How can I download 4.3.6 security update? I got the notification in ACP but when i try to download i only get 4.4.1. Thanks

4.3.6 is no longer available, and the security patches are bundled in to 4.4.1

Hello...

Directly installed 4.4.1 or update first to 4.4.0 and then patch with 4.4.1.?

I understand that the possible vulnerability is present in the commerce module. ???

Go directly to 4.4.1 when you're ready.  

Remember to take a backup, disable all third-party applications and plugins, and disable your custom theme.  

 

Go directly to 4.4.1 when you're ready.  

Remember to take a backup, disable all third-party applications and plugins, and disable your custom theme.  

 

What was the critical security issue?

@giovanny castroYou can refer to the Release Notes for more information about each release.  IPS doesn't disclose details about the security fixes.  

https://invisioncommunity.com/release-notes/

 

4.3.6 is no longer available, and the security patches are bundled in to 4.4.1

It says 4.3.6 released yesterday and I can't download the patch? So only way to protect from security issue is to go 4.4.1 while people are not yet ready for 4.4.1?  Before IPS used to support old versions for certain period of time. Now even for active license holders, it's screw you or upgrade, policy? 

What's so hard about providing security patch separately like old days in separate zip file? I am not asking to support 4.3.5, 4.3,4, etc. Just last final release i.e. 4.3.6 before current major version? @bfarber

 

 

 

Now even for active license holders, it's screw you or upgrade, policy? 

Yes. This is what I have been said in support ticket. If you have an issue with 4.3.6 then you must upgrade to the latest version to get support.

I can understand that they want to bundle their efforts into development of the new version. But I am also unhappy not to be able to upgrade right now (not ready for 4.4 yet) and not getting support for the current version.

 

You do not need to update to 4.4.x in order to obtain the security fix - we explicitly released a 4.3.6 patch to address anyone unprepared to upgrade.

You should be able to run the support tool, which will point out the patch and allow you to apply it. If you have any trouble, please feel free to submit a ticket and we will assist.

 

In short - there is a patch available for 4.3.x. You are not being forced to upgrade to 4.4.x at this time for this specific issue.

Thanks @bfarber. @newbie LAC linked helped me to update our site. Joel's response got me worried but all good now. :)  Thank you

 I was able to clarify with IPS that they do sometimes offer a patch in the last version without needing to upgrade to 4.4 since it's such a big upgrade.  Just seeing if you were awake 😁.

 

@giovanny castroYou can refer to the Release Notes for more information about each release.  IPS doesn't disclose details about the security fixes.  

https://invisioncommunity.com/release-notes/

Doesn't really go into specifics on the potential exploit, Can you highlight it for me? 

 

You do not need to update to 4.4.x in order to obtain the security fix - we explicitly released a 4.3.6 patch to address anyone unprepared to upgrade.

You should be able to run the support tool, which will point out the patch and allow you to apply it. If you have any trouble, please feel free to submit a ticket and we will assist.

 

In short - there is a patch available for 4.3.x. You are not being forced to upgrade to 4.4.x at this time for this specific issue.

Hello bfarber, can you also please confirm that the new push-upgrade for 4.4.1 is the same ? I applied the patch to my 4.3.6 after the alert in admin panel, so I don't need to apply furthermore the 4.4.1, right?

(not that I don't want to go on 4.4, but I have to wait for my theme to be updated by its author! )

4.4.1 contains bug fixes for 4.4.0, as well as the same Commerce patch. If you applied the Commerce patch to your 4.3.6 installation, you do not need to upgrade to 4.4.x, correct.

IPB won... upgraded to 4.4.1... could  not find options to just put the patch. lol.

Me neither and at this moment there will not be upgraded from 4.3.6 yet.

Just curious also if the bug I found in Commerce was also fixed in 4.4.1.

There was talk of putting the patch up for client download in the client area, but I'm not sure if that was done. Worst case scenario, if you submit a ticket and request the 4.3.6 patch we will gladly supply it.