vBulletin 3.7.0 Release Candidate 4

Discussion in 'vBulletin Discussions' started by ForumAddict, Apr 23, 2008.

  1. ForumAddict

    ForumAddict The AdminAddict Bot

    Dec 24, 2007
    vBulletin 3.7.0
    Release Candidate 4

    Yeah, we know...


    If you are not fully at home with backing-up and restoring your forum, dealing with bugs and regular upgrades, DO NOT INSTALL THIS VERSION

    Last week, I announced that we intended to release the stable, final version of vBulletin 3.7.0 this week. I'm sorry to say that this will not be the case.

    A security hole involving a CSRF (cross-site request forgery) vulnerability was reported to us over the weekend, requiring changes to significant numbers of templates and files in all of our products including vBulletin 3.x, Blog and Project Tools. The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.

    Incidentally, this vulnerability is not unique to vBulletin - many web applications are affected and always have been, due to the very nature of the web.

    It was decided that rather than push ahead and release 3.7.0, it would be better to roll out a further release candidate containing the fix for this problem, as the changes are widespread and it would not be prudent to label 3.7.0 as 'stable' before it has had at least one outing in pre-release form.

    As we release vBulletin 3.7.0 Release Candidate 4, we are simultaneously releasing 3.6.10, which contains various bug fixes back-ported from 3.7.0, and of course the fix for the security problem. New versions of Blog and Project Tools will follow shortly in the coming days.

    Unfortunately, due to the number of file and template changes required by the security fix, it is not practical to provide a patch or plugin to resolve the problem - only a full-scale upgrade will be sufficient.

    We recommend that all customers upgrade as soon as possible.
    Customers running 3.7.x should upgrade to 3.7.0 RC4.
    Customers running 3.6.9 or earlier should upgrade to 3.6.10.

    To all those who have been expecting to download vBulletin 3.7.0 'Gold' this week, we are sorry. We hope that the fact that we would rather delay a major, pre-announced release than put out software with known vulnerabilities illustrates our commitment to security.

    If testing of this release candidate goes well, we will once again be looking at a stable release next week.

    PHP and MySQL Recommendations

    We recommend that vBulletin 3.7 is run on PHP 5.2.5 with APC (or a similar opcode cache) and MySQL 5.0.51 for best performance and stability.

    What does Release Candidate mean?

    Release Candidate, or RC for short, means that we believe vBulletin 3.7 will be ready to be declared a "stable" and "supported" release once it has undergone some final testing. The only known bugs that may remain are trivial.

    RCs will be released until only trivial bugs are being fixed. Once this happens, the next stage is to move on to "gold" or, as it's officially known, 3.7.0.

    This is still pre-release software. If you are not fully at home with backing-up and restoring your forum, dealing with bugs and regular upgrades, do not install this version but rather wait for the final, 3.7.0 version.

    Customers should bear in mind that this is a release candidate, not a certified 'stable' release so the following caveats apply:
    • Pre-release software is unsupported and you install beta and RC versions at your own risk.
    • Some minor bugs remain unresolved at this time, so pre-release software should not be deployed on production sites.
    • You should always back up your database fully before attempting to install pre-release software.
    • If you choose to install this version, you should be aware that we plan to release new RC versions in rapid succession as bugs are fixed and holes are plugged. Do not install this RC version if you are not willing or able to keep up-to-date with new releases.
    • The ImpEx import system does not support the 3.7 code yet, and will not support it until the release of 3.7.0 (stable).

    More on this...
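
A common defence against the kind of CSRF problem described in the announcement above is a session-bound token that every form template carries and every form handler verifies before acting. The sketch below is an added example, not part of the original post and not vBulletin's own code; the function names, the `csrf_token` field name and all sample values are assumptions made for illustration.

```php
<?php
// Added illustration; not vBulletin code. All names here are hypothetical.

// Derive a token bound to the user's session: HMAC(secret, session id | issue time).
function csrf_issue_token(string $secret, string $sessionId, int $now): string
{
    $mac = hash_hmac('sha256', $sessionId . '|' . $now, $secret);
    return $now . '-' . $mac;
}

// Accept a state-changing POST only if the token matches this session and is fresh.
function csrf_verify_token(string $secret, string $sessionId, ?string $token, int $now, int $ttl = 3600): bool
{
    if ($token === null || !preg_match('/^(\d{1,12})-([0-9a-f]{64})$/', $token, $m)) {
        return false;                       // missing or malformed: what a forged cross-site form looks like
    }
    $issued = (int) $m[1];
    if ($issued > $now || $now - $issued > $ttl) {
        return false;                       // future-dated or expired
    }
    $expected = hash_hmac('sha256', $sessionId . '|' . $issued, $secret);
    return hash_equals($expected, $m[2]);   // constant-time comparison
}

// Render the hidden field that every form template must carry.
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed sample values for the demonstration.
$secret  = 'constructed-server-side-secret';
$session = 'constructed-session-id-for-admin';
$now     = 1208900000;

$token = csrf_issue_token($secret, $session, $now);
echo csrf_hidden_field($token), "\n";

$cases = [
    'legitimate form post'       => [$session, $token, $now + 60],
    'cross-site post, no token'  => [$session, null, $now + 60],
    'token from another session' => ['constructed-other-session', $token, $now + 60],
    'expired token'              => [$session, $token, $now + 7200],
];
foreach ($cases as $label => [$sid, $tok, $at]) {
    printf("%-28s %s\n", $label, csrf_verify_token($secret, $sid, $tok, $at) ? 'accepted' : 'rejected');
}
```

Only the first case is accepted. Because a third-party page cannot read the token out of the victim's session, a form submitted from it fails the check even though the browser sends the session cookie.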
  2. Tyler

    Tyler The Badministrator

    Dec 23, 2007
    Long Island, NY
    Ah, that's a shame. At least they're taking proper precautions rather than giving us something that isn't safe just to get it out earlier.
  3. Daniel

    Daniel Regular Member

    Dec 23, 2007
    Noooo! But, but, they promised! Gah, oh well. Doesn't matter much anyway, but I wish it'd get out soon. I'm still waiting for the next version of the blog, which is supposedly coming out soon after 3.7 goes gold. It is good to see their commitment to security though.
  4. Disasterpiece

    Disasterpiece Addict

    Apr 11, 2008
    Sigh.. that'll be the 4th upgrade within two weeks of my site. do not want... ^^
  5. kaiila

    kaiila Newcomer

    Apr 11, 2008
    lol i was too lazy so im just gonna wait for the other admin to upgrade haha
  6. Daniel

    Daniel Regular Member

    Dec 23, 2007
    Yeah, gold's supposed to come out sometime this week. Any day now. :D
