Xtratime Community


Registered, 4,844 Posts (Discussion Starter #1)
I don't remember if it's just exact repetition of their previous mail - at any rate, just to be safe, I'm pasting it again here:

----------------------------------------------------------------------

JELSOFT SECURITY BULLETIN
http://www.vbulletin.com/
January 21st, 2005

This email contains important security-related information.
Please read it carefully.

* vBulletin 3.0.6 / 2.3.6 Released
* Performance Hit Since PHP 4.3.10 / 5.0.3
* Your License Information
* Contact Us


------------ VBULLETIN 3.0.6 / 2.3.6 RELEASED ------------

vBulletin 3.0.6 and 2.3.6 are security and bug fix
releases. They fix a recently discovered XSS issue
regarding BB code parsing.

All versions of vBulletin prior to 3.0.6 and 2.3.6 are
vulnerable. The only workaround is to disable BB code
parsing in signatures and all forums where untrusted users
can post.

We strongly urge all customers to either fully upgrade or
patch their installations as soon as possible. A patch is
available for includes/functions_bbcodeparse.php
(vBulletin 3) and admin/functions.php (vBulletin 2).
Overwrite the version on your server with the file in the
appropriate zip. The patch(es) can be downloaded from here:

http://www.vbulletin.com/forum/showthread.php?t=127027

After a full upgrade your forum will once again be secure.
If you would rather simply patch your forum, please take
note of the following:

Board is running vBulletin 2.3.5 or earlier
- Download patch for 2.3.5
- Overwrite admin/functions.php

Board is running vBulletin 3.0.4 or earlier
- Download patches for 3.0.5 and 3.0.6
- Overwrite includes/init.php
- Overwrite includes/functions_bbcodeparse.php
- Overwrite private.php

Board is running vBulletin 3.0.5
- Download patch for 3.0.6
- Overwrite includes/functions_bbcodeparse.php

Once you have performed the steps outlined above,
your board will be secure.

We would again like to reiterate that security is our
primary concern. In the past weeks, there have been several
reports of security issues in vBulletin that have prompted
the recent releases. We realize that these releases can be
a burden on you. For that, we are sorry, but once we have
become aware of a security issue, it is our duty to provide
a fix to that issue. We are also performing internal security
audits and looking into changes to our core systems to
prevent issues such as these from occurring in the future.

Please read the announcement for upgrade and installation
instructions, as well as the list of bugs fixed and other
changes:

http://www.vbulletin.com/forum/showthread.php?t=127027


-------- PERFORMANCE HIT SINCE PHP 4.3.10 / 5.0.3 --------

Many people have noticed that vBulletin (and a lot of other
PHP applications) suddenly started to run significantly
slower than normal after installing PHP 4.3.10 or 5.0.3
in order to patch the security flaw in previous versions
of PHP.

The cause of this slow-down has been identified as a problem
with the unserialize() function in PHP. For more details,
see http://bugs.php.net/bug.php?id=31332.

This problem has now been fixed by the PHP developers, though
the fixed version has yet to be released in a 'stable'
version. However, the latest CVS snapshots of PHP 4.3.x and
5.0.x, available from http://snaps.php.net contain the fix
and restore the original speed of unserialize().

While we would not recommend running a 'dev' version of
PHP on any production server, we understand that the
performance problem has been a major issue for some people.
If you are badly affected, you may want to consider running
a 'dev' version of PHP at your own risk in order to overcome
the performance problem.


---------------- YOUR LICENSE INFORMATION ----------------

You can use this information to log into the members area
and download vBulletin 3.0.6 or 2.3.6:

Customer Number: 891294501515

If you have misplaced your customer password, you can
request that it be re-sent to your registered email
address using the following form:
http://www.vbulletin.com/members/lostpw.php

You can use this information to log into the members area:
http://www.vbulletin.com/members/


-------------------- CONTACT US --------------------------

Got a vBulletin technical query? Contact support:
http://www.vbulletin.com/support/

For all other queries, please visit this page:
http://www.vbulletin.com/contact.php

----------------------------------------------------------

This periodic email newsletter is delivered to all current
vBulletin customers, and contains information about new
software versions and Jelsoft.com/vBulletin.com web site
features and content. If you have any questions or
comments about this mailing, please contact us.

This email sent to: [email protected]

Copyright (c) 2000-2005, Jelsoft Enterprises Limited
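The bulletin above names the bug class (XSS through BB code parsing) but not the defect itself. As an added illustration of that class, written for this page rather than taken from vBulletin and not reproducing the flaw Jelsoft patched, here is a toy BB code renderer in Python in its unsafe form beside a hardened one. The tag set, the attack strings in SAMPLES and the helper names are constructed for the example.

```python
"""Toy BB code rendering: an unsafe translation next to a hardened one.

Added example. This is not vBulletin's parser and does not reproduce the
flaw the bulletin patched (the page does not describe it); it shows the
general class of bug: tag arguments and tag bodies pasted into HTML
without escaping, so a post author can supply markup or a script URL.
"""
import html
import re

# Two tags are enough to show the pattern; real parsers support dozens.
B_TAG = re.compile(r"\[b\](.*?)\[/b\]", re.IGNORECASE | re.DOTALL)
URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)

# Only these schemes may become a clickable link. javascript:, data:, vbscript:
# and friends fail the anchored allowlist; there is no denylist to bypass.
ALLOWED_HREF = re.compile(r"^(https?|ftp)://[^\s\"'<>]+$", re.IGNORECASE)


def render_unsafe(text: str) -> str:
    """Vulnerable: substitutes author-controlled text straight into markup."""
    out = B_TAG.sub(r"<b>\1</b>", text)
    # The URL becomes an attribute value and the label becomes element
    # content, with no escaping and no scheme check.
    return URL_TAG.sub(r'<a href="\1">\2</a>', out)


def _safe_url_repl(match: "re.Match[str]") -> str:
    href, label = match.group(1), match.group(2)
    if not ALLOWED_HREF.match(href):
        # Not a link we are willing to emit: leave the tag as visible text.
        return match.group(0)
    return f'<a href="{href}">{label}</a>'


def render_safe(text: str) -> str:
    """Hardened: escape everything first, then add markup for allowed tags only.

    After html.escape() no raw '<', '>', '&' or '"' from the author survives,
    so the regexes can only ever wrap already-inert text in fixed tags, and
    the href allowlist runs on the escaped value that actually lands in HTML.
    """
    escaped = html.escape(text, quote=True)
    out = B_TAG.sub(r"<b>\1</b>", escaped)
    return URL_TAG.sub(_safe_url_repl, out)


# Constructed sample posts (not taken from the original page).
SAMPLES = {
    "script_url": "[url=javascript:alert(document.cookie)]click me[/url]",
    "attr_breakout": '[url=http://example.com/"onmouseover="alert(1)]x[/url]',
    "raw_html": "[b]<script>alert(1)</script>[/b]",
    "benign": "[url=https://example.com/?a=1&b=2]Example[/url]",
}


def render_all(renderer) -> dict:
    """Run one renderer over every sample; handy for side-by-side review."""
    return {name: renderer(post) for name, post in SAMPLES.items()}


if __name__ == "__main__":
    for name, post in SAMPLES.items():
        print(f"{name}:\n  unsafe: {render_unsafe(post)}\n  safe:   {render_safe(post)}")
```

The two points worth carrying over to any real parser: escape the whole post before tag substitution rather than trying to escape each captured piece, and decide what a URL may be with an anchored allowlist of schemes rather than by stripping known-bad prefixes. The bulletin's own advice (disable BB code parsing in signatures and in forums where untrusted users post) is the equivalent of removing the substitution step entirely.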
 

Third Place Winner, December 2011 Photo Contest, 12,813 Posts
I think this is something we need to upgrade to but after the server move.
 

Defunct, 23,341 Posts
Again, since we have customized our version of vbulletin, upgrading it is something we pretty much rejected once we installed the first hack. You could of course upgrade it and reinstall all hacks every time you do an upgrade but that's both a giant pain and not guaranteed to work either...
 

Third Place Winner, December 2011 Photo Contest, 12,813 Posts
Martin, just curious, did you ACTUALLY read the above?
 

Registered, 17,861 Posts
He's probably amazed! I know I read the first sentence and then skipped the rest! :)
 

Defunct, 23,341 Posts
Yeah I just read the first two paragraphs the first time, I've read tons of these in the past and they're all the same. :D
 

Third Place Winner, December 2011 Photo Contest, 12,813 Posts
No, they said it affects ONE php file, it's not a full system delivery.

So WE CAN OF COURSE upgrade to this! :D
 

Defunct, 23,341 Posts
Jonny, you do of course realize that when you keep replacing or updating certain files while you ignore the others that also come with the update, you're doing yourself a disservice, right? ;) The upgrade from 3.0.5 to 3.0.6 involves two files that we may not even have touched but that won't get you a 3.0.6 release from a 3.0.1 obviously. If you want to actually upgrade instead of just patch the vulnerability, there's a very good chance that upgrade will involve a whole lot of files, and possibly updates to the database structure as well.

I think we should either do all the updates as they come or do none at all. No partial stuff.
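The objection in the post above (patch files may silently overwrite local hacks, and replacing two files does not turn a 3.0.1 install into 3.0.6) can be checked before anything is copied. The following is an added example, not Jelsoft's tooling and not part of the thread: it assumes you still have an untouched unpacked copy of the release you installed and that the patch zip is unpacked into its own directory, and it reports, for every file the patch ships, whether the live copy is untouched, locally modified, already patched, or absent. The directory names, the "hack" comment and the PHP file contents in run_sample() are constructed placeholders.

```python
"""Pre-flight check for a file-overwrite patch against a customized install.

Added example, not vendor tooling. Compares three trees:
  patch_dir     files shipped in the vendor patch zip (unpacked)
  pristine_dir  an untouched unpacked copy of the release currently installed
  live_dir      the web root that is actually serving the board
Assumption: all three use the same relative layout (includes/..., private.php).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_patch(patch_dir: Path, pristine_dir: Path, live_dir: Path) -> dict:
    """Map each patched file (relative path) to one of:
    missing          not in the live tree: wrong web root or wrong version
    already_patched  live file identical to the patch copy; nothing to do
    unknown          no pristine copy to compare against; inspect by hand
    unmodified       live file identical to the pristine release; safe to overwrite
    modified         live file differs from pristine; a local hack would be lost
    """
    result = {}
    for patched in sorted(p for p in patch_dir.rglob("*") if p.is_file()):
        rel = patched.relative_to(patch_dir).as_posix()
        live = live_dir / rel
        pristine = pristine_dir / rel
        if not live.is_file():
            result[rel] = "missing"
        elif sha256_of(live) == sha256_of(patched):
            result[rel] = "already_patched"
        elif not pristine.is_file():
            result[rel] = "unknown"
        elif sha256_of(live) == sha256_of(pristine):
            result[rel] = "unmodified"
        else:
            result[rel] = "modified"
    return result


def _write(root: Path, rel: str, text: str) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def run_sample() -> dict:
    """Build a constructed fixture mirroring the 3.0.5 -> 3.0.6 file list and classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        patch, pristine, live = root / "patch_306", root / "vb305_pristine", root / "htdocs"
        # Placeholder contents; the real files are PHP source.
        _write(pristine, "includes/functions_bbcodeparse.php", "<?php // 3.0.5 parser\n")
        _write(pristine, "includes/init.php", "<?php // 3.0.5 init\n")
        _write(pristine, "private.php", "<?php // 3.0.5 private messaging\n")
        _write(patch, "includes/functions_bbcodeparse.php", "<?php // 3.0.6 parser, XSS fix\n")
        _write(patch, "includes/init.php", "<?php // 3.0.6 init\n")
        _write(patch, "private.php", "<?php // 3.0.6 private messaging\n")
        # Live tree: parser untouched, init.php carries a local hack, private.php absent.
        _write(live, "includes/functions_bbcodeparse.php", "<?php // 3.0.5 parser\n")
        _write(live, "includes/init.php", "<?php // 3.0.5 init\n// local hack (constructed)\n")
        return classify_patch(patch, pristine, live)


if __name__ == "__main__":
    for rel, status in run_sample().items():
        print(f"{status:16} {rel}")
```

For "modified" files, diff the pristine copy against the live one to isolate the hack, then re-apply that diff to the patched file instead of overwriting; for "missing" files, stop and confirm the web root and the installed version before going further, since the patch set in the bulletin depends on which release is actually running.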
 

Third Place Winner, December 2011 Photo Contest, 12,813 Posts
I know what you are saying.

I'll take a look at it next hopefully, and try the upgrade files.
 

Third Place Winner, December 2011 Photo Contest, 12,813 Posts
Mart, can you email me the new server password please, so I can ftp files to the server :)

Thanks.
 

Defunct, 23,341 Posts
Balis-of-Steel said:
Mart, can you email me the new server password please, so I can ftp files to the server :)

Thanks.
Do you mind running it by me again? I would look it up on msn but the bugger kicked me out around 3pm today and haven't been able to connect again.
 

Third Place Winner, December 2011 Photo Contest, 12,813 Posts
I'm not sure what you are talking about?

Do you have the new server password? (I assume you do)
 

Registered, 4,844 Posts (Discussion Starter #16)
Ok a new mail, something to do with why ver 3.0.7 is not released yet. Do we need to do anything?

--------------------------------------------------------------
JELSOFT SECURITY BULLETIN
http://www.vbulletin.com/
February 19th, 2005

This email contains important security-related information.
Please read it carefully.

* vBulletin 3.0.7 Released
* Security Reminder
* Your License Information
* Contact Us


---------------- VBULLETIN 3.0.7 RELEASED ----------------

The discovery of a potentially serious security hole has
necessitated the release of vBulletin 3.0.7. All customers
are strongly encouraged to take one of the actions
described in this email.

All versions of vBulletin 3 up to and including 3.0.6 are
affected only if you have enabled the "Add Template Name
in HTML Comments" option (Admin Control Panel -> vBulletin
Options -> General Settings). We hope most of you will not
have had this option enabled anyway, as it is mostly for
debugging and creates unnecessary bandwidth usage on a
production site.

To fix the issue, you should choose one of these options:

1. Disable the "Add Template Name in HTML Comments" option
on your board.
2. Download this zip file:
http://www.vbulletin.com/members/getfile.php/patch_307.zip
Follow the instructions within to patch your vBulletin.
3. Upgrade to 3.0.7. Please see the link below for more
information on this release.

We recommend options 2 or 3, if possible.

For more information on this release, including upgrade
instructions and information on bugs fixed, please see
this thread:

http://www.vbulletin.com/forum/showthread.php?t=130591


-------------------- SECURITY REMINDER -------------------

We would like to take this time to reiterate the importance
of keeping current with security updates. If you are not
currently running a version with the recent patches built
in or have not manually patched your board, please see the
3.0.5 and 3.0.6 announcements for important patches.

- vBulletin 3.0.5 Announcement:
http://www.vbulletin.com/forum/showthread.php?t=125480

- vBulletin 3.0.6 Announcement:
http://www.vbulletin.com/forum/showthread.php?t=127027

Recently, more issues have been discovered than we would
have liked, but we try to make patching as painless as
possible to ease the burden these issues create. We are
looking into ways to make patch delivery even easier for
future versions.


---------------- YOUR LICENSE INFORMATION ----------------

You can use this information to log into the members area
and download vBulletin 3.0.7:

Customer Number: 891294501515

If you have misplaced your customer password, you can
request that it be re-sent to your registered email
address using the following form:
http://www.vbulletin.com/members/lostpw.php

You can use this information to log into the members area:
http://www.vbulletin.com/members/


-------------------- CONTACT US --------------------------

Please do not respond to this email directly. We will not
receive your response. Please use the links below.

Got a vBulletin technical query? Contact support:
http://www.vbulletin.com/support/

For all other queries, please visit this page:
http://www.vbulletin.com/contact.php

----------------------------------------------------------

This periodic email newsletter is delivered to all current
vBulletin customers, and contains information about new
software versions and Jelsoft.com/vBulletin.com web site
features and content. If you have any questions or
comments about this mailing, please contact us via the
links above.

This email sent to: [email protected]

Copyright (c) 2000-2005, Jelsoft Enterprises Limited
 