Acyd Burn wrote: We have now updated all archives (for 2.0.7) as made available on the download page here. Therefore all new installations and upgrades will be immune.
The current system appears to be that whenever there's a slight security patch, you name the file as 2.0.7a (or whichever patch it is) and then modify the existing phpBB-2.0.7.tar.gz archive. However, after downloading what I thought was 2.0.7a today, I checked the files to ensure they were patched. I had downloaded the original 2.0.7 and not 2.0.7a.
After checking some of the Sourceforge mirrors, Aleron gave me 2.0.7a, while others like easynews gave me the original 2.0.7. The downloads page talks about downloading 2.0.7a; however, I got the unpatched 2.0.7. If I hadn't checked the source code after downloading, I'd still be running the unpatched version, which has a possible SQL injection problem.
How many other people have downloaded what they thought was 2.0.7a but got the original 2.0.7 due to Sourceforge mirrors not all being updated? There could be quite a few forum admins out there who believe they're running 2.0.7a but they're not.
Wouldn't it be a better idea to actually name the patched tarballs after their new name? Call the new file phpBB-2.0.7a.tar.gz instead. Someone might get a 404 error if all download mirrors haven't updated; however, it's better than having someone running a potentially old version.