Invision Community Blog


Managing successful online communities

bfarber

IP.Board 3.4.9 Released

IP.Board 3.4.9 is now available in the client area

This is a maintenance release to consolidate security updates released since 3.4.8, release additional security updates, and fix some minor bugs impacting many clients. We recommend you upgrade to ensure you have all security updates in place.

You can download in the client area and upgrade as normal.

 

We would like to thank newbie LAC for responsibly reporting a potential CSRF (cross-site request forgery) issue related to warnings resolved with the release of 3.4.9.

 

Support Notes

IPS will no longer provide upgrade services for self-hosted licenses on the 3.x series. You can do the upgrade yourself (it's very easy) but our support will only do upgrades for you to IPS Community Suite 4. If you are an IPS Cloud client we will still do the upgrades for you.

IP.Board 3.4.x will reach "End of Support" status soon and we strongly encourage all clients to upgrade to the 4.x Community Suite.


Comments




Which additional security updates, only what LAC reported? If something else, could you inform us about the level of security issues (critical, medium, low, we have to know if we have to act immediately or we have time to plan this upgrade?), and could you release the new security updates as a separate patch?

Link to comment
2 hours ago, chivitli said:

Which additional security updates, only what LAC reported? If something else, could you inform us about the level of security issues (critical, medium, low, we have to know if we have to act immediately or we have time to plan this upgrade?), and could you release the new security updates as a separate patch?

 

2 hours ago, grinler said:

Can you give us an ETA as to when the additional security updates will be released as a separate patch for those who cannot immediately upgrade to 3.4.9?

Thanks

These security updates require the upgrade routine to execute so we cannot release them as simple patches. We do not really assign severity levels to security issues as we do not want to encourage people to not update based on what is really an arbitrary opinion of an issue. As with any software, staying up to date is your best defense.

Link to comment

 

41 minutes ago, Charles said:

 

These security updates require the upgrade routine to execute so we cannot release them as simple patches. We do not really assign severity levels to security issues as we do not want to encourage people to not update based on what is really an arbitrary opinion of an issue. As with any software, staying up to date is your best defense.

From my point of view (as a client), knowing the severity level allows me to either plan for a timely upgrade or drop everything and start doing it immediately due to a severe impact. I agree that staying up to date is important, but you need to take into account that some things need to be planned in advance; after all, some work has priority over other work. When you do not want to assign a security level, you are leaving us in the dark guessing the severity level and either gambling, thinking it's not that severe and that we can wait some days or weeks or whatever for it to come up on the agenda, or postponing other work / breaking deadlines, thinking we are at a high risk.

Do not encourage people to not update, but do not take decisions for clients as to when that must happen. It's maybe simpler for a small forum owner, but not when running a forum is just a part of your business and when there are many things which may break. Put yourself in our shoes (at least some of us).

Link to comment

The option that SQL queries are updated is set to 'run queries manually' during upgrade.

After the upgrade no manual queries are shown - so I assume there aren't any coming from 3.4.8, right?

Thanks

Link to comment
5 hours ago, Charles said:

 

These security updates require the upgrade routine to execute so we cannot release them as simple patches. We do not really assign severity levels to security issues as we do not want to encourage people to not update based on what is really an arbitrary opinion of an issue. As with any software, staying up to date is your best defense.

I am confused. I do not see anything that would be accomplished in an upgrade routine that could not also be issued as a separate patch. For many businesses, especially during the holidays when there is reduced staff, upgrading the forums to a completely new version can be a time-consuming task. By not releasing a separate patch, like you have always done in the past, you are simply putting your customers at risk when they are the least staffed.

This is not the type of attention to security that I have come to expect from IPS.

Furthermore, you need to do a better job issuing security notices.  If I didn't happen to stumble on this blog I would never have known one was released as it is not telling me in the ACP and we have not received notifications. You really need to send out email notices to all paid customers alerting them to security notices. This was requested in the past and it continues to not happen.

