phpBB 2.0.12 released

Read me first before posting anywhere!
Subscribe to the feed, available in Image Atom or Image RSS format.
Scam Warning

phpBB 2.0.12 released

Postby psoTFX » Mon Feb 21, 2005 9:17 pm

phpBB Group are pleased to announce the release of phpBB 2.0.12 the "Horray for Furrywood" release. This release addresses a number of bugs and a couple of potential exploits. It also adds a new feature in the form of an ACP based version checker (maintainers of language packages please take note of the need for the additional localised string!).

Please note, the exploits of which we've been notified and which are addressed in 2.0.12 are in absolutely no way to blame for the loss of www.phpbb.com which we are still extremely confident was the fault of an outdated awstats and kernel.

However one of the potential exploits addressed in this release could be serious in certain situations and thus we urge all users, as always, to upgrade to this release as soon as possible. Mostly this release is concerned with eliminating disclosures of information which while useful in debug situations may allow third parties to gain information which could be used to do harm via unknown or unfixed exploits in this or other applications.

As with previous releases three different packages are available:
  • Full Package
    Contains entire phpBB2 source and English language package
  • Changed Files Only
    Contains only those files changed from previous versions of phpBB. Please note this archive contains changed files for each previous release
  • Patch Files
    Contains patch compatible patches from the previous versions of phpBB.
Select whichever package is most suitable for you.

Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation or updates!.

Note to 2.0.3 users intending to use the patch file version

Users of 2.0.3 intending to use the patch version may (but not necessarily will) need to run fixfiles.sh (found in the contrib/ directory with the downloaded archive) before patching.

We recommend that all 2.0.3 users do a "dry run" patch first to see whether this you need to use this fix. To do this append --dry-run to the patch command, e.g. patch -cl -p1 --dry-run < phpBB-2.0.3_to_2.0.12.patch. This will prevent any permanent changes being made to your installation. If you experience numerous (literally dozens and dozens) of hunk failed messages this applies to you.

To correct this problem go to your phpBB root directory, copy the fixfiles.sh to this location, chmod u+x fixfiles.sh and type ./fixfiles.sh. This will strip windows style carriage returns present in the 2.0.3 source

What has changed in this release?

The changelog (contained within this release) is as follows:

  • Added confirm table to admin_db_utilities.php
  • Prevented full path display on critical messages
  • Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug - AnthraX101
  • Added exclude list to unsetting globals (if register_globals is on) - SpoofedExistence
  • Fixed arbitrary file disclosure vulnerability in avatar handling functions - AnthraX101
  • Fixed arbitrary file unlink vulnerability in avatar handling functions -AnthraX101
  • Removed version number from powered by line
  • Merged database update files to update_to_latest.php file
  • Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
  • Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - matrix_killer
User avatar
psoTFX
Former Team Member
 
Posts: 7425
Joined: Tue Jul 03, 2001 8:50 pm

Postby Acyd Burn » Mon Feb 21, 2005 10:28 pm

As always, our Code Changes Tutorial will be available too for those with heavily modded boards.

It can be downloaded from this topic.
User avatar
Acyd Burn
Consultant
 
Posts: 5831
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen


Return to Announcements

Who is online

Users browsing this forum: No registered users and 11 guests