1 Topic by Anatoly (edited by Anatoly 2008-07-14 13:25)

  • From: Russia
  • Registered: 2007-12-13
  • Posts: 642

Topic: PunBB 1.2.18

EDIT: Please, do update directly to PunBB 1.2.19 due to the parser bug introduced in 1.2.18.
Patches and changes files for 1.2.17 to 1.2.19 migration are available at Downloads page.

Just updated PunBB to 1.2.18.
Several security vulnerabilities fixed.

Changes:

  • Fixed an SMTP command injection vulnerability, discovered by Stefan Esser.

  • Fixed an XSS issue in include/parser.php, discovered by Dan Crowley.

  • Fixed issue with database returning the same user on multiple pages of the userlist, noticed by hcgtv.

  • Fixed several potential XSS vectors in moderate.php.

  • Fixed the avatars of deleted users not being removed.

  • Copyrights and punbb.informer.com links updated.

  • Docs removed.

It is strongly recommended to update your PunBB 1.2 installations as soon as possible.
Visit Downloads page for archives and the patch. Or get latest revision from SVN trunk.

Thanks to the people who reported issues and Smartys who fixed them.

Carpe diem

Anatoly's Website

2 Reply by hcgtv (edited by hcgtv 2008-07-11 17:33)

  • hcgtv
  • hcgtv
  • Senior Member
  • Offline
  • From: Charlotte, NC
  • Registered: 2004-06-25
  • Posts: 1,991

Re: PunBB 1.2.18

Anatoly,

The PunBB trunk copyrights update makes the changed files zip contain more files than were actually changed due to issues found.

I think it would be better to have the changed files zip only to contain what files need updating, this would speed up the adoption of these security patches.

Also, should this release announcement be on the front page?

Thanks.

PHPCrossRef . TXP Make . TXP Themes . TXP Tags . TXP Planet . We Love TXP

hcgtv's Website

  • From: Russia
  • Registered: 2007-12-13
  • Posts: 642

Re: PunBB 1.2.18

hcgtv wrote:

The PunBB trunk copyrights update makes the changed files zip contain more files than were actually changed due to issues found.

I think it would be better to have the changed files zip only to contain what files need updating, this would speed up the adoption of these security patches.

I agree with your arguments, but we cannot release new version of PunBB with illegal copyrights. And we can't put all of them to "changed files only" zip, because users will have different sources then.

hcgtv wrote:

Also, should this release announcement be on the front page?

Yup. You're right :)

Carpe diem

Anatoly's Website