgrade procedure all over again? I just had mine upgraded to PL1. Thanks.
  #6  
18 Jun 2008, 15:07
RS_Jelle
 
Join Date: Jul 2005
Originally Posted by rapidphim:
Sorry for being such a noob, but how do you just apply the patch without rerunning the whole upgrade procedure all over again? I just had mine upgraded to PL1. Thanks.
Just upload/overwrite the files on your FTP with the patched ones you can find on http://members.vbulletin.com/patches.php
__________________
Now released: DownloadsII 6.0.9 (for vB 4.x) and 5.1.2 (for vB 3.7.x and 3.8.x)
Minatica.be - Belgian/Dutch computer and technology site
  #7  
18 Jun 2008, 16:59
rapidphim
 
Join Date: Feb 2007
Thanks... I'll try that.
  #8  
18 Jun 2008, 18:32
RvG2
 
Join Date: Jan 2007
patched
  #9  
18 Jun 2008, 18:59
steve1966
 
Join Date: Dec 2007
Thanks patched
  #10  
18 Jun 2008, 20:49
SALIMUS
 
Join Date: May 2007
Patched.
Thanks for the simplest way.
wbr
  #11  
18 Jun 2008, 22:53
Pete C
 
Join Date: Aug 2005
Real name: Peter
This was certainly an easy patch to apply. I was wondering though, is there any news yet on whether 3.7.2 is going to require yet another round of reverting templates and the subsequent editing this requires?

I sincerely hope not as I've only just finished the process for 3.7.1!
  #12  
18 Jun 2008, 22:54
King Kovifor
 
Join Date: Nov 2004
Real name: Jeremy
The only time we know about Template Edits is on release days.
__________________
Former vBulletin.org Staff Member

Do not request support through any other means except the forums.

Useful Post With Links on Learning How To Develop vBulletin Plugins

Latest Modification: Stop Forum Spam Integration
  #13  
20 Jun 2008, 02:53
rapidphim
 
Join Date: Feb 2007
When I unrar the patch file, I see pretty much a ton of files in there... just like a folder for an upgrade or brand new installation... Where are the patch file(s)?
  #14  
20 Jun 2008, 03:05
RvG2
 
Join Date: Jan 2007
Originally Posted by rapidphim:
When I unrar the patch file, I see pretty much a ton of files in there... just like a folder for an upgrade or brand new installation... Where are the patch file(s)?
Just upload them all...
  #15  
20 Jun 2008, 03:26
King Kovifor
 
Join Date: Nov 2004
Real name: Jeremy
Originally Posted by rapidphim:
When I unrar the patch file, I see pretty much a ton of files in there... just like a folder for an upgrade or brand new installation... Where are the patch file(s)?
Did you download the patch from the patches page or from the main download page?