MyBB Community Forums

Full Version: 1.8.21 Vulnerability
https://github.com/mybb/mybb/commit/44fc...0e05355834

Can you confirm that all the vulns posted in the MyBB blog can be fixed by those commits?

How can you improve the upgrade experience for admins that simply want to keep their forums secure from exploits? May I please suggest that you clearly label security commits.

Not everyone is going to immediately do an upgrade. There are solid reasons to wait. One is that there could be bugs with the upgrade process. Another is that an upgrade might affect existing plugins. And for me it's about the fact I can't use the upgrade script at all anymore because my posts table is too large and it will time out during the process and destroy my site.

So for those reasons can you please simplify the labeling of exploit patches?
Hello, normally the meta commit for a version release contains the security patches for the version in question. It looks like the commit you linked contains them all but for your convenience I've attached them individually in this post.

I'll pass on your feedback to the others, though I believe such discussions have already been started internally.
Those appear to be the same commits as the GitHub link I posted.
(2019-06-10, 11:38 PM)labrocca Wrote: Those appear to be the same commits as the GitHub link I posted.

Correct, I simply attached the individual patches for convenience's sake.
Is it possible to make a lite upgrade for boards over several m posts? They shouldn't be left behind due to size.
You can easily download the security patches for any given recent release by following the below steps. This will yield the exact same .patch files that we use internally when building a release package.

  1. Open the page https://github.com/mybb/mybb/releases
  2. Find the release number you want - in this case mybb_1821: https://github.com/mybb/mybb/releases/tag/mybb_1821
  3. Download the build_X.zip file - in this case build_1821.zip: https://github.com/mybb/mybb/releases/do...d_1821.zip
  4. Extract the downloaded zip file
  5. All of the raw .patch files can be found in the input/patches folder
  6. You can easily apply these patches from the command line: https://www.cyberciti.biz/faq/appy-patch...h-command/

These patches should apply in the majority of cases, but if you have a highly customized board, you might find you have conflicts. In that case, there isn't really any option but to manually apply the patches by hand.
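Steps 5 and 6 above as a script, added here as an example (it is not part of the original post and not MyBB's own tooling): every patch is rehearsed on a scratch copy of the board first, so a customized board with conflicts is left untouched. The function name is hypothetical, and it assumes GNU patch and git-style patches with `a/` and `b/` path prefixes (hence `-p1`).

```shell
#!/bin/sh
# apply_security_patches BOARD_ROOT PATCH_DIR   (hypothetical helper)
#   BOARD_ROOT: the directory MyBB is installed in
#   PATCH_DIR:  the input/patches folder from the extracted build zip
# Returns 0 if every patch applied, 1 on a conflict, 2 on bad arguments.
apply_security_patches() {
    board_root=$1
    patch_dir=$2
    [ -d "$board_root" ] || { echo "board root not found: $board_root" >&2; return 2; }

    # The glob expands in sorted order, so numbered patches keep their sequence.
    set -- "$patch_dir"/*.patch
    [ -e "$1" ] || { echo "no .patch files in $patch_dir" >&2; return 2; }

    # Rehearse on a scratch copy, applying the patches in sequence so that
    # later patches see the changes made by earlier ones.
    scratch=$(mktemp -d) || return 2
    cp -R "$board_root/." "$scratch/"
    for p in "$@"; do
        # -f: never prompt and never assume a patch is reversed
        # -p1 (assumption): strip the leading a/ or b/ path component
        if ! patch -f -p1 -d "$scratch" < "$p" >/dev/null 2>&1; then
            echo "does not apply cleanly, board left untouched: $p" >&2
            rm -rf "$scratch"
            return 1
        fi
    done
    rm -rf "$scratch"

    # The rehearsal succeeded, so apply the same sequence to the real board.
    for p in "$@"; do
        patch -f -p1 -d "$board_root" < "$p" >/dev/null || return 1
    done
}
```

Run it against a backup or staging copy of the board first; a return value of 1 means at least one patch has to be merged by hand.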
Solid post Euan. I'll bookmark this and try to keep it in mind.
(2019-06-11, 04:29 PM)labrocca Wrote: Solid post Euan. I'll bookmark this and try to keep it in mind.
We should probably make a docs page for it too, I'll do that after dinner. I'm not quite sure where it would fit best in the docs, perhaps under the standard upgrade instructions?
Quote: perhaps under the standard upgrade instructions?

Yes, even with anchor text like "Security Patches Only Instructions" would be okay.
Ok, I'll sort that momentarily. Thanks.