phpBB 3.2.4 Release - Please Update

Marc
Development Team Leader

Post by Marc

Greetings everyone,

We are pleased to announce the release of phpBB 3.2.4 "Bertie's ‘stache". This version is a maintenance and security release of the 3.2.x branch which fixes one security issue and various issues reported in previous versions.

The security issue was discovered with a new exploitation technique called Phar deserialization. An attacker with control over a founder admin account could escalate to remote code execution by abusing PHP’s default unserialization of metadata in Phar files. More information about this technique can be found here.
In order to fix this issue we’ve removed the ability to define absolute paths in the Admin Control Panel. This resulted in the removal of setting the ImageMagick path, so make sure to have the GD image library available instead. A new event to generate thumbnails was added as replacement, so you’re able to write an extension that uses a different image library to generate thumbnails. We would like to thank Simon Scannell and Robin Peraglie of RIPS Technologies for their report and responsible disclosure. The issue has been assigned CVE-2018-19274.

The fixed issues include, among others, compatibility issues with PHP 7.2 and issues with removing users from the newly registered user group more than once.
Among the notable changes are the addition of the list-unsubscribe header to emails sent by phpBB and the ability to reset your password without entering the username.

The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.4 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=14790

The packages can be downloaded from our downloads page.

We recommend following these update instructions for updating your instance of phpBB.

The development team thanks everyone who contributed code to this release: Jakub Senko, MikelAlejoBR, kasimi, Zoddo, v12mike, hubaishan, 3D-I, Matt Friedman, Kailey Truscott, Alec, Alex Miles, Andrii Afanasiev, Anssi Johansson, DSR!, Daniel, Dark❶, David Colón, Ioannis Batas, Jim Mossing Holsteyn, Serge Skripchuk, Toxyy, rxu

If you have any questions or comments, we'll be happy to address them in the discussion topic.

- The phpBB Team



Release Highlights

Enhancement
  • Updated dependencies - Updated dependencies to latest versions, e.g. Symfony, Twig
  • Added list-unsubscribe header - Added list-unsubscribe header to emails PHPBB3-14656
  • Username not required for "forgot password" - Specifying the username is no longer required for using the "forgot password" functionality PHPBB3-10432
Notable Bug Fixes
  • PHP 7.2 issues - Several warnings and incompatibilities when using phpBB 3.2 on PHP 7.2 PHPBB3-15612 PHPBB3-15507 PHPBB3-15557
  • Removing users multiple times from newly registered - Fixed a bug that prevented users from being removed multiple times from newly registered user group PHPBB3-15494
Notable changes
  • Events can use twig syntax - Template events can now employ the twig syntax PHPBB3-15809
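
The kind of input check behind the CVE-2018-19274 fix described in the announcement, as an added example that is not phpBB's own code: a validator for admin-configurable path settings that rejects absolute paths and, going slightly beyond the text, any `scheme://` stream-wrapper prefix such as `phar://`. The function name `is_safe_relative_path()` and the sample values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical validator (not phpBB code): accept only relative paths for
 * admin-configurable settings, so a stored value can never name a stream
 * wrapper such as phar:// or an arbitrary absolute location on disk.
 */
function is_safe_relative_path(string $path): bool
{
    // Empty values and embedded NUL bytes are never valid paths.
    if ($path === '' || strpos($path, "\0") !== false) {
        return false;
    }
    // Any "scheme://" prefix selects a PHP stream wrapper; match case-insensitively.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    // Absolute paths: POSIX root, backslash/UNC root, or a Windows drive letter.
    if (preg_match('#^(?:[/\\\\]|[a-z]:)#i', $path) === 1) {
        return false;
    }
    // Reject parent-directory segments with either separator style.
    $segments = explode('/', str_replace('\\', '/', $path));
    return !in_array('..', $segments, true);
}

// Constructed sample values, as they might be typed into a path setting.
$samples = [
    'images/avatars/upload' => true,
    'files'                 => true,
    '/usr/bin/'             => false,
    'C:\\ImageMagick\\'     => false,
    'phar://files/example'  => false,
    'PHAR://files/example'  => false,
    '../../etc'             => false,
];

foreach ($samples as $path => $expected) {
    $actual = is_safe_relative_path((string) $path);
    printf("%-24s %s\n", $path, $actual ? 'accept' : 'reject');
    if ($actual !== $expected) {
        throw new RuntimeException("unexpected result for {$path}");
    }
}
```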
