phpBB 2.0.9 released

Read me first before posting anywhere!
Subscribe to the feed, available in Image Atom or Image RSS format.
Anti-Spam Guide
Acyd Burn
Consultant
Consultant
Posts: 5830
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

phpBB 2.0.9 released

Post by Acyd Burn »

phpBB Group are pleased to announce the release of phpBB 2.0.9 the "we should really be spending time on 2.2" Edition. This release had been made to fix a number of security related issues and some bugs. Work continues on 2.2.0 and again we do not plan on further releases of 2.0.x except where critical issues arise. Note that we do not intend dropping support for 2.0.x even after 2.2 is released.

As with previous releases three different packages are available:
  • Full Package
    Contains entire phpBB2 source and English language package
  • Changed Files Only
    Contains only those files changed from previous versions of phpBB. Please note this archive contains changed files for each previous release
  • Patch Files
    Contains patch compatible patches from the previous versions of phpBB.
Select whichever package is most suitable for you.

Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation or updates!.

Note to 2.0.3 users intending to use the patch file version

Users of 2.0.3 intending to use the patch version may (but not necessarily will) need to run fixfiles.sh (found in the contrib/ directory with the downloaded archive) before patching.

We recommend that all 2.0.3 users do a "dry run" patch first to see whether this you need to use this fix. To do this append --dry-run to the patch command, e.g. patch -cl -p1 --dry-run < phpBB-2.0.3_to_2.0.9.patch. This will prevent any permanent changes being made to your installation. If you experience numerous (literally dozens and dozens) of hunk failed messages this applies to you.

To correct this problem go to your phpBB root directory, copy the fixfiles.sh to this location, chmod u+x fixfiles.sh and type ./fixfiles.sh. This will strip windows style carriage returns present in the 2.0.3 source.

What has changed in this release?

This changelog is included with all archives:
  • Fixed one vulnerability in admin_board.php - Xore
  • Added checking for proper session id characters to sessions and viewtopic to prevent injections - Bartlomiej Korupczynski
  • Fixed injection vulnerabilities possible with linked avatars
  • Implemented unsetting globalised variables
  • Limited confirm switch to POST variable in posting
  • Changed IP code in common.php to prevent IP spoofing
  • Updated visual confirmation mod [pre-edited files]
  • Moved obtaining word censors in modcp out of topic generation loop [increased performance/lower query count] - spotted by R45
  • Added the ability to link to https/ftps sites using the img bbcode tag
  • Fixed user online information in admin/index.php
  • Fixed getting group moderator in groupcp.php if running oracle backend - spotted by pakman
  • Fixed use of non-existing result variable in modcp (poster_id instead of user_id)
  • Fixed several vulnerabilities (XSS, SQL Injection and path disclosure) only possible with register_globals enabled - Matthew C. Kavanagh, Janek Vind
  • Fixed problem with SID not delivered to next page in groupcp.php
As with previous versions the visual confirmation and the template caching Mods are included in the contrib directory.

We urge all users to update promptly to this new release.
If you are still having troubles on reading the documentation provided, please refer to the Support Forum and use the Support Request Template.


For those with a lot of Mods installed a Code Changes Mod will be available very soon.

Return to “Announcements”