phpBB 3.0.7-PL1 released

Anything important pertaining to the phpBB 3.x line of forum software.
Post #1  Post On 05 Mar, 2010, 7:33 pm

Developer [Bot] wrote...
This was posted in the phpbb.com announcements forum here by naderman, Development Team Leader.

Hi everyone,

We are sorry to announce the immediate release of phpBB 3.0.7-PL1 to address a security issue which was introduced in 3.0.7. Unfortunately, the issue wasn't noticed during testing and only surfaced a week after the release of 3.0.7.

We promised working feeds for phpBB 3.0.7. Sadly, we were not able to deliver on that promise - a critical bug in the permission handling for feeds slipped past. To all people who already have updated to 3.0.7, it is of critical importance to update to 3.0.7-PL1. Otherwise, it is possible for users to bypass permission settings under the following circumstances:

* Feeds are enabled
* Any of the posts or topics feeds are enabled
* The unauthorised user - or one of the groups they are a member of - has forum permissions set on a private forum
* If you have excluded a forum from the list of forums that provide feeds, it is unaffected


The fix for the issue is a single line change inside of feed.php, line 525 has changed from:

Code:
$forum_ids = array_keys($auth->acl_getf('f_read'));

to:

Code:
$forum_ids = array_keys($auth->acl_getf('f_read', true));

There were no other changes, in particular neither style nor language changes.

Installation instructions

A short explanation of how to do a conversion, installation or update is included within the provided INSTALL.html file, please be sure to read it. You can find a list of requirements on our Downloads page.

Security

If you find any security issues please report them to our security tracker.

Available packages

If you experience problems with the automatic update (white screens, timeouts, etc.) we recommend using the "changed files only" or "patch" method for updating.

* Full Package:
Full phpBB 3 source code and English language files.
* Automatic Update Package:
Update package for the automatic updater, contains changes from previous release to this release.
* Changed Files Only:
Complete files, but only those that were changed since previous releases of phpBB 3. This archive contains changed files for every previous release.
* Patch Files:
This file contains diffs against the previous phpBB 3 release, which can be applied with the patch utility.


Select the package most suitable for you. We recommend the following methods depending on your situation:

* For new installations you should use the Full Package
* For updates of boards without modifications you can use the Automatic Update Package (guided update) or the Changed Files Only package (manual update).
* For updates of boards with modifications you should use the Automatic Update Package. If you are confident with patch files and patching you can use the Patch Files Package.
* International Support Teams may use the Patch Package in conjunction with the Code Changes to better support users with problematic conflicts during their update process or to help them update code sections.
* If you are a hoster/provider, you may want to use the Patch Files Package to update all of your client installations.


Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation, updates or conversions!

Download Locations

The download is of course available on our downloads page.
Our release archive provides all packages we build. If you do not find your desired package you can probably find it in the release archive.

These are the files with their md5 sums:


Download & Documentation

* phpBB Downloads
* phpBB Projects page @ ohloh
* phpBB 3 Documentation
* phpBB 3 support forum
* phpBB 3 bug tracker
* phpBB Code Forge
* phpBB Code Wiki
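To make the one-line fix concrete, here is an added example (not phpBB's own code) that models how acl_getf() behaves with and without its second argument, as I read phpBB 3.0's implementation: without the $clean flag it returns every forum that has the option set, granted or denied, and array_keys() then throws away the granted/denied value. The ACL data, forum ids and helper names (acl_getf_model, leaksDeniedForum) are constructed for the illustration.

```php
<?php
// Added illustration, not phpBB's code. Models the feed.php change in
// 3.0.7-PL1: acl_getf('f_read') versus acl_getf('f_read', true).
// All forum ids and ACL values below are constructed sample data.

// One user's local f_read setting per forum: true = granted, false = denied
// ("never"/"no"). Forums with no entry have no f_read permission set at all.
$userAcl = [
    2 => true,   // public forum, readable
    5 => false,  // private forum with an explicit denial for this user
];

// Simplified stand-in for auth::acl_getf($opt, $clean), based on my reading
// of phpBB 3.0: with $clean = false every forum that has the option set is
// returned (keyed by forum id, value = granted/denied); with $clean = true
// only forums where the option is actually granted are kept.
function acl_getf_model(array $userAcl, bool $clean = false): array
{
    $acl_f = [];
    foreach ($userAcl as $forumId => $allowed) {
        if (!$clean) {
            // Denied forums are still present as keys here.
            $acl_f[$forumId]['f_read'] = $allowed;
        } elseif ($allowed) {
            $acl_f[$forumId]['f_read'] = 1;
        }
    }
    return $acl_f;
}

// True if any forum the user is denied on made it into the feed's forum list.
function leaksDeniedForum(array $forumIds, array $userAcl): bool
{
    foreach ($forumIds as $id) {
        if (array_key_exists($id, $userAcl) && $userAcl[$id] === false) {
            return true;
        }
    }
    return false;
}

// 3.0.7: array_keys() drops the granted/denied value, so forum 5 leaks.
$forumIdsVulnerable = array_keys(acl_getf_model($userAcl));
// 3.0.7-PL1: the $clean flag filters denied forums before array_keys().
$forumIdsFixed = array_keys(acl_getf_model($userAcl, true));

printf("3.0.7:     forums %s, leak: %s\n", implode(',', $forumIdsVulnerable),
       leaksDeniedForum($forumIdsVulnerable, $userAcl) ? 'yes' : 'no');
printf("3.0.7-PL1: forums %s, leak: %s\n", implode(',', $forumIdsFixed),
       leaksDeniedForum($forumIdsFixed, $userAcl) ? 'yes' : 'no');
```

The same check explains the announcement's third condition: a forum only leaks when the user or one of their groups has an explicit f_read setting on it, since forums without any setting never appear in the unclean result either.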

Post #2  Post On 05 Mar, 2010, 8:05 pm

david wrote...
Thanks for posting this darkly! :)

The board has been updated using the fix provided.
MOD Team Member
All your phpBB are belong to us!
No PM support. Ask for support in the Support forum.

Post #3  Post On 06 Mar, 2010, 7:08 am

SA007 wrote...
*sighs* first security bug since 3.0.4. :(
Need WebHosting? At Plutohost webhosting meets its finest.

Want more information on development of my MODs? They're all available at my Blast Lab, My Contributions Page or phpBB Developers


Post #4  Post On 06 Mar, 2010, 5:31 pm

Flaps wrote...
This is a perfect example as to why people shouldn't rush into getting things the first day they release them ;)

Post #5  Post On 06 Mar, 2010, 7:23 pm

SA007 wrote...
Yup. I hadn't updated to 3.0.7 at the time so only 1 update for me. :)

Post #6  Post On 06 Mar, 2010, 7:24 pm

david wrote...
Well, the second update is one word, so no biggie, really. :P And it just shows how good they are at finding bugs and fixing them right away! :DD

Post #7  Post On 06 Mar, 2010, 7:28 pm

SA007 wrote...
Yup. Although, the bug was reported and seen by a dev team member 9 hours before the phpBB 3.0.7 release.

Why wasn't the release halted? Especially seeing as bantu had seen it and found the person was right and it was a security bug.

If they were really serious with security they would have halted the 3.0.7 release, not released a patch a week after the main release.

These changes after a few days are happening a lot at the moment: phpBB Main, MODX, MOD Team Leader, the list goes on. It's getting ridiculous.

Post #8  Post On 06 Mar, 2010, 10:38 pm

eviL<3 wrote...
SA007 wrote: Yup. Although, the bug was reported and seen by a dev team member 9 hours before the phpBB 3.0.7 release.

Wrong.

phpBB 3.0.7 was released on Mar 1 2010. The bug was reported on Mar 5 2010. phpBB 3.0.7-PL1 was released 9 hours later.

Obviously you misinterpreted this post.

As to the fixups with phpBB, MODX and the MOD TL; I agree that those are unfortunate, and it would be better to catch these things early. But at the end of the day you can be glad that there actually are people who care about fixing the issues and don't mind admitting a mistake. Let's hope such things can be prevented in the future.

Post #9  Post On 06 Mar, 2010, 11:05 pm

david wrote...
eviL<3 wrote:
SA007 wrote: Yup. Although, the bug was reported and seen by a dev team member 9 hours before the phpBB 3.0.7 release.

Wrong.

phpBB 3.0.7 was released on Mar 1 2010. The bug was reported on Mar 5 2010. phpBB 3.0.7-PL1 was released 9 hours later.

Obviously you misinterpreted this post.

As to the fixups with phpBB, MODX and the MOD TL; I agree that those are unfortunate, and it would be better to catch these things early. But at the end of the day you can be glad that there actually are people who care about fixing the issues and don't mind admitting a mistake. Let's hope such things can be prevented in the future.

I agree. That's the great thing about open source as well, as anyone can look at the code to find vulnerabilities and bugs can be found quite quickly.

And thanks for the info about the timing. :)

Post #10  Post On 06 Mar, 2010, 11:56 pm

eviL<3 wrote...
