phpBB 3.2.8 Release - Please Update

Marc
Development Team Leader

Post by Marc »

Greetings everyone,

Today we’re announcing the release of phpBB 3.2.8. This release is dedicated to the memory of Maria Wilhelmina Theodora 'Marian' Verhoog-Wienk [08 October 1958 - 18 September 2019], who you may know as marian0810. Rust in vrede (rest in peace), Marian.

This version is a maintenance and security release of the 3.2.x branch which fixes three security issues, introduces further hardening, and resolves various issues reported in previous versions.

Previous versions of phpBB did not properly enforce form tokens on two separate pages which could have been used to trick users into carrying out unwanted actions. We’d like to thank kevinoclam (via HackerOne) and Yuval Kanarenstein of SecuriTeam Secure Disclosure for their report and responsible disclosure. The issues have been assigned CVE-2019-16107 and CVE-2019-13376 respectively.
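
The form-token check that these two issues were about is a cross-site request forgery defence: a secret bound to the user's session is embedded in every state-changing form and verified before the action runs. The following PHP is an added illustration and not phpBB's own add_form_key()/check_form_key() code; the form name 'ucp_profile', the two-hour lifetime and the session layout are assumptions chosen for the example.

```php
<?php
// Added illustration (not phpBB's own code): a session-bound form token
// issued per form and verified before any state-changing action runs.

session_start();

// Issue a fresh token for a named form and remember when it was issued.
function issue_form_token(string $form_name): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$form_name] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Verify a submitted token: it must exist, be unexpired and match in
// constant time. The stored token is consumed either way, so a token
// can only be used once and a failed attempt cannot be retried.
function check_form_token(string $form_name, ?string $submitted, int $max_age = 7200): bool
{
    $stored = $_SESSION['form_tokens'][$form_name] ?? null;
    unset($_SESSION['form_tokens'][$form_name]);
    if ($stored === null || $submitted === null) {
        return false;
    }
    if (time() - $stored['issued'] > $max_age) {
        return false;
    }
    return hash_equals($stored['token'], $submitted);
}

// Handling the submission: refuse to act unless the token checks out.
// This runs before the page renders so a stale check cannot be skipped.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_form_token('ucp_profile', $_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token');
    }
    // ... apply the profile change here ...
}

// Rendering the form: embed the token as a hidden field.
$token = issue_form_token('ucp_profile');
echo '<form method="post">';
echo '<input type="hidden" name="form_token" value="'
    . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
echo '<button type="submit">Save</button></form>';
```

The important property is that every page which changes state performs the check, not just the ones that were written with it in mind; the two advisories above were cases where a page took an action without consulting the token at all.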
In addition to this, improper validation of BBCode parameters allowed modifying the style attribute and injecting arbitrary CSS into the page. We’d like to thank Hanno Böck for his report and responsible disclosure. The issue has been assigned CVE-2019-16108.
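
The CSS injection class of issue arises when a BBCode parameter is placed inside an HTML style attribute without being restricted to the values that parameter is meant to carry. The PHP below is an added illustration, not phpBB's or the s9e text formatter's code: a vulnerable renderer next to one that allow-lists a colour parameter and falls back to plain text when the value is rejected. Function names and the sample inputs are constructed for the example.

```php
<?php
// Added illustration (not phpBB's own code): allow-listing a BBCode
// parameter before it is interpolated into an HTML style attribute.

// Accept only a #hex colour or a short alphabetic colour name.
// Anything else (';', ':', quotes, 'url(' ...) is rejected outright.
function validate_color_param(string $value): ?string
{
    $value = trim($value);
    if (preg_match('/\A(?:#(?:[0-9a-f]{3}|[0-9a-f]{6})|[a-z]{1,20})\z/i', $value)) {
        return $value;
    }
    return null;
}

// Vulnerable pattern: the parameter goes into the attribute unvalidated,
// so a value containing ';' can append further CSS declarations.
function render_color_bbcode_unsafe(string $param, string $text): string
{
    $safe_text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return '<span style="color: ' . $param . '">' . $safe_text . '</span>';
}

// Hardened pattern: validate first, escape on output, and drop the
// styling entirely when the parameter does not look like a colour.
function render_color_bbcode(string $param, string $text): string
{
    $safe_text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $color = validate_color_param($param);
    if ($color === null) {
        return $safe_text;
    }
    $safe_color = htmlspecialchars($color, ENT_QUOTES, 'UTF-8');
    return '<span style="color: ' . $safe_color . '">' . $safe_text . '</span>';
}

// Constructed inputs: a benign value and one that smuggles an extra declaration.
$benign  = '#ff0000';
$hostile = 'red; background: yellow';

echo render_color_bbcode_unsafe($hostile, 'hi'), PHP_EOL;
// <span style="color: red; background: yellow">hi</span>  (extra CSS applied)
echo render_color_bbcode($hostile, 'hi'), PHP_EOL;
// hi                                                     (styling dropped)
echo render_color_bbcode($benign, 'hi'), PHP_EOL;
// <span style="color: #ff0000">hi</span>
```

Escaping alone is not enough here: htmlspecialchars() keeps the value inside the attribute, but it does nothing about CSS syntax, so the allow-list is what actually prevents additional declarations from being injected.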

For further hardening phpBB against potential attacks, we have integrated the Referrer-Policy header and disabled the MySQLi local infile setting. The Referrer-Policy header will prevent sending any kind of referrer information to less secure destinations or third party sites while disabling the MySQLi local infile setting will prevent MySQL servers from potentially requesting local files from the client side. These changes were introduced based on input received from Akash Methani and LoRexxar @ knownsec 404Team respectively.
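
Both hardening measures are a few lines each in the application bootstrap. The PHP below is an added illustration rather than phpBB's own code: the policy value strict-origin-when-cross-origin is an assumption (it sends the origin only to other sites and nothing at all on an HTTPS-to-HTTP downgrade), and the connection parameters are placeholders.

```php
<?php
// Added illustration (not phpBB's own code): emitting a Referrer-Policy
// header and opening a MySQLi connection with LOCAL INFILE disabled.

// 1. Referrer-Policy must be sent before any body output. The policy
//    string is an assumption; pick the one that matches your site.
function send_referrer_policy(string $policy = 'strict-origin-when-cross-origin'): void
{
    if (!headers_sent()) {
        header('Referrer-Policy: ' . $policy);
    }
}

// 2. Disable LOCAL INFILE on the client object *before* connecting.
//    With it enabled, a MySQL server can answer a query by asking the
//    client library to read a file from the web server and send it back.
function connect_without_local_infile(string $host, string $user, string $pass, string $db): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $link = mysqli_init();
    $link->options(MYSQLI_OPT_LOCAL_INFILE, 0);
    $link->real_connect($host, $user, $pass, $db);
    return $link;
}

send_referrer_policy();

// Placeholder credentials for the example.
$db = connect_without_local_infile('localhost', 'phpbb', 'secret', 'phpbb');
```

To confirm the settings on a deployed board, check the response headers from outside (for example with curl -sI and looking for the Referrer-Policy line) and, on the database side, run SHOW VARIABLES LIKE 'local_infile'; disabling it on the server as well as in the client gives defence in depth.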

The fixed issues include, among others, multiple issues with OAuth logins, improved login form token check that should now work in all templates, restoring the ability to restore database backups, and support for newer TLS versions for SMTP connections on the latest PHP versions.
Searching for users by their last visit time has been modified to prevent potentially unwanted results from showing up.

In order to help the support team in assessing issues in phpBB, we have now disabled the uninstallation of prosilver. Prosilver can however still be deactivated.

The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.8 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=15090

The packages can be downloaded from our downloads page.

The development team thanks everyone who contributed code to this release: 3D-I, Dark❶, Jakub Senko, mrgoldy, rxu, Christian Schnegelberger, EA117, kasimi, JoshyPHP, Casey Peel, Nekstati, Nuno Lopes, cclauss, espipj, kinerity

If you have any questions or comments, we'll be happy to address them in the discussion topic.

- The phpBB Team



Release Highlights

Improvements
  • Group helper methods - New group helper methods have been added that will allow easy access to e.g. get a group's avatar PHPBB3-15886
  • Add Referrer-Policy header - phpBB will now output the Referrer-Policy header by default PHPBB3-16101
Notable Changes
  • Deny prosilver uninstallation - It's no longer possible to uninstall prosilver from the ACP. It can however still be deactivated PHPBB3-16019
  • User search by last visit - The user search by last visit returned unexpected users PHPBB3-16124
Notable Bug Fixes
  • Support for newer TLS in SMTP - Enable use of newer TLS versions for sending mail via SMTP PHPBB3-15961
  • Login form token check - Restore ability to login from any page in phpBB and fix issues with banned users PHPBB3-16054 PHPBB3-16066
  • Inability to restore backups - An incorrect change in a previous release resulted in the inability to restore backups via the ACP PHPBB3-16048
  • OAuth login - Multiple issues with logging in from other pages and linking a user's account were resolved PHPBB3-16055 PHPBB3-13175 PHPBB3-16065
