vBulletin 3.7.0 Release Candidate 4

[vB.Org System]

vBulletin 3.7.0
Release Candidate 4
Yeah, we know...

THIS IS PRE-RELEASE SOFTWARE.
IT IS UNSUPPORTED.

If you are not fully at home with backing-up and restoring your forum, dealing with bugs and regular upgrades, DO NOT INSTALL THIS VERSION

Last week, I announced that we intended to release the stable, final version of vBulletin 3.7.0 this week. I'm sorry to say that this will not be the case.

A security hole involving a CSRF (cross-site request forgery) vulnerability was reported to us over the weekend, requiring changes to significant numbers of templates and files in all of our products including vBulletin 3.x, Blog and Project Tools. The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.

Incidentally, this vulnerability is not unique to vBulletin - many web applications are affected and always have been, due to the very nature of the web.

It was decided that rather than push ahead and release 3.7.0, it would be better to roll out a further release candidate containing the fix for this problem, as the changes are widespread and it would not be prudent to label 3.7.0 as 'stable' before it has had at least one outing in pre-release form.

As we release vBulletin 3.7.0 Release Candidate 4, we are simultaneously releasing 3.6.10, which contains various bug fixes back-ported from 3.7.0, and of course the fix for the security problem. New versions of Blog and Project Tools will follow shortly in the coming days.

Unfortunately, due to the number of file and template changes required by the security fix, it is not practical to provide a patch or plugin to resolve the problem - only a full-scale upgrade will be sufficient.

We recommend that all customers upgrade as soon as possible.
Customers running 3.7.x should upgrade to 3.7.0 RC4.
Customers running 3.6.9 or earlier should upgrade to 3.6.10.

To all those who have been expecting to download vBulletin 3.7.0 'Gold' this week, we are sorry. We hope that the fact that we would rather delay a major, pre-announced release than put out software with known vulnerabilities illustrates our commitment to security.

If testing of this release candidate goes well, we will once again be looking at a stable release next week.

PHP and MySQL Recommendations

We recommend that vBulletin 3.7 is run on PHP 5.2.5 with APC (or a similar opcode cache) and MySQL 5.0.51 for best performance and stability.

What does Release Candidate mean?

Release Candidate, or RC for short, means that we believe vBulletin 3.7 will be ready to be declared a "stable" and "supported" supported release once it has undergone some final testing. The only known bugs that may remain are trivial.

RCs will be released until only trivial bugs are being fixed. Once this happens, the next stage is to move on to "gold" or, as it's officially known, 3.7.0.

This is still pre-release software. If you are not fully at home with backing-up and restoring your forum, dealing with bugs and regular upgrades, do not install this version but rather wait for the final, 3.7.0 version.


Customers should bear in mind that this is a release candidate, not a certified 'stable' release so the following caveats apply:

• Pre-release software is unsupported and you install beta and RC versions at your own risk.
• Some minor bugs remain unresolved at this time, so pre-release software should not be deployed on production sites.
• You should always back up your database fully before attempting to install pre-release software.
• If you choose to install this version, you should be aware that we plan to release new RC versions in rapid succession as bugs are fixed and holes are plugged. Do not install this RC version if you are not willing or able to keep up-to-date with new releases.
• The ImpEx import system does not support the 3.7 code yet, and will not support it until the release of 3.7.0 (stable).

More...

For support questions, please use the appropriate forums on vBulletin.com

[Jasem]

Thank you very much :up:

[Jase2]

Hacks that post back to vBulletin scripts will no longer work. vB.org should be letting us know on how to add the information to the hacks.

[rapidphim]

man.... what can I say :-) Any template changes since RC3?

[Marco van Herwaarden]

Quote:

Originally Posted by Jase2

Hacks that post back to vBulletin scripts will no longer work. vB.org should be letting us know on how to add the information to the hacks.

Then have a look in the coders forum.

[Opserty]

Quote:

Mod and plugin authors - the changes in 3.6.10 and 3.7.0 RC4 will break any forms in your code that post back to vBulletin scripts.

However, it is simple to adapt your code to include the new security token and restore full functionality.

Information about how to do this has been passed to the vBulletin.org staff, and they will be releasing that information shortly.

Oh god :erm:

[Lynne]

Quote:

Originally Posted by Opserty

Oh god :erm:

That was exactly what my thought was. I guess getting my site read for 3.7 is gonna take a little more effort than I originally thought. Oh well. It is worth it if it is more secure.

[rapidphim]

God.. I shouldn't of hacked any 3.7.0 (all version) Mods until the stable release. Or it will not matter for all hacks for/already on 3.7.x?

[Lynne]

Quote:

Originally Posted by rapidphim

God.. I shouldn't of hacked any 3.7.0 (all version) Mods until the stable release. Or it will not matter for all hacks for/already on 3.7.x?

From what I understand, this only affects the mods that use $_POST. My guess is that this isn't a large amount of mods.

[Marco van Herwaarden]

There are probably only a very few modifications affected by this. Most will keep working without a change.