To all phpBB developer - where is the announce Mailinglist

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Saubloed
Registered User
Posts: 42
Joined: Fri Aug 24, 2001 2:56 pm
Location: Germany

Post by Saubloed »

psoTFX wrote there: http://www.phpbb.com/phpBB/viewtopic.php?t=161943
Remember to always check this forum (and the downloads page) when you come across a "new" vulnerability or other issue. Please ensure you update accordingly. In doing so you are protecting yourself from all known issues and saving us time in fielding questions we've already answered.


I really want to write all the bad words that I know as a reply!
But I think that won't help.

Ok - here is the way if someone wants to be informed:
- first, no one wants to check the forum or the news, so you search for a mailing list
- at phpbb.com: nothing
- at sourceforge.net: nice, there is one:
http://sourceforge.net/mail/?group_id=7885
but there are only two test messages from 2000!
- if you are lucky you find the monitor link on the main page (the letter icon)
http://sourceforge.net/projects/phpbb/

Ok, but I think only 1% know this.
Also it is very interesting that you can "fake" the release date at the sourceforge project summary: November 23, 2003!

But one other, worse problem is: most people just check the version and see - 2.06 - and think - yeah! I have the newest.
Someone added the extension c to the newest version - I hope that would appear at the bottom of each page if I installed it.


Some time ago I requested a news-mod.
http://www.phpbb.com/phpBB/viewtopic.ph ... highlight=
But it requires allow_url_fopen on, and if someone also has register_globals on it is the worst security hole ever.


Ok, I will also add why I am so angry:
First:
I am an administrator (of a little server) and I know that I have to update all forums (5 or so) on my server myself because no one cares for security updates. I know that this is a problem everywhere because I have already sent a lot of emails to other forum administrators because their forums are insecure.
Second:
http://www.google.com/search?q=Powered+by+phpBB
-> about 1,960,000 hits
Most people do not update, so there are at least 10% insecure (ok, I really think 40% or more - I estimate half a million).
There are at least 3 linux local user->root security holes from the last few months.
Ok, have a nice day.
Sorry for my bad English.
dhn
Former Team Member
Posts: 4999
Joined: Wed Jul 04, 2001 8:10 am
Location: Internet
Name: Dominik Dröscher

Post by dhn »

We have something in mind for the 2.2 release to improve communication. Stay tuned.
Saubloed
Registered User
Posts: 42
Joined: Fri Aug 24, 2001 2:56 pm
Location: Germany

Post by Saubloed »

Ok, that can also be a joke: :(
http://www.phpbb.com/bugs/bug.php?op=sh ... 1262&pos=0

Debug is on by default because:
Yes, this is intended to be set to on, to better serve the numerous support people. :)


Nice. That makes it really easy to use security holes. Sorry, I can't write examples because some nice guys will delete everything I wrote.
psoTFX
Former Team Member
Posts: 7425
Joined: Tue Jul 03, 2001 8:50 pm

Post by psoTFX »

dhn was a lot more pleasant in reply than I'm going to be ...

Shall I tell you why I'm angry? I'm angry because people do not take any responsibility for the software they use. When something goes wrong it's always someone else's fault. If that's the way people want to operate, fine, but they should go offline now because without any doubt they are or will cause harm to others through lack of awareness of vulnerabilities in the very software they use.

We've stated, more than once, that those wishing to be notified of new releases should monitor the package @ SF. It's not rocket science and I would expect anyone administering any piece of software to discover where, how, when, etc. support and related issues are discussed.

As dhn notes, it is something that I've wanted to better address for a while. Hopefully by the time 2.2.0 becomes available a better solution will be available. However, I will guarantee that even then people will whine and moan that they weren't informed. It's just the nature of these things.
Saubloed
Registered User
Posts: 42
Joined: Fri Aug 24, 2001 2:56 pm
Location: Germany

Post by Saubloed »

Ok, thank you very much for taking me seriously.

Those linux local root exploits make me crazy when I know that some of my users do not take security holes seriously.