Released UNB 1.5.3 Patch 2, 3, 4
also known as 1.5.3-b/c/d
Yves (Administrator) #1
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Subject: Released UNB 1.5.3 Patch 2
Hi,
this is only a short note on the updated version 1.5.3 Patch 2 (1.5.3-b) that I have just released. It fixes a number of security issues that have recently been discovered. It's mainly about Cross-Site Scripting bugs. I'm not sure about further security flaws but I have also corrected some other potential problems while thoroughly scanning the code for them.

This time there's no diff patch available, there are quite a lot of changes in many files, and I've discovered that the previous patch release (1.5.3-a) was a bit chaotic. You'll have to create your own patch file if you need one. And if you need one, I'm sure you are able to do that. Additionally, I have again removed the light version from the download page until the release of version 1.6, which should be in no longer than two weeks.

I really do recommend that you upgrade to 1.5.3 Patch 2 if you're still running an older version and do not want to switch over to the new 1.6 RC 3, which already seems to be stable enough for production use.

Sorry for the inconvenience, but old code tends to be strange... Btw, the UNB 1.6 series is not affected by these problems, as far as I can tell by now. I will add the problems I have found to my source code check list and go through it within the next days to be sure.

Continue to the download page.

German summary:
I have just released the updated version UNB 1.5.3 Patch 2 (1.5.3-b), which fixes several security-relevant bugs. There is no diff patch this time, since the last patch was already a bit chaotic. There is also no light download any more until version 1.6. The 1.6 series is not affected by the bugs mentioned, as far as I can tell at the moment.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
rvwsak #2
Member since Jul 2005 · 107 posts · Location: Norway
Group memberships: Members
Quote by Yves:
This time there's no diff patch available, there are quite a lot of changes in many files, and I've discovered that the previous patch release (1.5.3-a) was a bit chaotic. You'll have to create your own patch file if you need one. And if you need one, I'm sure you are able to do that. Additionally, I have again removed the light version from the download page until the release of version 1.6, which should be in no longer than two weeks.

I will continue to use 1.5.3 for some time, since I haven't yet had the time to adapt ver. 1.6 to my needs (translation and design). So I would like to upgrade to 1.5.3-b. But could you be more specific as to how to upgrade without a patch? I download the whole package, but then what? Do I simply replace all the old files with all the files in the new package (except language files), or what? I couldn't find any info on this on either the download or the installation pages.
Dixi et liberavi
Yves (Administrator) #3
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Yes, that's pretty much it. Replace any file in your board with the file from the archive, if it's newer or has changed. To be sure, replace all files. It's almost the same as upgrading from 1.5.2 to 1.5.3, they were quite similar, too. No database or config file upgrade is required.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
rvwsak #4
Member since Jul 2005 · 107 posts · Location: Norway
Group memberships: Members
Thanks for the confirmation :-)
Dixi et liberavi
cURT #5
Member since Jul 2005 · 24 posts
Group memberships: Members
Subject: 2nd patch, old bug
Tell me, why is the RSS bug with the "PD" that should be "h2t(PD)" still there? ;)

I've just installed the patch and right away the RSS links didn't work again. Not really bad, I changed it straight away, but if there is another patch, could you include it?

I quite like 1.6 RC3 and am already looking forward to the final. Good work, keep it up. Is it actually worth building a custom design for 1.6 yet, or are there bigger changes still to come?

cURT
Yves (Administrator) #6
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
I haven't corrected the bugs found so far in version 1.5.3 for this version. My intention with patch versions is really only to fix critical bugs while changing as little as possible. Non-critical bugs are only fixed in later versions or described with a workaround. You can find more on this in the topic "Known issues with version 1.5.3". And honestly, I admit I don't feel much like looking after version 1.5.3 any more, which is almost a year old after all. ;) 1.6 is so much better...
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
Yves (Administrator) #7
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Subject: 1.5.3 Patch 3
I don't want to make a new thread for this. But today a (critical?) bug has been reported for version 1.5.3 Patch 2 that will break sending e-mails to users. No, nothing security-relevant, but the board will just stop with a fatal error when an e-mail is to be sent. I will release Patch 3 in a while to fix this. It's only a small change:
Replace mail.lib.php line 104
    $subject = MimeEncodeWord($subject, false, false, $CHARSET);
with
    $subject = mime_enc_word($subject, false, false, $CHARSET);
That's all.

German summary:
Today a (critical?) but not security-relevant bug in version 1.5.3 Patch 2 was reported to me, which I will fix shortly with Patch 3. When an e-mail is to be sent to a user, the program terminates with a PHP error. The change is minimal, only one function name needs to be replaced (see above).
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
Yves (Administrator) #8
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
PS: Patch 3 fixes an issue that has been introduced with Patch 2. I have added this function call to increase the security of sent e-mails and to prevent possible exploits of this code. Apparently I have mixed this up with the new 1.6 code, where the new function name comes from. So if for any reason you don't need or want to use Patch 2, this one isn't necessary for you as well.

(de) PS: Patch 3 fixes a bug that was introduced with Patch 2. The function name mistakenly comes from the current 1.6 code. So if for any reason you don't want to or can't use Patch 2, this update isn't necessary either.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
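To illustrate what the patched line in mail.lib.php is for (posts #7 and #8 above), here is an added example that is not UNB's code: a stand-in `mime_enc_word` in Python that turns a subject into RFC 2047 "B" encoded-words, so the Subject header is always one printable ASCII line no matter what characters the subject contains. The function names, the decoder used to check the round trip, and the sample subjects are all constructed for this example.

```python
import base64
import re

# Stand-in for an RFC 2047 encoded-word encoder such as the mime_enc_word()
# call the patch introduces. This is a constructed example, not UNB's code.
_RAW_HEADER_OK = re.compile(r"[\x20-\x7e]*")  # printable ASCII, no CR/LF


def mime_enc_word(text: str, charset: str = "UTF-8") -> str:
    """Return `text` unchanged if it is plain printable ASCII; otherwise
    return it as one or more RFC 2047 'B' encoded-words (max 75 chars each,
    joined by a space). The result never contains CR or LF, so a header
    built from it stays a single line."""
    if _RAW_HEADER_OK.fullmatch(text):
        return text
    prefix = f"=?{charset}?B?"
    # base64 yields 4 chars per 3 bytes; leave room for the prefix and "?=".
    max_bytes = ((75 - len(prefix) - 2) // 4) * 3
    chunks, cur = [], b""
    for ch in text:  # split on character boundaries, never mid-character
        b = ch.encode(charset)
        if cur and len(cur) + len(b) > max_bytes:
            chunks.append(cur)
            cur = b""
        cur += b
    chunks.append(cur)
    return " ".join(
        f"{prefix}{base64.b64encode(c).decode('ascii')}?=" for c in chunks
    )


def mime_dec_words(header: str) -> str:
    """Decode the 'B' encoded-words produced above (used to verify round trips)."""
    parts = re.findall(r"=\?([^?]+)\?B\?([^?]*)\?=", header)
    if not parts:
        return header
    charset = parts[0][0]
    return b"".join(base64.b64decode(p) for _, p in parts).decode(charset)


def is_single_header_line(value: str) -> bool:
    """True if `value` may be placed raw into a mail header: one line of
    printable ASCII, with every encoded-word within the 75-char limit."""
    return bool(_RAW_HEADER_OK.fullmatch(value)) and all(
        len(w) <= 75 for w in value.split(" ")
    )


# Constructed sample subjects: plain ASCII, German umlauts, an embedded line
# break (a header value must be exactly one line), and a long non-ASCII one.
SAMPLES = ["Re: Patch 3 released", "Antwort: Ärger mit Umlauten",
           "Line one\r\nline two", "Ä" * 60]
```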
Yves (Administrator) #9
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Subject: 1.5.3 Patch 4
And again, not much later, one of those hackers* had to find a mistake I must have overlooked in the code. The search function offers a way to retrieve information from the database that was not really meant to be made public. It's quite a tricky thing to exploit this bug, and the information is virtually useless (if you use secure passwords, which the board can already help you with), but it is possible, and so I have released a patch for it. You can find the updated distribution archive along with a diff and a ZIP patch against 1.5.3-c on the download page here. Version 1.6 is also affected by this bug as the relevant code place didn't change. An updated devel release will be available in a while.

*) Can I call that one a "hacker"? I thought hackers were the relatively "good" ones. But publishing information of this kind without even notifying the code author is not "good" for sure.

Can anyone point me to a good way to receive interesting security-related information really fast? By "interesting" I mean only those related to a certain product. I was subscribed to SecurityFocus for a while but it was soo boring. And a try to find the bulletins for this one in Google ended unsuccessfully. How am I supposed to know about such publishings? :huh:
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
cURT #10
Member since Jul 2005 · 24 posts
Group memberships: Members
Downloading the zips doesn't work. At least I can download neither the full version nor the patch. I tried it with Firefox and Safari. The diff can be downloaded, but doesn't work under MacOS.

Regards, cURT
Yves (Administrator) #11
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
It has been working again since about 22:45 yesterday.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
cURT #12
Member since Jul 2005 · 24 posts
Group memberships: Members
Great, thanks. Downloaded and installed.

cURT
Yves (Administrator) #13
User title: UNB developer & webmaster
Member since Jan 2004 · 3814 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Subject: Bug in Patch 4 - Fixed
Hello everybody. When making Patch 4, I did this in UNB 1.6 first and then backported it to version 1.5. There I cleaned up the code a little too much and removed a line that wasn't required in 1.6 but is in 1.5. Now the entire search function always returns no result. The fix is easy, but this time here's a single file to replace. I'll update the download archive and Patch 4 afterwards.

To correct this bug, simply replace the file bb_lib/search.inc.php with the one attached here. (Unzip it first!)
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
The author has attached one file to this post:
search.inc.zip 5.7 kBytes