vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   News and Announcements (https://vborg.vbsupport.ru/forumdisplay.php?f=2)
-   -   vBulletin 3.7.2 PL1 and 3.6.10 PL3 Released (https://vborg.vbsupport.ru/showthread.php?t=184623)

vB.Org System 07-07-2008 02:50 PM
vBulletin 3.7.2 PL1 and 3.6.10 PL3 Released
 
vBulletin 3.7.2 PL1 / vBulletin 3.6.10 PL3

An XSS flaw affecting the vBulletin control panel logging system has been identified, another was found affecting boards running in debug mode. It could allow an attacker to trick an admin into unwittingly performing an action within the control panel that they had not intended. To resolve this issue, it is necessary to release patch level versions of vBulletin 3.7.2 and 3.6.10.

One of the XSS flaws was discovered by Jessica Hope and the other by ourselves.

The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.


Upgrading from 3.7.2, 3.6.10 or their patch level versions

If you are already running 3.7.2, 3.6.10 or their patch level versions, the process you will be required to follow to make your board immune to the XSS problem is very simple.

There is no need to run an upgrade script if you are already running 3.7.2, 3.6.10 or their patch level versions.

Visit the Patches section of the vBulletin Members' Area and download either the patch for 3.7.2, or the patch for 3.6.10, according to the version you are currently running, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL1 or PL3 release respectively.

The 3.6.10 PL3 patch file also includes the PL1 and PL2 fixes.


Upgrading from Versions Earlier than 3.7.2 or 3.6.10

If you are not already running 3.7.2 or 3.6.10, you should download the most latest version from the Members' Area and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here.


Download vBulletin 3.7.2 PL1 or 3.6.10 PL3

As usual, both versions released today are available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area


More...

cheat-master30 07-07-2008 02:54 PM
Thank goodness I just got my computer working again I suppose, updating now...

EWGF 07-07-2008 02:57 PM
Lol, need to upgrade again

Shazz 07-07-2008 03:31 PM
More updates, love it! I feel so much more safe :D

veenuisthebest 07-07-2008 04:05 PM
thanks for the update !!

nexialys 07-07-2008 04:05 PM
no need to upgrade... jut 3 files to upload back... no code or template change in the product.

Yarike 07-07-2008 04:51 PM
Quick and easy update :)

DieselMinded 07-07-2008 05:15 PM
Done !

steve1966 07-07-2008 06:32 PM
Thanks

Jase2 07-07-2008 07:27 PM
Jessica Hope is onto vBulletin :p

Shazz 07-07-2008 07:43 PM
Quote:
Originally Posted by nexialys (Post 1569229)
no need to upgrade... jut 3 files to upload back... no code or template change in the product.
Thats still hard nex. Requires some knowledge :)

Brandon Sheley 07-07-2008 08:50 PM
more updates. yeah!

Josh1 07-07-2008 11:44 PM
Quote:
Originally Posted by Shazz (Post 1569447)
Thats still hard nex. Requires some knowledge :)
Extract. Upload.

2 steps.

yingzhou 07-08-2008 05:06 AM
:| Thanks vbulletin.com!

KURTZ 07-08-2008 08:03 AM
done!

Q-v-n-s-Q 07-08-2008 09:06 AM
cool, ima download it

CurtisK 07-08-2008 12:57 PM
simple and easy to do

UPGRADED

thanks for all the updates! sure does keep me busy

projectego 07-09-2008 07:35 AM
*downloads new patch*

Thanks, Jelsoft! :)

KURTZ 07-09-2008 03:17 PM
Quote:
Originally Posted by Jase2 (Post 1569431)
Jessica Hope is onto vBulletin :p
that's an interesting issue ... :D

Jase2 07-09-2008 07:30 PM
She seems a really nice person. Afterall, the exploit fixed would of never been found if it wasn't for her. There's an interesting debate going on in the vBulletin 3.7.2 Release Discussion - Jessica Hope is actually participating in that. :) Some people seem to think it is wrong for her to give a demo link exploit... well I don't think it is. She reported it in private to Jelsoft first, but they just said it isn't an exploit and dismissed it. So, she reported it publicly. Check it out: http://securitytracker.com/alerts/2008/Jun/1020322.html

Shazz 07-09-2008 07:46 PM
v/Jessica to jelsoft

gamerfu 07-10-2008 06:51 AM
Quote:
Originally Posted by Jase2 (Post 1571326)
She seems a really nice person. Afterall, the exploit fixed would of never been found if it wasn't for her. There's an interesting debate going on in the vBulletin 3.7.2 Release Discussion - Jessica Hope is actually participating in that. :) Some people seem to think it is wrong for her to give a demo link exploit... well I don't think it is. She reported it in private to Jelsoft first, but they just said it isn't an exploit and dismissed it. So, she reported it publicly. Check it out: http://securitytracker.com/alerts/2008/Jun/1020322.html
Intresting how Jelsoft does not always take concerns seriously.

