Not Solved 1.8.21 Vulnerability
#1
https://github.com/mybb/mybb/commit/44fc...0e05355834

Can you confirm that all the vulns posted in the MyBB blog can be fixed by those commits?

How can you improve the upgrade experience for admins that simply want to keep their forums secure from exploits? May I please suggest that you label clearly security commits.

Not everyone is going to immediately do an upgrade. There are solid reasons to wait. One is that there could be bugs with the upgrade process. Another is that an upgrade might affect existing plugins. And for me it's about the fact I can't use the upgrade script at all anymore because my posts table is too large and it will timeout during the process and destroy my site.

So for those reasons can you please simplify the labeling of exploit patches?
#2
Hello, normally the meta commit for a version release contains the security patches for the version in question. It looks like the commit you linked contains them all but for your convenience I've attached them individually in this post.

I'll pass on your feedback to the others, though I believe such discussions have already been started internally.


Attached Files
  • 1820-editpost-xss.diff (Size: 1.06 KB / Downloads: 26)
  • 1820-nested-video-mycode-xss.diff (Size: 412 bytes / Downloads: 17)
  • 1820-orphaned-attachments-reflected-xss.diff (Size: 1.65 KB / Downloads: 23)
  • 1820-phar-deserialization-path-settings.diff (Size: 742 bytes / Downloads: 22)
  • 1820-theme-import-stylesheet-rce.diff (Size: 825 bytes / Downloads: 21)
  • 1820-Escape-pmfolders-before-update.diff (Size: 747 bytes / Downloads: 19)
#3
Those appear to be the same commits as the Github link I posted.
#4
(06-10-2019, 11:38 PM)labrocca Wrote: Those appear to be the same commits as the Github link I posted.

Correct, I simply attached the individual patches for convenience's sake.
#5
Is it possible to make a lite upgrade for boards over several m posts? They shouldn't be left behind due to size.
#6
You can easily download the security patches for any given recent release by following the below steps. This will yield the exact same .patch files that we use internally when building a release package.

  1. Open the page https://github.com/mybb/mybb/releases
  2. Find the release number you want - in this case mybb_1821: https://github.com/mybb/mybb/releases/tag/mybb_1821
  3. Download the build_X.zip file - in this case build_1821.zip: https://github.com/mybb/mybb/releases/do...d_1821.zip
  4. Extract the downloaded zip file
  5. All of the raw .patch files can be found in the input/patches folder
  6. You can easily apply these patches from the command line: https://www.cyberciti.biz/faq/appy-patch...h-command/

These patches should apply in the majority of cases, but if you have a highly customized board, you might find you have conflicts. In that case, there isn't really any option but to manually apply the patches by hand.
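The steps above, as an added shell example (not MyBB project code): it takes the extracted input/patches folder and dry-runs each .patch against the forum root before applying it, so a patch that conflicts with a customised board is reported for manual handling instead of being half-applied. It assumes GNU patch and that the patches are unified diffs with a/ and b/ path prefixes (hence -p1); the sample tree and patches it builds are constructed for illustration only.

```shell
# Added example, not MyBB's own tooling. Assumes GNU patch and unified
# diffs carrying a/ b/ prefixes (so -p1); check with `head` if unsure.

# apply_mybb_patches FORUM_ROOT PATCH_DIR
# Returns 0 if every patch applied, 1 if at least one was skipped.
apply_mybb_patches() {
    forum_root="$1"
    patch_dir=$(cd "$2" && pwd)   # absolute, since we cd into the forum
    failed=0
    for p in "$patch_dir"/*.patch; do
        [ -f "$p" ] || continue
        # --dry-run changes nothing; a non-zero exit means a hunk would not
        # apply (a customised file, or a patch that is already in place).
        if (cd "$forum_root" && patch -p1 -f --dry-run -i "$p" >/dev/null 2>&1); then
            (cd "$forum_root" && patch -p1 -f -i "$p" >/dev/null)
            echo "applied:  $(basename "$p")"
        else
            echo "CONFLICT (apply by hand): $(basename "$p")" >&2
            failed=1
        fi
    done
    return $failed
}

# Constructed sample: one clean patch, one that conflicts with a customisation.
make_sample_tree() {
    mkdir -p "$1/forum/inc" "$1/patches"
    cat > "$1/forum/inc/sample.php" <<'EOF'
<?php
$folders = $mybb->input['folders'];
update_folders($folders);
EOF
    cat > "$1/patches/0001-escape-folders.patch" <<'EOF'
--- a/inc/sample.php
+++ b/inc/sample.php
@@ -1,3 +1,3 @@
 <?php
-$folders = $mybb->input['folders'];
+$folders = $db->escape_string($mybb->input['folders']);
 update_folders($folders);
EOF
    cat > "$1/patches/0002-conflicting.patch" <<'EOF'
--- a/inc/sample.php
+++ b/inc/sample.php
@@ -2,1 +2,1 @@
-$customised_line = true;
+$customised_line = false;
EOF
}
```

Run it as `make_sample_tree /tmp/demo && apply_mybb_patches /tmp/demo/forum /tmp/demo/patches` to see the first patch applied and the second reported as a conflict; on a real board point it at the forum root and the extracted input/patches folder.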
#7
Solid post Euan. I'll bookmark this and try to keep it in mind.
#8
(06-11-2019, 04:29 PM)labrocca Wrote: Solid post Euan. I'll bookmark this and try to keep it in mind.
We should probably make a docs page for it too, I'll do that after dinner. I'm not quite sure where it would fit best in the docs, perhaps under the standard upgrade instructions?
#9
Quote: perhaps under the standard upgrade instructions?

Yes, even with anchor text like "Security Patches Only Instructions" would be okay.
#10
Ok, I'll sort that momentarily. Thanks.