sadams101 (posted February 16, 2021): Does the warning in my ACP regarding the Pages vulnerability include Invision Community v4.4.10, or just 4.5? Also, am I on the latest version of 4.4 (Invision Community v4.4.10)?
Kyle F (posted February 17, 2021):
> 4 hours ago, sadams101 said: Does the warning in my ACP regarding the Pages vulnerability include Invision Community v4.4.10, or just 4.5? Also, am I on the latest version of 4.4 (Invision Community v4.4.10)?
You'll have to completely update to 4.5's latest version to remove the notifications and apply the patches, unfortunately. I'm on 4.4.10 too; I cannot update until I've upgraded my forum theme with the 4.5.x edits.
Matt (Management, posted February 18, 2021; marked as the solution): The patch is for Invision Community 4.5, but the underlying issue does affect 4.4.x too. There have been several security updates in the 4.5 branch, so it's worth upgrading.
sadams101 (author, posted March 1, 2021): So I think it's important to make your warning messages more clear, and to find a way to not show messages to those whose applications are unaffected. If I'm running 4.4, why should I see, and not be able to permanently dismiss, a warning message that only affects 4.5? If you can't do that, then... instead of saying this:
> Pages Security Update: We have released a fix to resolve a security issue with the Pages application.
perhaps the message should say this:
> Pages Security Update: We have released a fix to resolve a security issue with the 4.5 version of the Pages application. This issue does not affect the 4.4 version.
Nathan Explosion (posted March 1, 2021): Ummm...
> On 2/18/2021 at 3:20 PM, Matt said: ..., but the underlying issue does affect 4.4.x too.
CoffeeCake (posted March 1, 2021): To be super clear, @sadams101, 4.4.x is not receiving security updates, there have been multiple vulnerabilities impacting 4.4.x and lower, and the supported way to get the latest security updates is to upgrade to 4.5.x. Presumably with the release of 4.6 at some point in the future, security updates will stop for 4.5.x. The IPS model isn't presently one which continues to support older versions, it appears, which can be an understandable challenge for those communities lacking an upgrade path for third-party integrations, applications, extensions, themes, etc.
sadams101 (author, posted March 2, 2021): What security issues are there with the last version of 4.4, 4.4.10? If this is the case, then IPB needs to put this notice through to all users of those products. Why do they not do this? So far I've not heard of any security issues with 4.4.10, but please let me know what they are.
CoffeeCake (posted March 2, 2021):
> 1 minute ago, sadams101 said: If this is the case, then IPB needs to put this notice through to all users of those products. Why do they not do this?
I'm confused. You created this thread because you received notice. Granted, a bit more of an explicit message about the dangers of staying on the 4.4 branch may be warranted, but they did push the alert to you.
sadams101 (author, posted March 2, 2021; edited March 2, 2021): No need to be confused at all. If you want to issue warnings, make them specific, don't be general. Earlier in this thread I was told that the warning I was receiving regarding the Pages vulnerability did not apply to me, thus I asked why I was receiving it, and complained that their warnings need to be more specific, and if possible, don't warn those who are not running the version that the warning is about. Now you've come on here, apparently ignored most of my original posts, and said that there are indeed "multiple vulnerabilities impacting 4.4.x and lower." I ask again, what are the vulnerabilities in 4.4.10? I'd like to be able to patch it myself if IPB feels it's not important enough to do that.
Charles (Management, posted March 2, 2021): In 4.5 we have the following security updates:
- Improved password strength checks to detect password values set identically to the account username or email address and to consider them weak.
- Improved method of encrypting certain text.
- Improved AdminCP session handling, removing the session ID from URLs and introducing alternate CSRF protections.
- Improved email change process to invalidate any pending password reset requests.
- Fixed user not being prompted for two-factor authentication when signing in from a new device.
- Fixed an issue where it was possible to bypass the messenger recipient count limit.
- Fixed a niche issue where it was possible in certain configurations to view others' profile field attachments on the registration page.
- Fixed a race condition issue where it was possible to artificially inflate or reduce a user's reputation score.
- Limited password inputs to 72 characters max to reduce the chance of a malicious user forcing unnecessary computationally expensive operations on the server.
- Fixed an issue where AdminCP sessions may be usable longer than expected if a community receives little activity.
- Fixes an XSS vulnerability when quoting posts and comments.
- This release also contains the patch from 4.5.4 that resolves a security issue with the Downloads REST API.
Then of course beyond security there are countless performance, usability, and capability improvements since 4.4.
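The two password-policy items in that list (treating a password identical to the username or email address as weak, and capping password input at 72 characters) are the kind of check that sits in front of the hash function. The example below is added for this page and is not Invision Community's own code: the function names, the constant MAX_PASSWORD_BYTES, the violation labels and the sample accounts are all assumptions. It goes slightly beyond the release note in two ways: it also rejects the local part of the email address, and its last lines show why a 72-byte cap is a natural choice for bcrypt specifically, since bcrypt ignores every byte after the 72nd.

```php
<?php
// Added example (not Invision Community code): password-policy checks applied
// before hashing, modelled on the two items in the 4.5 release notes.

const MAX_PASSWORD_BYTES = 72; // assumed name; the cap itself is from the release notes

/**
 * Returns a list of policy violations; an empty array means the password is acceptable.
 * Comparisons are case-insensitive so "Alice" is rejected for user "alice".
 */
function passwordPolicyViolations(string $password, string $username, string $email): array
{
    $violations = [];
    $candidate  = mb_strtolower(trim($password));

    if ($candidate === mb_strtolower(trim($username))) {
        $violations[] = 'password_equals_username';
    }
    if ($candidate === mb_strtolower(trim($email))) {
        $violations[] = 'password_equals_email';
    }

    // Also reject the local part of the address ("alice" from "alice@example.org").
    // strstr() with $before_needle returns false when there is no "@".
    $localPart = mb_strtolower(trim(strstr($email, '@', true) ?: ''));
    if ($localPart !== '' && $candidate === $localPart) {
        $violations[] = 'password_equals_email_local_part';
    }

    // Enforce the cap on the byte length, not the character count: multibyte
    // characters occupy several bytes and bcrypt counts bytes.
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        $violations[] = 'password_too_long';
    }

    return $violations;
}

/**
 * Hashes only after the policy passes, so a caller cannot store a weak or
 * over-long password by forgetting the check.
 */
function hashPasswordIfAcceptable(string $password, string $username, string $email): string
{
    $violations = passwordPolicyViolations($password, $username, $email);
    if ($violations !== []) {
        throw new InvalidArgumentException('Password rejected: ' . implode(', ', $violations));
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

// Constructed sample inputs: [password, username, email].
$cases = [
    ['alice',                         'alice', 'alice@example.org'],
    ['Alice@Example.org',             'alice', 'alice@example.org'],
    [str_repeat('a', 80),             'alice', 'alice@example.org'],
    ['correct horse battery staple',  'alice', 'alice@example.org'],
];
foreach ($cases as [$pw, $user, $mail]) {
    $v = passwordPolicyViolations($pw, $user, $mail);
    printf("%-30s -> %s\n", substr($pw, 0, 30), $v === [] ? 'ok' : implode(', ', $v));
}

echo hashPasswordIfAcceptable('correct horse battery staple', 'alice', 'alice@example.org'), "\n";

// Why the cap matters for bcrypt: bytes beyond the 72nd are ignored, so two
// passwords that differ only after that point verify against the same hash.
$prefix = str_repeat('x', MAX_PASSWORD_BYTES);
$hash   = password_hash($prefix . 'A', PASSWORD_BCRYPT);
var_dump(password_verify($prefix . 'B', $hash)); // bool(true) on bcrypt: the 73rd byte is never compared
```

Running the script prints one line per sample (the first three are rejected, the passphrase passes), then a bcrypt hash, then the truncation demonstration. Rejecting over-long input up front, rather than silently truncating, keeps the stored hash tied to exactly the password the user typed.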
CoffeeCake (posted March 2, 2021):
> 2 minutes ago, sadams101 said: No need to be confused at all. If you want to issue warnings, make them specific, don't be general.
I'm all for this!
> 2 minutes ago, sadams101 said: Earlier in this thread I was told that the warning I was receiving regarding the Pages vulnerability did not apply to me, thus I asked why I was receiving it, and complained that their warnings need to be more specific, and if possible, don't warn those who are not running the version that the warning is about.
I don't think anyone (in this thread) told you the warning wasn't applicable for the 4.4.x branch.
> 3 minutes ago, sadams101 said: Now you've come on here, apparently ignored most of my original posts, and said that there are indeed "multiple vulnerabilities impacting 4.4.x and lower."
There are multiple security vulnerabilities that were fixed in the 4.4.x branch. If you're running 4.4.10, then the only outstanding security fixes are those addressed in 4.5.4.2. You can see each of the security vulnerabilities listed in the release notes (look for the red triangle). There are general security improvements in 4.5 from 4.4. Here are the release notes for 4.4.x to present with security issues addressed: 4.5.4.2, 4.4.9.1, 4.4.7, 4.4.6, 4.4.1.
sadams101 (author, posted March 2, 2021): Thanks, I did look at those, and 4.4.10 is missing. And the reason I'm in no rush to upgrade is because the only time my site has been hacked is after I did a major IPB upgrade which had a serious vulnerability in it. Additionally I spent a couple of years getting IPB to run reasonably fast, and after speaking with those who have upgraded I understand 4.5 is SLOW. If there are security issues in 4.4.10, IPB should issue a patch for them; that is the responsible thing to do.
CoffeeCake (posted March 2, 2021):
> 25 minutes ago, sadams101 said: Thanks, I did look at those, and 4.4.10 is missing.
You need to remember that each release is iterative and builds on the previous, so things included after 4.4.10's release notes are not in 4.4.10. Things preceding it are in it. I only linked the ones with the security flag set to true, but there are certainly security improvements in many releases that aren't flagged with a red triangle. If you are concerned about doing all you can to prevent another exploit against your site and being hacked, you need to stay as close to the current version as possible and upgrade. I think your current approach is a bit backwards, though I can understand that you're hesitant to put trust in new versions after that experience.
> 28 minutes ago, sadams101 said: I understand 4.5 is SLOW.
The largest hit can be addressed by turning off the function that gives an expanded forum view (where you see a bit of the first post in the forum table view). That's hot garbage in 4.5 in terms of performance. Jordan was excited to note that there would be improvements in this area with 4.6.
Adlago (posted March 2, 2021):
> 14 minutes ago, Paul E. said: The largest hit can be addressed by turning off the function that gives an expanded forum view (where you see a bit of the first post in the forum table view). That's hot garbage in 4.5 in terms of performance. Jordan was excited to note that there would be improvements in this area with 4.6.
I'm still skeptical - stopping a feature won't speed up a site ... Many other changes are needed to make mobile work fast ...
CoffeeCake (posted March 2, 2021):
> Just now, Adlago said: I'm still skeptical - stopping a feature won't speed up a site ... Many other changes are needed to make mobile work fast ...
Yeah, turning on that feature on our test site with no load made it completely non-functional. We're not talking a few milliseconds. I imagine the underlying SQL needed refinement and did something silly like retrieve all the things.
Colonel_mortis (posted March 6, 2021; edited March 6, 2021):
> On 3/2/2021 at 8:04 PM, Charles said: In 4.5 we have the following security updates: [the full list from Charles's post above, quoted verbatim]
You forgot "Fixed a remote code execution vulnerability" (which has existed since at least 4.2).