FluxBB 1.2.21 released

Connor · 2008-12-04 23:40:16

We have just released an updated version of the 1.2 branch, this addresses a fairly serious security issue discovered by Smartys (thanks )

If you run 1.2 then it is highly recommended that you update your install.

Connor

Smartys · 2008-12-04 23:45:42

http://fluxbb.org/trac/changeset/738
For anyone curious about the change

MisterAwesome · 2008-12-05 01:16:53

http://fluxbb.org/downloads/updates.php
Whats are the files to change to upgrade from 1.2.20 ?

Connor · 2008-12-05 01:17:36

http://fluxbb.org/download/releases/1.2 … .2.21.html just one small change

MisterAwesome · 2008-12-05 01:23:39

I've done that but it still shows 1.2.20 on the main page ?

elbekko · 2008-12-05 01:48:38

Oh yes, we didn't update the DB update script -.-
*glares at Connor*

Pedro · 2008-12-05 04:03:34

Forgive me my ignorance, why is this dangerous?
fp.group_id=1

I guess the group with the id=1 could be other than the admin group in some situations...?

Reines · 2008-12-05 04:14:58

Pedro wrote:

Forgive me my ignorance, why is this dangerous?
fp.group_id=1
I guess the group with the id=1 could be other than the admin group in some situations...?

group_id 1 is the admin group, the old query was basically selecting all forums the admin group could view, rather than the actual user logged in can view.

hcgtv · 2008-12-05 05:13:18

elbekko wrote:

Oh yes, we didn't update the DB update script -.-

Don't feel bad, the PunBB team forgot the 12_to_1221_update.php file in their changed files zip.

Let's cut them some slack though, they're doing the best they can in their spare time

Smartys · 2008-12-05 05:13:50

To be clear, it's dangerous from an information security perspective more than anything else: it's a missing permissions check on subscriptions.

xable · 2008-12-05 05:24:20

Thanks guys.

chris · 2008-12-05 07:01:03

You can follow my instructions here to update your version number. The database update script was missing again (as noted above).

Pedro · 2008-12-05 08:51:55

So it was bug rather than a security issue.

I mean, that "group_id=1" should never be there because it didn't make sense at all, not because it was dangerous. Did I got it right?

Smartys · 2008-12-05 15:05:48

Pedro wrote:

So it was bug rather than a security issue.
I mean, that "group_id=1" should never be there because it didn't make sense at all, not because it was dangerous. Did I got it right?

Yes and no. You're right that it didn't make sense at all. The security issue is that it allows me to subscribe to topics I'm not allowed to see. Which means I get emails when people post in them (along with the contents of the post)

kankan · 2008-12-14 13:06:42

Thanks you for the maintain of 1.2 branch .

But when the 1.3 branch was stabilized ? And it's possible to use the SVN version in production ?

frozen_space · 2008-12-15 06:32:12

kankan wrote:

Thanks you for the maintain of 1.2 branch .
But when the 1.3 branch was stabilized ? And it's possible to use the SVN version in production ?

1.3 is still in development stage, and you are not recommended to use it in production environment.

Forums

#1 2008-12-04 23:40:16

FluxBB 1.2.21 released

#2 2008-12-04 23:45:42

Re: FluxBB 1.2.21 released

#3 2008-12-05 01:16:53

Re: FluxBB 1.2.21 released

#4 2008-12-05 01:17:36

Re: FluxBB 1.2.21 released

#5 2008-12-05 01:23:39

Re: FluxBB 1.2.21 released

#6 2008-12-05 01:48:38

Re: FluxBB 1.2.21 released

#7 2008-12-05 04:03:34

Re: FluxBB 1.2.21 released

#8 2008-12-05 04:14:58

Re: FluxBB 1.2.21 released

#9 2008-12-05 05:13:18

Re: FluxBB 1.2.21 released

#10 2008-12-05 05:13:50

Re: FluxBB 1.2.21 released

#11 2008-12-05 05:24:20

Re: FluxBB 1.2.21 released

#12 2008-12-05 07:01:03

Re: FluxBB 1.2.21 released

#13 2008-12-05 08:51:55

Re: FluxBB 1.2.21 released

#14 2008-12-05 15:05:48

Re: FluxBB 1.2.21 released

#15 2008-12-14 13:06:42

Re: FluxBB 1.2.21 released

#16 2008-12-15 06:32:12

Re: FluxBB 1.2.21 released

Board footer