phpBB 3.2.1 Release - Please Update

Discussion in 'phpBB' started by Feeder, Jul 16, 2017.

  1. Feeder

    Feeder Fan

    Greetings everyone,

    We are pleased to announce the release of phpBB 3.2.1 "War for the Planet of the Berties". This version is a maintenance & security release of the 3.2.x branch which fixes three security issues, as well as adding more hardening and fixes for various bugs reported in previous versions.

    A server-side request forgery (SSRF) exploit was discovered in the remote avatar functionality which could be used to perform service discovery on internal and external networks as well as retrieve images which are usually restricted to local access (thanks to SEC Consult for the report). Additionally, a cross-site scripting vulnerability via version check files was discovered internally (thanks Derk Ruitenbeek). This could have been used to trick users into clicking on javascript: links. The third fixed issue concerned potential high load scenarios that could be caused by specially crafted search queries while using MySQL fulltext search.

    The bugfixes address issues with migration dependencies preventing updates from phpBB 3.0.6 or older, multiple issues with the new text formatter, make the FTP update method functional again, as well as issues with updating from earlier versions using PostgreSQL. Notable changes include new, higher resolution images for the imageset icons, pagination for IP tables and post info, and added search indexing for topics after splitting a topic. The version check now also supports branches which will result in more helpful information about new versions on other branches.

    The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.1 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=14100

    The packages can be downloaded from our downloads page.

    The development team thanks everyone who contributed code to this release: javiexin, rxu, Rubén Calvo, nomind60s, David Colón, Jakub Senko, hanakin, Matt Friedman, JoshyPHP, Louis7777, kasimi, Vinny, Erwan Nader, Richard McGirr, hubaishan, Daniel Mota, Jim Mossing Holsteyn, Rishabh04-02, Saeed Hubaishan, david63, lavigor, Agris, Christian Schnegelberger, Daniel Sinn, Mukesh Kumar Kharita, TarantinoMariachi, lr94, tas2580, upstrocker

    If you have any questions or comments, we'll be happy to address them in the discussion topic.

    - The phpBB Team
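The announcement above names two bug classes, SSRF through server-side fetching of remote avatar URLs and `javascript:` links taken from version check files. As an added illustration (not phpBB's code and not its actual fix), this sketch shows the pre-fetch checks a defender would expect on a remote avatar URL, and the same scheme allowlist applies to links read from remote files. The function names, the port policy, the resolver table and the sample URLs are all assumptions constructed for the example.

```php
<?php
// Added example, not phpBB code; all names and sample data are constructed.

// True when the IP literal is outside the private and reserved ranges PHP's
// filter knows (RFC 1918, loopback, link-local, IPv6 unique-local, ...).
function is_public_ip(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Returns null when the URL may be fetched, otherwise the rejection reason.
// $resolve maps a hostname to its IP strings; it is injected so the example
// runs offline (in production it would wrap a real DNS lookup).
function check_remote_url(string $url, callable $resolve): ?string
{
    $parts = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return 'scheme not allowed';            // blocks javascript:, file:, ...
    }
    if (empty($parts['host'])) {
        return 'no host';
    }
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return 'port not allowed';              // assumed policy: limits port probing
    }
    $host = trim($parts['host'], '[]');         // strip IPv6 literal brackets
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if (!$ips) {
        return 'host does not resolve';
    }
    foreach ($ips as $ip) {                     // every address must be public
        if (!is_public_ip($ip)) {
            return "resolves to non-public address $ip";
        }
    }
    return null;
}

// Constructed resolver table standing in for DNS.
$dns = ['avatars.example.org' => ['93.184.216.34'], 'intranet.example.org' => ['10.0.0.5']];
$resolve = fn(string $h): array => $dns[$h] ?? [];
$samples = ['https://avatars.example.org/u/1.png', 'http://intranet.example.org/logo.png',
    'http://127.0.0.1:8080/status.png', 'http://[::1]/a.png', 'javascript:alert(1)'];
foreach ($samples as $url) {
    printf("%-40s %s\n", $url, check_remote_url($url, $resolve) ?? 'ok');
}
```

A check like this only holds if the fetch then connects to the address that was validated and applies the same check to every redirect target; otherwise a second DNS answer or a redirect can still point the request at an internal host.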

     
  2. mysiteguy

    mysiteguy Habitué

    I suggest to anyone doing this to do it on a test environment first. It has problems.
     
  3. MarkFL

    MarkFL La Villa Strangiato

    That's good advice anytime one looks into any forum software update. :D
     
  4. CarpCharacin

    CarpCharacin Habitué

    I updated one of the sites that I'm staff on without issues.
     
  5. Sal Collaziano

    Sal Collaziano Womanizer

    I tried updating my phpBB to the latest version. I'm now on vBulletin 5.3.1.
     
  6. mysiteguy

    mysiteguy Habitué

    Here is one of the issues some forums are having:
    https://www.phpbb.com/community/viewtopic.php?f=556&t=2430961

    Looking through their previous bug reports, this issue was reported last year and it still happens.
     
  7. Sal Collaziano

    Sal Collaziano Womanizer

    That was exactly the problem I had. I installed phpBB 3.2, my first phpBB installation in probably ten years, a couple of days ago. A day or two later, there was an update. So I updated! After that, the forum was broken. I saw the future, and as bad as the alternative looked, I installed it. Just for ****s and giggles, anyway. I just wanted to check out a piece of forum software's latest version to see how things have come along.
     
    Last edited: Jul 17, 2017 at 12:48 PM
  8. mysiteguy

    mysiteguy Habitué

    A few minutes ago they instructed me not to use the automated update, download the entire package and use the old update method. I did this, and after clearing out the cache directory everything is now working fine. Personally I can't see using VB 5, I'd migrate to MyBB first if I wanted to stick with open source or IPS/XF for a paid program (or one of my spare VB 4 licenses).

    This particular forum is a very small (few dozen posts) forum I set up for my wife and her local quilting/sewing group, so I'm sticking to open source. Not only can I not justify using a paid license for it, but they only need basic posting and a photo gallery (which is available for phpBB), so IPS or XF would be overkill.
     
  9. Sal Collaziano

    Sal Collaziano Womanizer

    Yes, I'd have done the same but I had a spare vB5 license lying around since 1971 and decided to install it yesterday. :p I did like how phpBB was responsive out of the box but wasn't crazy about it having no template system. Changing the header via ftp seemed weird. I guess I'd seen enough. I'm going to play around with vB5 for a while and see what happens...
     
  10. mysiteguy

    mysiteguy Habitué

    I do all my edits through a shell prompt so ftp isn't an issue for me. Since I have automatic 4-hour incremental backups on my servers, I still have a history of template edits if I need to revert to an earlier version. But yeah, no direct template editor is a very weak point for phpBB. :(
     
  11. MarkFL

    MarkFL La Villa Strangiato

    Are you some kind of time traveler? :D
     