MyBB Community Forums

Full Version: Security Patch Releases
On each update, if there are security issues, MyBB only provides us with a list of the reported exploits that were fixed. It does not say which files or what code were actually fixed. I think this presents a problem for some of us with very customized forums which are not so easy to upgrade, even in a minor version. We'd still love to patch security exploits, but even on GitHub, with the issues marked as fixed, none of those appear to be the security fixes.

https://github.com/mybb/mybb/issues?q=is...e%3A1.8.15

I'm not sure what the best way to go about this is, but I'd guess that you label these as security, though maybe they are private on the GitHub site. Can you make them public once they are fixed in a release? Not only will it assist admins who want to manually patch exploits, but it also may allow the community to find similar exploits for patching.

Please seriously consider how you guys approach your security fixes. It is not done openly at this point.
There are indeed many improvements to be made, most of which depend on code structure (e.g. with database migrations users will be able to update MyBB using the repository without waiting for an upgrade script to be released).

Security patches are currently being applied through git patch files exchanged on the Forums using the build script: https://github.com/mybb/mybb-build (we'll create a Blog post on that soon) - I've attached the build_1815.zip package to https://github.com/mybb/mybb/releases/tag/mybb_1815 which contains its input and output, including the patch files - you can find those in input/patches/.

We'll likely use some more accessible solution for releasing security fixes once it becomes available (e.g. GitHub doesn't allow non-public branches or Issues; GitLab does, but moving there now might not be the best solution).
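As an added illustration (not MyBB project code and not part of this thread): the patch files in input/patches/ are git-format unified diffs, so an admin with a customized install can find out which files and lines a security fix touches, and whether each hunk still applies to locally modified files, before changing anything. `git apply --check` does this for a git checkout; the script below performs the same dry run in plain Python for installs that are not git repositories, reporting per hunk whether it applies cleanly, applies at a line offset (local additions elsewhere in the file), or conflicts (the fixed line itself was customized and must be ported by hand). The patch text, file path and PHP lines are constructed samples and do not reproduce any real MyBB fix.

```python
"""Dry-run a git-format patch against a customized install (added example, not MyBB code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


@dataclass
class Hunk:
    old_start: int  # 1-based line number in the unpatched file
    old_count: int
    new_start: int
    new_count: int
    lines: List[Tuple[str, str]] = field(default_factory=list)  # (prefix, text)

    def old_side(self) -> List[str]:
        """Lines the hunk expects to find on disk (context + removed)."""
        return [t for p, t in self.lines if p in " -"]

    def new_side(self) -> List[str]:
        """Lines that replace them (context + added)."""
        return [t for p, t in self.lines if p in " +"]


@dataclass
class FilePatch:
    path: str
    hunks: List[Hunk] = field(default_factory=list)


def parse_patch(text: str) -> List[FilePatch]:
    """Split a git patch file into per-file hunk lists."""
    files: List[FilePatch] = []
    current: Optional[FilePatch] = None
    hunk: Optional[Hunk] = None
    remaining_old = remaining_new = 0
    for line in text.splitlines():
        if hunk is not None and (remaining_old > 0 or remaining_new > 0):
            # Inside a hunk body: consume exactly the line counts from the @@ header,
            # so a removed line that itself begins with "--" is never taken for a header.
            if line.startswith("\\"):  # "\ No newline at end of file" marker
                continue
            prefix, body = (line[0], line[1:]) if line else (" ", "")
            hunk.lines.append((prefix, body))
            remaining_old -= prefix in " -"
            remaining_new -= prefix in " +"
            continue
        if line.startswith("diff --git "):
            # "diff --git a/<path> b/<path>": the b/ side is the file to patch
            current = FilePatch(line.split()[-1][2:])
            files.append(current)
        elif line.startswith("@@"):
            m = HUNK_RE.match(line)
            if not m or current is None:
                raise ValueError(f"malformed hunk header: {line!r}")
            hunk = Hunk(int(m.group(1)), int(m.group(2) or 1),
                        int(m.group(3)), int(m.group(4) or 1))
            remaining_old, remaining_new = hunk.old_count, hunk.new_count
            current.hunks.append(hunk)
        # "index", "---" and "+++" header lines carry nothing needed here
    return files


def locate(file_lines: List[str], needle: List[str], expected: int) -> Optional[int]:
    """Find `needle` as a contiguous run, trying the expected 0-based position first,
    then every other position (patch(1)-style offset search, no fuzz)."""
    n = len(needle)
    if n == 0:
        return expected
    positions = [expected] + [i for i in range(len(file_lines) - n + 1) if i != expected]
    for i in positions:
        if 0 <= i <= len(file_lines) - n and file_lines[i:i + n] == needle:
            return i
    return None


def dry_run(content: str, fp: FilePatch):
    """Apply fp's hunks to `content` in memory.
    Returns (patched_text or None on conflict, [(hunk_no, status, offset), ...])."""
    lines = content.splitlines()
    report, delta, ok = [], 0, True
    for no, h in enumerate(fp.hunks, 1):
        expected = h.old_start - 1 + delta  # shift by lines earlier hunks added/removed
        pos = locate(lines, h.old_side(), expected)
        if pos is None:
            report.append((no, "conflict", 0))
            ok = False
            continue
        offset = pos - expected
        report.append((no, "clean" if offset == 0 else "offset", offset))
        lines[pos:pos + len(h.old_side())] = h.new_side()
        delta += h.new_count - h.old_count
    return ("\n".join(lines) + "\n") if ok else None, report


def check_install(files_on_disk: Dict[str, str], patch_text: str) -> Dict[str, list]:
    """Dry-run every file the patch touches; a file absent from the install is reported too."""
    result = {}
    for fp in parse_patch(patch_text):
        if fp.path not in files_on_disk:
            result[fp.path] = [(no, "missing-file", 0) for no in range(1, len(fp.hunks) + 1)]
            continue
        result[fp.path] = dry_run(files_on_disk[fp.path], fp)[1]
    return result


# Constructed sample patch: a hypothetical file and fix, not a real MyBB change.
CONSTRUCTED_PATCH = """\
diff --git a/inc/example_constructed.php b/inc/example_constructed.php
index 1111111..2222222 100644
--- a/inc/example_constructed.php
+++ b/inc/example_constructed.php
@@ -5,3 +5,3 @@
 $tid = (int)$mybb->input['tid'];
-$title = $mybb->input['title'];
+$title = htmlspecialchars_uni($mybb->input['title']);
 $query = $db->simple_select("threads", "*", "tid=".$tid);
"""

# Constructed on-disk variants of that file.
PRISTINE = """\
<?php
// constructed sample file, not MyBB code
require_once "./global.php";

$tid = (int)$mybb->input['tid'];
$title = $mybb->input['title'];
$query = $db->simple_select("threads", "*", "tid=".$tid);
echo $title;
"""
# Site added two lines above the patched region: hunk applies at an offset.
CUSTOMIZED_SHIFTED = PRISTINE.replace(
    'require_once "./global.php";\n',
    'require_once "./global.php";\nrequire_once "./inc/plugins/site_theme_constructed.php";\n$site_flag = true;\n')
# Site edited the very line the fix replaces: hunk conflicts and must be ported by hand.
CUSTOMIZED_CONFLICT = PRISTINE.replace(
    "$title = $mybb->input['title'];", "$title = trim($mybb->input['title']);")

if __name__ == "__main__":
    for label, content in (("pristine", PRISTINE), ("shifted", CUSTOMIZED_SHIFTED),
                           ("conflict", CUSTOMIZED_CONFLICT)):
        print(label, check_install({"inc/example_constructed.php": content}, CONSTRUCTED_PATCH))
```

Run against a real install by reading each path named in the patch from the webroot into the `files_on_disk` dictionary; a `conflict` result tells you exactly which hunk to port manually, while `offset` hunks can be applied with `dry_run` and written back.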
Thank you for attaching that build package. Very helpful. Any chance you can add that for past releases? For me in particular, from 1.8.12. I have done my best to manually update files, but it's cumbersome how I do it now. Having those patch files is a huge help.

I did most of the important changes manually to 1.8.13 and 1.8.14 but I may have missed some.

The MyBB upgrade process was awesome 10 years ago. Not sure much anymore. Technology has moved into even easier methods.
Note that security patches can also be found in commits such as this one: https://github.com/mybb/mybb/commit/a607...8bafef038c

(the commit's subject is usually the release number)

The three links below are those commits for 1.8.14, 1.8.13 and 1.8.12:

- 1.8.14: https://github.com/mybb/mybb/commit/020f...f678726d16
- 1.8.13: https://github.com/mybb/mybb/commit/efce...c5a3631a35
- 1.8.12: https://github.com/mybb/mybb/commit/3308...745b07cb69

We will attach the build packages for future releases, but I can't guarantee we'll go back and do old releases - it depends on whether the actual packages are still floating around or whether they'd need to be recreated for each release.
Quote: We will attach the build packages for future releases

Please include a link to them in blog posts.
Pretty sure we can manage that. We'll need to update our documentation on release procedures to include it as a step.