SMF 2.0.1 and 1.1.15 critical security patches released

Started by Norv, September 18, 2011, 06:24:43 PM


Oldiesmann

Quote from: live627 on September 19, 2011, 12:17:50 AM
Did you emulate a different version?

That won't have anything to do with it. In 2.0, the files containing that info (and other info, such as the news and the latest themes/packages), are fetched from our servers once every 24 hours and stored in your forum database. This saves bandwidth for us and eliminates the possibility of your forum admin center taking forever to load if our site is down. I posted info on the previous page about how to get it to show up if it isn't already showing up.
Michael Eshom
Christian Metal Fans

ForumGuy789

Norv and Oldiesmann were right. I just needed to run that task.

Vincent Volmer


KVL

SMF 2.0.1 and 1.1.15: updated successfully! :) Thank you very much! :)

Tjati

Hi there,

In the changelog (http://download.simplemachines.org/index.php?thanks;filename=smf_2-0-1_changelog.txt) it is written:
Quote: ! A sensitive token was sent in the URL, allowing CSRF vulnerability (Subs-Menu.php)
But comparing Subs-Menu.php of version 2.0 and 2.0.1 does not show any differences except the @version line.

Was the bug already fixed in 2.0, or did you fail to replace the files correctly?

Thanks for the information!

Update: Since 2.0 RC4, no change (except a comment) has been made in Sources/Subs-Menu.php.


Fisch.666

Quote from: Tjati on September 19, 2011, 03:37:47 AM
In the changelog (http://download.simplemachines.org/index.php?thanks;filename=smf_2-0-1_changelog.txt) it is written:
Quote: ! A sensitive token was sent in the URL, allowing CSRF vulnerability (Subs-Menu.php)
But comparing Subs-Menu.php of version 2.0 and 2.0.1 does not show any differences except the @version line.

Was the bug already fixed in 2.0, or did you fail to replace the files correctly?

Good question, any info for this?

Roph

Updated a couple installations of mine without a hitch. Great work. Happy that us long-time SMF 2 users don't have to go the manual route any more :)

N3RVE

Ralph "[n3rve]" Otowo
Former Marketing Co-ordinator, Simple Machines.
ralph [at] simplemachines [dot] org
"Somewhere, something incredible is waiting to be known." - Carl Sagan

Robert.


Rohan_

Proud To Be An Indian

Rain Forest

Nicely done. Although the language packages for 2.0.1 are corrupt..

Kindred

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Ventic

'Cause I don't wanna lose the mods I added manually, which package should I use?

Oldiesmann

Quote from: Ventic on September 19, 2011, 11:52:49 AM
'Cause I don't wanna lose the mods I added manually, which package should I use?

If you're on 1.1.x, you can upgrade through the admin center by following the instructions in the upgrade notice (click to download the patch, then install it through the admin center).

If you're on 2.0 final, you can also upgrade through the admin center.

If you're on 2.0 RC5 or earlier, you will need to use the full upgrade.
Michael Eshom
Christian Metal Fans

Ventic

Quote from: Oldiesmann on September 19, 2011, 11:55:57 AM
Quote from: Ventic on September 19, 2011, 11:52:49 AM
'Cause I don't wanna lose the mods I added manually, which package should I use?

If you're on 1.1.x, you can upgrade through the admin center by following the instructions in the upgrade notice (click to download the patch, then install it through the admin center).

If you're on 2.0 final, you can also upgrade through the admin center.

If you're on 2.0 RC5 or earlier, you will need to use the full upgrade.
I use 2.0 final, but I don't need to update via the package, but by uploading the files.

Oldiesmann

Quote from: Ventic on September 19, 2011, 11:57:17 AM
Quote from: Oldiesmann on September 19, 2011, 11:55:57 AM
Quote from: Ventic on September 19, 2011, 11:52:49 AM
'Cause I don't wanna lose the mods I added manually, which package should I use?

If you're on 1.1.x, you can upgrade through the admin center by following the instructions in the upgrade notice (click to download the patch, then install it through the admin center).

If you're on 2.0 final, you can also upgrade through the admin center.

If you're on 2.0 RC5 or earlier, you will need to use the full upgrade.
I use 2.0 final, but I don't need to update via the package, but by uploading the files.

You can upload through the admin center then. If you don't see a notice in your admin center about the patch, do the following:

Admin -> Maintenance -> Scheduled Tasks
Check the second box next to "Fetch Simple Machines Files" (the first one should already be checked)
Click the "Run Now" button

Alternately you can download the patch from the Upgrade Site and upload it through your package manager.
Michael Eshom
Christian Metal Fans

Ventic

I told you I don't wanna do the upgrade via the package manager, but by uploading the files normally.

Crime

Thanks a lot for the upgrade. I have upgraded all my web sites.
