We are pleased to announce the release of phpBB 3.2.4 "Bertie's ‘stache". This version is a maintenance and security release of the 3.2.x branch which fixes one security issue and various issues reported in previous versions.
The security issue was discovered with a new exploitation technique called Phar deserialization. An attacker with control over a founder admin account could escalate to remote code execution by abusing PHP’s default unserialization of metadata in Phar files. More information about this technique can be found here.
In order to fix this issue we’ve removed the ability to define absolute paths in the Admin Control Panel. This resulted in the removal of setting the ImageMagick path, so make sure to have the GD image library available instead. A new event to generate thumbnails was added as replacement, so you’re able to write an extension that uses a different image library to generate thumbnails. We would like to thank Simon Scannell and Robin Peraglie of RIPS Technologies for their report and responsible disclosure. The issue has been assigned CVE-2018-19274.
The fixed issues include, among others, compatibility issues with PHP 7.2 and issues with removing users from the newly registered user group more than once.
Among the notable changes are the addition of the list-unsubscribe header to emails sent by phpBB and the ability to reset your password without entering the username.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.4 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=14790
The packages can be downloaded from our downloads page.
We recommend following these update instructions for updating your instance of phpBB.
The development team thanks everyone who contributed code to this release: Jakub Senko, MikelAlejoBR, kasimi, Zoddo, v12mike, hubaishan, 3D-I, Matt Friedman, Kailey Truscott, Alec, Alex Miles, Andrii Afanasiev, Anssi Johansson, DSR!, Daniel, Dark❶, David Colón, Ioannis Batas, Jim Mossing Holsteyn, Serge Skripchuk, Toxyy, rxu
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Release Highlights
Enhancement
- Updated dependencies - Updated dependencies to latest versions, e.g. Symfony, Twig
- Added list-unsubscribe header - Added list-unsubscribe header to emails PHPBB3-14656
- Username not required for "forgot password" - Specifying the username is no longer required for using the "forgot password" functionality PHPBB3-10432
- PHP 7.2 issues - Several warnings and incompatibilities when using phpBB 3.2 on PHP 7.2 PHPBB3-15612 PHPBB3-15507 PHPBB3-15557
- Removing users multiple times from newly registered - Fixed a bug that prevented users from being removed multiple times from newly registered user group PHPBB3-15494
- Events can use twig syntax - Template events can now employ the twig syntax PHPBB3-15809