=====================================================================
                                   CERT-Renater

                        Information Note No. 2008/VULN584
_____________________________________________________________________

DATE                      : 15/12/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running phpBB versions prior to 3.0.4.

======================================================================
http://www.phpbb.com/community/viewtopic.php?f=14&t=1352565
______________________________________________________________________
Hello,

We are very pleased to announce the availability of the "one year
anniversary" phpBB 3.0.4 package. With this release we would like to
thank everyone who supported phpBB the past years. This release fixes
some bugs introduced with the changes in 3.0.3, corrects minor issues,
fixes two security bugs and also increases performance significantly.

Please note that we urge you to update. The versions we currently support
here are phpBB 2.0.23 and phpBB 3.0.4. Bug submissions and incident reports
for older versions will be closed.

Important changes since 3.0.3:

    * [Fix] Allow mixed-case template directories to be inherited (Bug #36725)
    * [Fix] Regression bug from revision #8908 regarding log display in ACP
    * [Fix] Allow the UCP group management to work for groups with avatars.
(Bug #37375)
    * [Fix] Fix header list build for replying oldest PM in PM history (Bug #37275)
    * [Fix] Do not display COPPA group in memberlist find member dialog if COPPA
disabled (Bug #37175)
    * [Fix] Do not try to send jabber notifications if no jid entered
(Bug #36775)
    * [Fix] Only display special ranks to guests; no longer display normal
ranks for guests (Bug #36735)
    * [Fix] Properly treat punctuation marks after local urls (Bug #37055)
    * [Fix] Make searching for members by YIM address work in prosilver
    * [Fix] Tell users to recreate the search index after changing the
common word threshold for fulltext_native (Bug #36345)
    * [Fix] Adjusted phpbb_chmod() to always set permissions for group bit.
    * [Fix] Do not increment users post count after post approval if post
had been posted in a forum with no post count increasing set (Bug #37865)
    * [Fix] Extend vertical line for last post column if no posts in forum
(Bug #37125)
    * [Fix] correctly update last topic/forum information if changing guest
usernames through editing posts (Bug #38095)
    * [Fix] fix postcount resync for situations where low and high post ids
are higher than step value, resulting in users having 0 posts. (Bug #38195)
    * [Fix] Use a left join for the topics table on search to avoid trouble
with FROM syntax on some databases (Bug #37005)
    * [Fix] Do not show 'Forward' button if the user cannot send PMs
    * [Change] Allow applications to set custom module inclusion path
(idea by HoL)
    * [Change] Handle checking for duplicate usernames in chunks (Bug #17285
- Patch by A_Jelly_Doughnut)
    * [Change] Better handling and finer control for custom profile fields
visibility options. (Patch by Highway of Life)
    * [Change] Performance increase for format_date() (Bug #37575 - Patch by
BartVB)
    * [Change] Changed prosilver date separator from 'on' to '&raquo;'
    * [Change] Performance increase for get_username_string() (Bug #37545 -
Patch by BartVB)
    * [Change] Slight performance increase for common parameter calls to
append_sid() (Bug #37555 - Patch by BartVB)
    * [Feature] Added 'AGO' setting to relative date strings. For example:
posted 14 minutes ago. (Patch by BartVB)
    * [Sec] Fixed an issue where deactivated accounts could be re-activated
without the required privileges. (Reported by Jorick)
    * [Sec] Ask for forum password if post within passworded forum quoted in
private message. (Reported by nickvergessen)


Please refer to the changelog for a complete list of fixes since 3.0.3:

http://www.phpbb.com/support/documents. ... &version=3

A short explanation of how to do a conversion, installation or update is included
within the provided INSTALL.html file, please be sure to read it.

Minimum Requirements

phpBB3 has a few requirements which must be met before you are able to
install and use it.

    * A webserver or web hosting account running on any major Operating System
with support for PHP
    * A SQL database system, one of:
          o MySQL 3.23 or above (MySQLi supported)
          o PostgreSQL 7.3+
          o SQLite 2.8.2+
          o Firebird 2.0+
          o MS SQL Server 2000 or above (directly or via ODBC)
          o Oracle
    * PHP 4.3.3+ (>=4.3.3, >4.4.x, >5.x.x, >6.0-dev (compatible)) with support
for the database you intend to use.
    * getimagesize() function needs to be enabled
    * The optional presence of the following modules within PHP will provide
access to additional features, but they are not required.
          o zlib Compression support
          o Remote FTP support
          o XML support
          o Imagemagick support
          o GD Support


The presence of each of these optional modules will be checked during
the installation process.

Security

Security issues found should be reported to our security tracker in the
usual way.

Available packages

If you experience problems with the automatic update (white screens, timeouts,
etc.) we recommend using the "changed files only" or "patch" method for
updating.

With this release, there are five packages available.

    * Full Package:
      Contains entire phpBB3 source and English language files.
    * Automatic Update Package:
      Update package for the automatic updater, containing the changes
from previous release to this release.
    * Changed Files Only:
      Contains only those files changed from previous versions of phpBB3. Please
note this archive contains changed files for each previous release.
    * Patch Files:
      Contains patch-compatible patches from previous versions of phpBB3.
    * Code Changes Package:
      Package contains changes to the following sections: Language changes,
prosilver style changes and subsilver2 style changes.


Select whichever package is most suitable for you. As a tiny guide we
recommend the following methods based on the requirements:

    * For a new installation you should use the Full Package
    * For updates of boards without modifications you can basically use
the Automatic Update Package (guided update) or the Changed Files Only
package (manual update).
    * For updates of boards with modifications you should use the Automatic
Update Package. If you are confident with patch files and patching you can
use the Patch Files Package.
    * Style Authors and Translators may use the Code Changes Package to
update their styles or language packs directly.
    * International Support Teams may use the Patch Package in conjunction
with the Code Changes to better support users having problems with conflicts
or specific code sections.
    * If you are a hoster/provider, you may want to use the Patch Files
Package to update all of your client installations.


Please ensure you read the INSTALL and README documents in docs/ before
proceeding with installation, updates or conversions!

Download Locations

You can of course find this download available on our downloads page.
We use sourceforge.net for hosting our downloads. If you have problems
downloading from there, our packages are also available at Ohloh.

Download/Documentation

    * phpBB Downloads
    * phpBB Projects page @ ohloh
    * phpBB Projects page @ sf.net
    * phpBB3 Documentation
    * phpBB3 support forum
    * phpBB3 bug tracker
    * phpBB3 Coding Guidelines
    * phpBB3 Sourcecode Documentation
    * phpBB Code Forge


Have fun with the release,
the phpBB Team

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