Marco van Herwaarden 07-10-2008 07:20 AM
Quote:
She reported it in private to Jelsoft first, but they just said it isn't an exploit and dismissed it.
I wonder where you got that impression.

KURTZ 07-10-2008 09:58 AM
Quote:
Originally Posted by gamerfu (Post 1571729)
Intresting how Jelsoft does not always take concerns seriously.
exactly ... :down:

Quote:
Originally Posted by Marco van Herwaarden (Post 1571742)
I wonder where you got that impression.
maybe Jason has some private channels ... :p

Marco van Herwaarden 07-10-2008 11:29 AM
Where was it posted that Jelsoft does not take security concerns serious? If we would not take it serious, then why are we releasing a patch immediate after the discovery of a new possible exploit?

PS I doubt Jason has private channels that give him any more information then i have, on the contrary.

Jase2 07-10-2008 02:43 PM
Quote:
She told vBulletin about it first. Jelsoft downplayed it, putting their users at risk. So what about blaming them instead of Jessica? They are the ones who didn't take responsibility. But in the end, you have nobody to blame but yourself. It is attitudes like these that are the reason that Storm and others continue to thrive.
I'm reading the discussion thread over @ vbulletin.com and Jessica is posting in that thread.

Marco, are you employed by Jelsoft?

King Kovifor 07-10-2008 03:24 PM
Quote:
Originally Posted by Jase2 (Post 1571971)
I'm reading the discussion thread over @ vbulletin.com and Jessica is posting in that thread.

Marco, are you employed by Jelsoft?
Yes. Marco is the only Paid Staff member at vBulletin.org as he is employed by Jelsoft. He is here to coordinate between vB.com and vB.org.

Shazz 07-10-2008 03:39 PM
Quote:
Originally Posted by Jase2 (Post 1571971)
I'm reading the discussion thread over @ vbulletin.com and Jessica is posting in that thread.

Marco, are you employed by Jelsoft?
http://www.vbulletin.com/forum/member.php?u=60067

Marco van Herwaarden 07-11-2008 06:26 AM
Quote:
Originally Posted by Jase2 (Post 1571971)
I'm reading the discussion thread over @ vbulletin.com and Jessica is posting in that thread.
If you would read it good you will find that the discussion is only about the wording in the release announcement.

We did take our responsibility, we did not deny or let go the report, a patch was constructed and released immediate. The discussion is only if we should have classified the real life risk of this vulnerability as Low/Medium/High in the announcement. I can hardly see this as not taking responsibility.
Quote:
Originally Posted by Jase2 (Post 1571971)
Marco, are you employed by Jelsoft?
Yes i am employed by Jelsoft.

nexialys 07-11-2008 02:30 PM
Quote:
Originally Posted by Marco van Herwaarden (Post 1572588)
Yes i am employed by Jelsoft.
no, no, i thought you were sooo devoted to your task that you refused to be paid....

gosh, we're all managed by a monstruous conglomerate.... AAARRGGHHHHH http://nexialys.net/vb/images/smilie..._tzuki/r28.gif

in some countries, employed mean slaved... i suppose that's what some guys here are reading now... http://nexialys.net/vb/images/smilie...t_tzuki/r3.gif

Jase2 07-11-2008 02:57 PM
Quote:
Originally Posted by Marco van Herwaarden (Post 1572588)
If you would read it good you will find that the discussion is only about the wording in the release announcement.

We did take our responsibility, we did not deny or let go the report, a patch was constructed and released immediate. The discussion is only if we should have classified the real life risk of this vulnerability as Low/Medium/High in the announcement. I can hardly see this as not taking responsibility.

Yes i am employed by Jelsoft.
I read it just fine. Thanks! ;)

yingzhou 07-27-2008 11:24 AM
where is the suggestion for Vbulletin software? I want to ask, why I received no notification about new reply on my picture in album, new reply on my social group message? I think Jelsoft miss this in 3.7.x product! Please add the notification!

Marco van Herwaarden 07-27-2008 11:34 AM
For feature suggestions please use the appropriate forum on vBulletin.com.

cheat-master30 07-27-2008 02:26 PM
Quote:
Originally Posted by yingzhou (Post 1585208)
where is the suggestion for Vbulletin software? I want to ask, why I received no notification about new reply on my picture in album, new reply on my social group message? I think Jelsoft miss this in 3.7.x product! Please add the notification!
Then go here for suggestions and suggest it:

http://www.vbulletin.com/forum/forumdisplay.php?f=55

lim(x?-5x?) = ∞ 07-28-2008 11:58 PM
so today we will know when new version will be released


All times are GMT. The time now is 07:40 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01706 seconds
  • Memory Usage 1,810KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (15)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (35)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete