We are pleased to announce the release of phpBB 3.2.9 "The Rise of Bertie". This version is a maintenance and security release of the 3.2.x branch which fixes two minor security issues, introduces further hardening, and resolves various issues reported in previous versions.
Previous versions of phpBB did not properly enforce form tokens on changing group avatars and handling pending group memberships which could have been used to trick users into carrying out unwanted actions. Both of these issues have been found as part of an internal code audit prior to the release of phpBB 3.3. The issues have been assigned CVE-2020-5501 and CVE-2020-5502 respectively.
The fixed issues include, among others, multiple issues with default Nginx and Sphinx configuration files supplied in the phpBB package as well as an issue with calculating the chunk size while using plupload. In addition to that, the fallback on invalid styles data has been improved and emoji support has been added to forum names and topic titles.
As phpBB 3.3 provides a clear update path with minimal breaking changes, phpBB 3.2 will directly enter a reduced maintenance mode during which it will only receive changes for major issues as well as any security issues. The timetable for maintenance and security fixes is as follows:
- End of Maintenance (EOM): April 6th, 2020
- End of Life (EOL): July 6th, 2020
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.9 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=15193
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: 3D-I, Jakub Senko, mrgoldy, EA117, Alfredo Ramos, JoshyPHP, kasimi, rxu, DSR!, oxcom, stevendegroote, KYPREO, v12mike, Matt Friedman
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Release Highlights
Improvements
- Improved fallback on invalid styles data - More fallbacks for when a user has an invalid style configured have been added PHPBB3-16144
- Extended emoji support - More parts of phpBB now support emojis PHPBB3-16151 PHPBB3-16153 PHPBB3-16203
- Improper chunk size calculation during upload - Some conbinations of phpBB and PHP configurations resulted in invalid chunk sizes for plupload PHPBB3-16141
- Issues with default config files - Resolved multiple issues with sample config files for nginx and sphinx search PHPBB3-16242 PHPBB3-16258 PHPBB3-16209