#1 2008-07-10 23:40:37

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139
Website

FluxBB 1.2.19 and 1.3 hotfixes released

It's that time again: new release time! :)

Recently, several security vulnerabilities in both the stable (1.2) and development (1.3) branches of FluxBB have come to our attention. Today, we have released a new version of 1.2 and hotfixes for 1.3 to address these vulnerabilities.

1.2.19 addresses three fairly serious security vulnerabilities and provides a fix for an issue with userlist.php. It is a recommended upgrade for all 1.2 installs, both FluxBB and PunBB.

4 hotfixes have been released for 1.3 Beta 2. These hotfixes address various security concerns in the beta. It is recommended that all users of the beta install these hotfixes: when your install checks for updates, either manually or automatically, you should be prompted to do so.

The FluxBB Team would like to thank Stefan Esser, who reported the 1.3 vulnerabilities, and Dan Crowley, who reported the vulnerability in 1.2's parser.

Offline

#2 2008-07-11 04:08:32

raptrex
Member
Registered: 2008-05-11
Posts: 121
Website

Re: FluxBB 1.2.19 and 1.3 hotfixes released

yay for updates!

Offline

#3 2008-07-11 09:00:53

kankan
Member
From: France
Registered: 2008-06-09
Posts: 6
Website

Re: FluxBB 1.2.19 and 1.3 hotfixes released

I'll update my forums.

Thank you.


I don't speak English very well, because I'm French.
I'm kankan_1 in French community of FluxBB.

Offline

#4 2008-07-11 10:18:37

dns777
Member
Registered: 2008-07-11
Posts: 1

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Concerning 1.2.19, in include/parser.php :

        if (preg_match('#\[url\](.*?)([\[]+?)(.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)([\[]+?)(.*?)\](.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)\](.*?)([\[]+?)(.*?)\[/url\]#', $text))
                message('BBCode can not be nested within [url] tags.');

This is rather annoying, since it refuses the creation of clickable images, like this:

[url=http://bla.com/big_image.jpg][img]http://bla.com/thumbnail.jpg[/img][/url]

Last edited by dns777 (2008-07-11 13:43:29)

Offline

#5 2008-07-11 14:00:39

Bad Harvest
Member
From: Costa Mesa, CA, USA
Registered: 2008-07-07
Posts: 10
Website

Re: FluxBB 1.2.19 and 1.3 hotfixes released

dns777 wrote:

This is rather annoying, since it refuses the creation of clickable images

Agreed! I don't have images enabled in my forum, but linked images are very useful and I use them a lot elsewhere. In fact, linked images are required to conform to Flickr's ToS when using an image from your Flickr photostream.

Offline

#6 2008-07-11 14:53:43

chris
Member
Registered: 2008-05-09
Posts: 21

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Just a tip for anyone else having this problem.

I uploaded the changefiles for 1.2.19 but my install still said 1.2.18. This is because the database update script was missing from the changed files zip. To fix this:

0) Upload the changed files to your Flux 1.2.18 install
1) UPDATE punbb_config /*(mine is a longtime pun install, the new flux tables probably have a different prefix)*/ SET o_cur_version = '1.2.19';
2) Delete file (your install path)/cache/cache_config.php
3) Load any Flux page in your browser.

You now have the newest release, no updates available.

Offline

#7 2008-07-11 16:46:27

anni
Member
From: Germany
Registered: 2008-06-01
Posts: 13

Re: FluxBB 1.2.19 and 1.3 hotfixes released

smartys plz release a one click 12_to_1219_update.php file

Offline

#8 2008-07-11 17:33:52

Meow
Member
From: Taipei, Taiwan
Registered: 2008-05-10
Posts: 677
Website

Re: FluxBB 1.2.19 and 1.3 hotfixes released

.19

...

Is it a race between FluxBB 1.2(.19) and phpBB 2.0(.23)?


Enjoy the chosen furry artworks on Chita every day.

Offline

#9 2008-07-11 18:02:18

Mark
Member
From: Southport, Uk
Registered: 2008-05-03
Posts: 535

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Meow wrote:

.19

...

Is it a race between FluxBB 1.2(.19) and phpBB 2.0(.23)?

No, it's essential security updates.

Offline

#10 2008-07-11 18:41:45

artoodetoo
Member
From: Far-Far-Away
Registered: 2008-05-11
Posts: 219

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Please explain why [ url ] some-other-tags [ /url ] has a vulnerability. I can't realize it, sorry!


I'm not a fan of FluxBB way anymore.

Offline

#11 2008-07-11 18:59:36

Lamonte
Member
From: MO, USA
Registered: 2008-05-12
Posts: 244
Website

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Where do I download from, main website?

Offline

#12 2008-07-11 19:16:09

Coordinator
Member
From: Russia
Registered: 2008-05-11
Posts: 12
Website

Re: FluxBB 1.2.19 and 1.3 hotfixes released

artoodetoo wrote:

Please explain why [ url ] some-other-tags [ /url ] has a vulnerability. I can't realize it, sorry!

Really, why?

Offline

#13 2008-07-11 19:59:38

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139
Website

Re: FluxBB 1.2.19 and 1.3 hotfixes released

dns777 wrote:

Concerning 1.2.19, in include/parser.php :

        if (preg_match('#\[url\](.*?)([\[]+?)(.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)([\[]+?)(.*?)\](.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)\](.*?)([\[]+?)(.*?)\[/url\]#', $text))
                message('BBCode can not be nested within [url] tags.');

This is rather annoying, since it refuses the creation of clickable images, like this:

[url=http://bla.com/big_image.jpg][img]http://bla.com/thumbnail.jpg[/img][/url]

Quite right. And I was hoping to have a release without an issue too. :/
We'll investigate and see whether we can improve the check to be less overzealous.

Offline

#14 2008-07-11 20:53:42

raptrex
Member
Registered: 2008-05-11
Posts: 121
Website

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Lamonte wrote:

Where do I download from, main website?

You can, or go into install extensions on your forum.

Offline

#15 2008-07-11 22:51:02

foxmask
Member
From: France
Registered: 2008-05-10
Posts: 20
Website

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Smartys wrote:
dns777 wrote:

Concerning 1.2.19, in include/parser.php :

        if (preg_match('#\[url\](.*?)([\[]+?)(.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)([\[]+?)(.*?)\](.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)\](.*?)([\[]+?)(.*?)\[/url\]#', $text))
                message('BBCode can not be nested within [url] tags.');

This is rather annoying, since it refuses the creation of clickable images, like this:

[url=http://bla.com/big_image.jpg][img]http://bla.com/thumbnail.jpg[/img][/url]

Quite right. And I was hoping to have a release without an issue too. :/
We'll investigate and see whether we can improve the check to be less overzealous.

I met the same issue with
[ url= ... ] [ b ] [ color = ] text [/ color ] [ / b ] [ / url ]

Offline

#16 2008-07-12 06:05:44

anni
Member
From: Germany
Registered: 2008-06-01
Posts: 13

Re: FluxBB 1.2.19 and 1.3 hotfixes released

I can't even post two links after each other in 1.2.19 :(

Like:

FluxBB FluxBB

Error Message:

BBCode can not be nested within [url] tags.

Last edited by anni (2008-07-12 06:09:30)

Offline
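
Added example, not part of the thread and not FluxBB's code: it runs the three patterns quoted from include/parser.php over constructed sample posts to show why both the clickable image and two adjacent links are refused. The lazy `(.*?)` groups are free to run past the first `[/url]`, so the `[` of a closing tag satisfies the "nested tag" group. `element_has_nested_tag()` is a hypothetical narrower check, and the example.com URLs are placeholders.

```php
<?php
// The three patterns quoted from include/parser.php (1.2.19) earlier in the thread.
$patterns = [
    '#\[url\](.*?)([\[]+?)(.*?)\[/url\]#',
    '#\[url=(.*?)([\[]+?)(.*?)\](.*?)\[/url\]#',
    '#\[url=(.*?)\](.*?)([\[]+?)(.*?)\[/url\]#',
];

// Index of the first quoted pattern that matches $text, or -1 if none does.
function first_rejecting_pattern(array $patterns, string $text): int
{
    foreach ($patterns as $i => $pattern) {
        if (preg_match($pattern, $text) === 1) {
            return $i;
        }
    }
    return -1;
}

// Hypothetical narrower check (an assumption, not FluxBB's fix): take each
// [url] element up to its first [/url] and flag it only when its own target
// or label contains '['.
function element_has_nested_tag(string $text): bool
{
    preg_match_all('#\[url(?:=([^\]]*))?\](.*?)\[/url\]#s', $text, $elements, PREG_SET_ORDER);
    foreach ($elements as $el) {
        if (strpos($el[1], '[') !== false || strpos($el[2], '[') !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample posts (example.com URLs are placeholders).
$samples = [
    'single link'     => '[url=http://example.com/]Example[/url]',
    'clickable image' => '[url=http://example.com/big.jpg][img]http://example.com/thumb.jpg[/img][/url]',
    'two links'       => '[url=http://example.com/a]A[/url] [url=http://example.com/b]B[/url]',
    'two bare links'  => '[url]http://example.com/a[/url] [url]http://example.com/b[/url]',
];

foreach ($samples as $name => $text) {
    printf("%-16s quoted check: %-8s per-element check: %s\n",
        $name,
        first_rejecting_pattern($patterns, $text) >= 0 ? 'rejects' : 'accepts',
        element_has_nested_tag($text) ? 'rejects' : 'accepts');
}
```

The per-element check still refuses the clickable image, because that post really does nest `[img]` inside `[url]`; whether to allow specific inner tags is a separate decision from fixing the cross-element false positive.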

#17 2008-07-12 11:35:49

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139
Website

Re: FluxBB 1.2.19 and 1.3 hotfixes released

anni: Thanks for the report.
Everyone: From this point forward, I'm going to be deleting any posts that report the same issue. We don't need any "me too" posts. We know there's an issue. ;)

Offline

#18 2008-07-12 20:29:18

achos
Member
Registered: 2008-05-20
Posts: 33

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Hi,
how do I update the SVN 1.3 version? Thanks

Last edited by achos (2008-07-12 20:29:33)

Offline

#19 2008-07-12 22:57:38

fpouget
Member
Registered: 2008-05-25
Posts: 6

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Hi,

Is there not an issue with edit.php and extern.php? I can figure out where the differences are in http://fluxbb.org/download/releases/1.2 … .2.19.html; same thing for http://fluxbb.org/download/releases/1.2 … .2.18.html

Offline

#20 2008-07-13 01:55:35

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139
Website

Re: FluxBB 1.2.19 and 1.3 hotfixes released

fpouget: edit.php has a > added, extern.php has a PunBB changed to FluxBB (the other change, as you said, appears to not affect anything).

Offline

#21 2008-07-15 13:49:59

Ledo
Member
Registered: 2008-05-10
Posts: 217

Re: FluxBB 1.2.19 and 1.3 hotfixes released

What is the policy on hotfixes?

Will installing hotfixes over the extensions system be a common procedure in the future, or will hotfixes be implemented in every new release of FluxBB?

Offline

#22 2008-07-15 14:56:57

liquidat0r
Member
From: London, England
Registered: 2008-05-22
Posts: 418
Website

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Hotfixes will fix any issues found before a new release is made. Upon updating to that new release, the hotfixes will be removed and replaced by hard-code in the new release.

Last edited by liquidat0r (2008-07-15 14:57:20)

Offline
