FUDforum: FUDforum Announcements » FUDforum 2.7.0 Released

Home » FUDforum » FUDforum Announcements » FUDforum 2.7.0 Released

Show: Today's Messages :: Polls :: Message Navigator

FUDforum 2.7.0 Released [message #26956]

Tue, 23 August 2005 13:50

Ilia

Messages: 13241
Registered: January 2002

Karma: 0

Senior Member
Administrator
Core Developer

After a fairly short incubation period, 2.7.0 final is now available for download.

!!!!!!!!!!!!!!!!
The release was made a bit faster then anticipated in response to a rather serious security problem found in the uploaded avatar handling code. All who use FUDforum and allow forum members to upload custom avatars are encouraged to upgrade immediately.
!!!!!!!!!!!!!!!!

The details of the exploit are not being released at this time, but believe me when I say that the problem is quite serious and you should most definitely upgrade if you use the uploaded avatar functionality.

Aside from the fix for the security problem, this release integrates a number of other changes and improvements.

Changes:

Fixed a number of edge cases where E_NOTICE warnings may be generated.
Unify SQL error handling.
A number of PostgreSQL fixes and computability changes for older PostgreSQL releases.
Fixed topic view skip in upgrade script.
Fixed per-topic show unread and today's posts links.
Added view building validation.
Datadump import fixes for PostgreSQL.
Added support for [ hr ] tag to FUDcode.
Added handlers for situations where mbstring function overload is enabled.
Allow database settings to remain strings, even when they are numbers.

FUDforum Core Developer

[Updated on: Tue, 30 August 2005 13:35]

Report message to a moderator

Re: FUDforum 2.7.0 Released [message #26957 is a reply to message #26956]

Tue, 23 August 2005 14:09

JamesS

Messages: 275
Registered: July 2002
Location: Atlanta, GA

Karma: 0

Senior Member

Will disabling custom avatar uploading prevent the exploit? Also, will disabling custom avatar uploading disable any avatars that have already been uploaded? I will be installing 2.7.0 ASAP but if I can get by for a little while by working around the problem without impacting current uploads I would like to do so.

Report message to a moderator

Re: FUDforum 2.7.0 Released [message #26958 is a reply to message #26957]

Tue, 23 August 2005 14:11

Ilia

Messages: 13241
Registered: January 2002

Karma: 0

Senior Member
Administrator
Core Developer

You don't need to disable custom avatars all together, simply disabling UPLOADing of avatars will solve the problem for older versions of the forum.

Existing uploaded avatars will not be affected by the disabling process.

FUDforum Core Developer

Report message to a moderator

Re: FUDforum 2.7.0 Released [message #26960 is a reply to message #26956]

Tue, 23 August 2005 14:13

JamesS

Messages: 275
Registered: July 2002
Location: Atlanta, GA

Karma: 0

Senior Member

Thanks.

Report message to a moderator

Re: FUDforum 2.7.0 Released [message #26971 is a reply to message #26956]

Tue, 23 August 2005 19:19

scoates

Messages: 1
Registered: August 2005

Karma: 0

Junior Member

I upgraded to FUDForum 2.7.0, this morning.

I'm running MySQL 3.23 (yeah, I know -- old).

There's a bug in the SQL for MySQL this old. I've already spoken to Ilia about this, and he's on the case.

Just a friendly warning.

S

Report message to a moderator