  #1  
11-21-2008, 09:40 AM
vB.Org System
Senior Member
Join Date: Aug 2007
Posts: 386
vBulletin 3.7.4 PL1 Released

vBulletin 3.7.4 PL1

An XSS flaw within the user control panel has recently been discovered. This could allow an attacker to carry out an action as a user or obtain access to a user's account. To resolve this issue, it is necessary to release a patch level version of vBulletin 3.7.4.

vBulletin 3.6 is not affected. vBulletin 3.8 is affected, and the next beta/release candidate will include the fix.

The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.


Upgrading from 3.7.4

If you are already running 3.7.4, the process you will be required to follow to make your board immune to this flaw is very simple.

There is no need to run an upgrade script if you are already running 3.7.4.

Visit the Patches section of the vBulletin Members' Area and download the patch for 3.7.4, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL1 release.


Upgrading from Versions Earlier than 3.7.4

If you are not already running 3.7.4, you should download the latest version from the Members' Area and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here.


Download vBulletin 3.7.4 PL1

As usual, the version released today is available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area

Please do not use this thread for support questions.

  #2  
11-21-2008, 11:10 AM
veenuisthebest
Join Date: Mar 2008
Location: India
Posts: 1,416

Thank you!
  #3  
11-21-2008, 02:20 PM
Golzarion
Join Date: Jan 2008
Posts: 214

Thanks!
  #4  
11-21-2008, 02:59 PM
Shazz
Join Date: Jun 2006
Location: Utah
Posts: 4,758

A forced upgrade
  #5  
11-21-2008, 06:44 PM
gamerfu
Join Date: Apr 2008
Location: 台灣
Posts: 326

Why does 3.7.x series have so many problems?

[ADDED]: Thanks for the patches. *uploaded*
  #6  
11-21-2008, 06:50 PM
Si?uNoopy
Join Date: Oct 2008
Location: Alger
Posts: 51

Thank you
  #7  
11-21-2008, 09:43 PM
Pete C
Join Date: Aug 2005
Location: South coast, England
Posts: 161

Initially I accepted that recent error messages generated after my upgrade were due to my host installing hardened php and Suhosin. (see here: https://vborg.vbsupport.ru/showpost....6&postcount=28) After further discussions it appears that the problems with hardened php and Suhosin only seem apparent when upgrading to 3.7.4

In this regard there is clearly an issue with this version of vBulletin.

In addition, since upgrading to 3.7.4 I've noticed that guests no longer appear in the Currently Active Users display. Only logged in members appear. Clicking "Who's Online" reveals several guests present, but the Currently Active Users display says there are none.

Reading back I see that this is a known bug with 3.7.4! Despite this, 3.7.4 PL1 has now been released but this issue remains unaddressed. I've applied this update and I STILL cannot see guests on my board.

I had no such problems with previous versions and I am rapidly coming to the conclusion that 3.7.4 is a disaster. So much so in fact that I'm seriously considering giving up vBulletin. Releasing software with known bugs to paying customers is simply not acceptable - this is supposed to be a final release not a BETA! These constant "upgrades" are frankly nothing short of a nuisance - especially if they cause problems that didn't exist before. Most of the time they offer little if anything to improve the average forums - they just cause more work for webmasters. It seems to me that the constant release of "upgrades" is simply a way of ensuring that renewal fees keep rolling in!

Why can there not be an established and stable version where owners do not need to constantly edit templates and etc? Surely security patches could still be released if vulnerabilities are discovered.

Well I'm sure these are questions that have been asked before and I'm equally sure there will be some pat answers to them . . . but at the end of the day the 3.7.0 release candidate, together with subsequent security patches would have been less troublesome than the "upgraded" version I'm currently stuck with.

Yeh yeh, nobody HAS to upgrade, but if you're trying to design skins, graphics etc. there is little credibility for the work if it's presented on an out-of-date board version.

I've been running vBulletin on an active owned license for several years now, but it's unlikely I'll renew again. I've closed my board now and I'll probably remove vBulletin from my server soon. Back to open source software and html pages if this is the best vB can offer.
  #8  
11-22-2008, 02:10 PM
Valyx
Join Date: Nov 2008
Posts: 14

Quote:
Originally Posted by Belder View Post
Initially I accepted that recent error messages generated after my upgrade were due to my host installing hardened php and Suhosin. (see here: https://vborg.vbsupport.ru/showpost....6&postcount=28) After further discussions it appears that the problems with hardened php and Suhosin only seem apparent when upgrading to 3.7.4

In this regard there is clearly an issue with this version of vBulletin.

In addition, since upgrading to 3.7.4 I've noticed that guests no longer appear in the Currently Active Users display. Only logged in members appear. Clicking "Who's Online" reveals several guests present, but the Currently Active Users display says there are none.

Reading back I see that this is a known bug with 3.7.4! Despite this, 3.7.4 PL1 has now been released but this issue remains unaddressed. I've applied this update and I STILL cannot see guests on my board.

I had no such problems with previous versions and I am rapidly coming to the conclusion that 3.7.4 is a disaster. So much so in fact that I'm seriously considering giving up vBulletin. Releasing software with known bugs to paying customers is simply not acceptable - this is supposed to be a final release not a BETA! These constant "upgrades" are frankly nothing short of a nuisance - especially if they cause problems that didn't exist before. Most of the time they offer little if anything to improve the average forums - they just cause more work for webmasters. It seems to me that the constant release of "upgrades" is simply a way of ensuring that renewal fees keep rolling in!

Why can there not be an established and stable version where owners do not need to constantly edit templates and etc? Surely security patches could still be released if vulnerabilities are discovered.

Well I'm sure these are questions that have been asked before and I'm equally sure there will be some pat answers to them . . . but at the end of the day the 3.7.0 release candidate, together with subsequent security patches would have been less troublesome than the "upgraded" version I'm currently stuck with.

Yeh yeh, nobody HAS to upgrade, but if you're trying to design skins, graphics etc. there is little credibility for the work if it's presented on an out-of-date board version.

I've been running vBulletin on an active owned license for several years now, but it's unlikely I'll renew again. I've closed my board now and I'll probably remove vBulletin from my server soon. Back to open source software and html pages if this is the best vB can offer.
obviously it's not vBulletin's fault if you're the only one having those problems?
  #9  
11-22-2008, 02:22 PM
Pete C
Join Date: Aug 2005
Location: South coast, England
Posts: 161

Quote:
Originally Posted by Valyx View Post
obviously it's not vBulletin's fault if you're the only one having those problems?
No I'm not the only one.

https://vborg.vbsupport.ru/showpost....9&postcount=22

https://vborg.vbsupport.ru/showpost....1&postcount=37

As already stated, the issue with guests not appearing has already been reported in the bug tracker and is apparently still unresolved.
  #10  
11-22-2008, 02:32 PM
Wayne Luke
Senior Member
Join Date: Jan 2002
Location: Southern California
Posts: 1,694

Quote:
Originally Posted by Belder View Post
Reading back I see that this is a known bug with 3.7.4! Despite this, 3.7.4 PL1 has now been released but this issue remains unaddressed. I've applied this update and I STILL cannot see guests on my board.
PL or Patch Level releases deal solely with security issues that can affect the integrity of your board by allowing someone permissions that they shouldn't have. Patch Levels do not address other individual bugs if they are not a security risk. A non-critical bug such as what you describe, if confirmed, will be fixed as soon as it's possible, most likely in the next version, which would be vBulletin 3.7.5 in this case.

You will find a patch for this issue here: http://www.vbulletin.com/forum/proje...6759#note71097