vBulletin Security Patch for 4.X and 3.X

Discussion in 'vBulletin Discussions' started by News Bot, May 31, 2011.

  1. News Bot

    Yahoo YUI Security Exploit

    We have been notified of a potential, but unconfirmed exploit in vBulletin 3 and 4 (all versions) via the Yahoo YUI component library.
    To rectify this issue we have released a patch for the latest version of vBulletin 3 and vBulletin 4, vBulletin 3.8.7 and vBulletin 4.1.3. Forthcoming vBulletin 4.1.4 will not be affected.
    As such, we have released:
    • vBulletin Publishing Suite 4.1.3 PL1
    • vBulletin Forum Classic 4.1.3 PL1
    • vBulletin Forum Classic 3.8.7 PL1

    Upgrade Process
    The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.
    As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.



    New installations/upgrades
    If you are upgrading your site, or installing a new copy of our software, the latest software packages include the patch. These can be downloaded from your Members Area.



    To manually fix versions prior to vBulletin 4.1.3 and 3.8.7
    1. Edit one line in the class_core.php file located at /includes/class_core.php: find the line “define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle” and replace it with “define('YUI_VERSION', '2.9.0'); // define the YUI version we bundle”.
    2. In AdminCP, go to “Options” => “Server Settings and Optimization Options”, find the “Use Remote YUI” option, and in the dropdown switch to a server of your choice, Google or Yahoo.


     
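A check for step 1 of the manual fix above, as an added example that is not part of the original announcement or vBulletin's own code: it reads includes/class_core.php under each forum root and reports whether YUI_VERSION is at least 2.9.0. The function names and status strings are assumptions for illustration; step 2 (the "Use Remote YUI" AdminCP option) is not checked.

```python
import re
import sys
from pathlib import Path

# Version that step 1 of the manual fix sets in includes/class_core.php.
FIXED_YUI = (2, 9, 0)

# An active define('YUI_VERSION', 'x.y.z') at the start of a line; a line
# that begins with // or # does not match, so commented-out copies are skipped.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"]YUI_VERSION['"]\s*,\s*['"](\d+(?:\.\d+)*)['"]\s*\)""",
    re.MULTILINE,
)

def yui_version(php_source):
    """Return the defined YUI version as a tuple of ints, or None if absent."""
    # Drop /* ... */ blocks first so a define inside one is not counted.
    source = re.sub(r"/\*.*?\*/", "", php_source, flags=re.DOTALL)
    match = DEFINE_RE.search(source)
    return tuple(int(p) for p in match.group(1).split(".")) if match else None

def check(php_source):
    """'ok' if YUI_VERSION >= 2.9.0, 'outdated' if lower, 'unknown' if not found."""
    version = yui_version(php_source)
    if version is None:
        return "unknown"
    version += (0,) * (len(FIXED_YUI) - len(version))  # treat 2.9 as 2.9.0
    return "ok" if version >= FIXED_YUI else "outdated"

def scan(forum_roots):
    """Map each forum root directory to the status of its class_core.php."""
    results = {}
    for root in forum_roots:
        try:
            text = (Path(root) / "includes" / "class_core.php").read_text(errors="replace")
            results[str(root)] = check(text)
        except OSError:
            results[str(root)] = "unknown"
    return results

# Constructed sample: the unpatched line quoted in the announcement.
SAMPLE = "<?php\ndefine('YUI_VERSION', '2.7.0'); // define the YUI version we bundle\n"

if __name__ == "__main__":
    for root, status in scan(sys.argv[1:]).items():
        print(f"{status:8} {root}")
```

Run it with one or more forum root directories as arguments; an "outdated" result means the define in that copy of class_core.php is still below 2.9.0.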
  2. SpacewardAsh

    Oopsies, another security exploit. You'd think they'd make the effort to at least ensure any third-party components were kept updated, now wouldn't you?
     
  3. Kaiser

    Indeed, and considering vB 3 has this, then that means they were unaware of this for a long time.
     
  4. SpacewardAsh

    Yea, and if you look, they are two "minor/feature" release versions out, and it is like 2+ years out of date...
     