Edited by grinler

Link to comment
8 hours ago, grinler said:

I am confused. I do not see anything that would be accomplished in an upgrade routine that could not also be issued as a separate patch. For many businesses, especially during the holidays when there is reduced staff, upgrading the forums to a completely new version can be a time-consuming task. By not releasing a separate patch, like you have always done in the past, you are simply putting your customers at risk when they are the least staffed.

This is not the type of attention to security that I have come to expect from IPS.

Furthermore, you need to do a better job issuing security notices.  If I didn't happen to stumble on this blog I would never have known one was released as it is not telling me in the ACP and we have not received notifications. You really need to send out email notices to all paid customers alerting them to security notices. This was requested in the past and it continues to not happen.

 

It already notifies people who have IPS 4.1.x of upgrades and their patches once they are on their main page/root of their forums (admins notification).

It also sends an e-mail to the admin/owner of the forums if you choose to do so, that's why IPS 4.1.x is newer and more efficient.

Most of my friends are still using IPS 3.4.x and they like the IPS 4.1.x but they complain that the plugins built for IPS 3.4.x aren't compatible with the newer version.

Staff & developers at IPS work hard to give us a successful and secured software.

 

Best regards

Hassan

Link to comment

It's not just a security patch or ordinarily we would release it as just a security patch. It's a consolidation of security updates and some maintenance fixes. You must run the upgrader because... it's an upgrade. If you're already on 3.4, it's a 5-10 minute thing. Instead of a patch, you upload the 3.4.9 archive... you're already uploading, what's the difference beyond having to run /admin/upgrade at the end? You don't lose properly done customizations, no data loss - a simple upload and upgrade. 

Further, this particular security issue involved a template edit - which involves writing to the database. That's not something that you can just upload a file and off you go. If you knew how involved it is to push a 3.x release (which involves 3 separate builds -- one for you, one for CiC and one for our techs) - I think you'd realize a simple patch would have been easier for us and that was our initial thought. Then, we thought with End of Support in the 3.x line, we would take it a step further and do a full release to fix some common issues, perhaps help out people trying to use PHP7 (though we do not support or recommend PHP7) and consolidate all recent patches before we reach EOS. 

Of course, no good deed goes unpunished. :) 

 

Link to comment
Quote

It's not just a security patch or ordinarily we would release it as just a security patch. It's a consolidation of security updates and some maintenance fixes. You must run the upgrader because... it's an upgrade. If you're already on 3.4, it's a 5-10 minute thing. Instead of a patch, you upload the 3.4.9 archive... you're already uploading, what's the difference beyond having to run /admin/upgrade at the end? You don't lose properly done customizations, no data loss - a simple upload and upgrade. 

No upgrade is a 5-10 minute thing when you have a modded IPB and many hooks.  I can't speak for your other customers, but for me, I test every upgrade for compatibility with my hooks and modifications before I push it live to production.  IPB's upgrade has broken/reset things in the past for me to just "trust" that everything is going to go smoothly. So, no, this is not just a 5-10 minute process but actually a fairly long one.  That is why a patch or even manual instructions would be better than this ..well.. nothing.

If IPS' direction is to cater to only right-off-the-shelf light users and not the developers who picked IPS for the easy ability to customize it to their needs, then please let us know.

Quote

Further, this particular security issue involved a template edit - which involves writing to the database. That's not something that you can just upload a file and off you go.

So give us the edit. I will do it myself.

Quote

Of course, no good deed goes unpunished.

I just think it's important to cater to ALL of your customers... not just those who can simply run and upgrade and forget about it.

 

Quote

It already notifies people who have IPS 4.1.x of upgrades and their patches once they are on their main page/root of their forums (admins notification).

Well, it's not giving notice to those on 3.4.x, and since it's not EOS, it should be doing so. I would love to go to 4.x. Unfortunately, the editor in its current state does not work well with my community.

Link to comment

What are you talking about? Unless you've hacked your code to pieces, you shouldn't lose anything upgrading minor releases -- hooks are just that... hooks. They would not get overwritten going from 3.4.8 to 3.4.9. If you've modified the source code directly, well I hate to say, that's your bad... the app and hooks system is quite extensible and there's no reason you couldn't accomplish anything you'd ever need to reasonably do using that. We upgraded our own backend site from 3.4.8 to 3.4.9 and I can guarantee we have the most modified installation of anyone -- it powers our chat service, license systems, monitoring, community in the cloud accounts, etc. Still only a 10 minute upgrade. 

It's not possible to cater to everyone's individual needs. We make decisions based on the interests of most customers. If you've hacked your code to the point you can't run a simple upgrade -- I'm afraid you don't fall within the realm of most customers. I empathize with your situation, but we don't have the resources to do everything twice. 

Sorry for your frustration. This process is much simpler in IPS4 as all patches run through the upgrader, but they're in delta format. 

Link to comment
10 hours ago, Rory Soh said:

Upgrading your board takes 5 minutes, got to be kidding. Applying the patch takes almost as much time as upgrading the board.

You have to try to understand their point too...

Most of us have heavily customized boards... Patches are extremely useful... I hope you understand their view....

Thanks

Link to comment

Issue with iPhone not being able to sign in.  Sign in process occurs, but on success, users still aren't signed in.

2 minutes ago, Clover13 said:

Issue with iPhone not being able to sign in.  Sign in process occurs, but on success, users still aren't signed in.

I moved iPhone/iPad user agents to the top and re-cached all.  That fixed it.

Link to comment
31 minutes ago, RevengeFNF said:

3.4.9 works with php7?

We've addressed what we knew was preventing it from running at all. I want to be clear in saying that while it may work, there may also be additional bugs related to PHP7 and we do not intend on releasing any further PHP7 fixes for the 3.x line. 

Link to comment
2 hours ago, Lindy said:

If you've modified the source code directly, well I hate to say, that's your bad... the app and hooks system is quite extensible and there's no reason you couldn't accomplish anything you'd ever need to reasonably do using that.

We are just going to have to agree to disagree on this. Hooks are great and we use them extensively when we can, but there are some things that hooks can't fix and that require code edits in order to extend or fix the functionality of components of IPB.

As I have already said, you could release a standalone patch that includes the PHP files and the template updates that an owner needs to manually add. As you have said, you have obviously chosen not to do that, so there is not much to discuss on this subject anymore.

There still have not been any responses as to why people must be subscribed to your blog to even know about new security updates. There really should be emails to your paid customers so that everyone is notified. 

Link to comment
3 minutes ago, grinler said:

There still have not been any responses as to why people must be subscribed to your blog to even know about new security updates. There really should be emails to your paid customers so that everyone is notified. 

I agree, I have missed updates in the past having not visited the site.  Emails would be a better approach (without needing to subscribe for notification of every blog posted).

Link to comment

In IPS4 you can enter your email to be notified of updates. In IPB3 it's not as advanced so we do not have an easy way to email out updates but it does show in the AdminCP feed. Unfortunately it's a really old codebase so there's no way for us to make that better.

As was said many times: this is a full update. It contains security updates in addition to other bug fixes and updates. While we technically could, I suppose, it would be a waste of time for us to pull out just the security updates, provide patch instructions for both code and templates, and all that when the vast majority of clients would not have the technical skill necessary to manually update code and templates needed for this fix. I really cannot comprehend what the issue is here: just upgrade like you always have. :console:

Link to comment
1 hour ago, Lindy said:

We've addressed what we knew was preventing it from running at all. I want to be clear in saying that while it may work, there may also be additional bugs related to PHP7 and we do not intend on releasing any further PHP7 fixes for the 3.x line. 

Lindy, was the MySQL full text search issue and the IPB 3.4.x series not working with it fixed? I did create a ticket like you had asked me a while back to do. I hope to seek resolution. I wish I could upgrade to the 4.1.x series, but sadly a few of my add-ons are still not updated to it. Awaiting the updates from 3rd party developers. Thanks
