Simple Machines Community Forum

Simple Machines => News and Updates => Topic started by: Oldiesmann on October 02, 2014, 07:13:55 PM

Title: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Oldiesmann on October 02, 2014, 07:13:55 PM
Dear users,

Simple Machines Forum has released security patches to both the 1.1.x and the 2.0.x release lines. This brings our released versions to SMF 1.1.20 and SMF 2.0.9.

Several security issues were identified in both release lines and have been addressed with this patch.  It is, therefore, recommended that you update your forums immediately to ensure that your community is safe.  In addition to the security patches, a few bug fixes for the SMF 2.0 line have also been included in the 2.0.9 patch.

If you are running version 2.0.8, you can update your forum to version 2.0.9 using the package manager. As usual, you should see the upgrade notification in the Admin panel and in the package manager, which will allow you to download and install the patch seamlessly.  If you don't see the notification about the update, please run the scheduled task "Fetch Simple Machines files".  You can also download the patch for 2.0.9 from the customize site (http://custom.simplemachines.org/upgrades/) by downloading the smf_patch_1.1.20_2.0.9.zip patch file, and then installing it from the package manager, like any other mod package.

If you are running 1.1.19, you can update to 1.1.20 by using the smf_patch_1.1.20_2.0.9.zip patch file and installing it via the package manager as well.  If you are still using 1.1.x branch, please be aware this will be the last patch released for this version, so you are strongly urged to upgrade to 2.0.9, in order to be able to continue to receive security upgrades to your forum. Note that we will continue to provide support for 1.1 until 2.1 final is released.

If you use older versions of SMF, you can upgrade by using the full upgrade archive for version 2.0.9 from the downloads page (http://download.simplemachines.org/). Be aware that using this upgrade method will require you to replace your mods with ones designed for the 2.0.x line.

You can also view the change log for the latest release, as usual, on the downloads page (http://download.simplemachines.org/).

If you are having problems downloading the patch from the admin panel, you can download the package from the upgrade patches page (http://custom.simplemachines.org/upgrades/) and install it like a mod, as instructed above.

Please refer to the Online Manual for more details about:
* upgrading  (http://wiki.simplemachines.org/smf/Upgrading)
* patching (http://wiki.simplemachines.org/smf/Patching)

Please do not use this topic for support requests.  You will receive a much quicker and better response by posting in the relevant support board!

Thank you for using SMF! :)

Regards,
Simple Machines Forum
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Looking on October 02, 2014, 07:16:03 PM
Thanks for keeping us up to date!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: ApplianceJunk on October 02, 2014, 07:20:29 PM
Thanks
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: ARG01 on October 02, 2014, 08:04:53 PM
Appreciated.  ;)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Illori on October 02, 2014, 08:15:56 PM
Quote from: SimpMode on October 02, 2014, 08:04:53 PM
Appreciated.  But where is the 2.0.9 patch download? The Upgrade Downloads page only supplies up to 2.0.8. ;)

it is on the bottom of the list.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: ARG01 on October 02, 2014, 08:17:28 PM
LOL. I just noticed that.  ;D
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: SaltedWeb on October 02, 2014, 08:40:35 PM
No issues works well, thank you.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: KVL on October 02, 2014, 09:09:25 PM
Updated successfully. :) Thank you very much SMF team for your very great job! :)

Many thanks to SMF! :)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: vbgamer45 on October 02, 2014, 09:10:38 PM
Congrats on the release! Thanks for update to SMF 1.1.x as well
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Mstcool on October 02, 2014, 09:43:29 PM
Woot Woot! :D
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: forumdraco on October 03, 2014, 03:34:41 AM
Strange, on one forum I see the 2.0.9 in the Administration Center and I can upgrade using the package manager, on another forum it says 2.0.8 is the latest release... any idea how this is possible?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: ThomasJones on October 03, 2014, 04:05:06 AM
Really nice work guys ~ will update when I get to work  :D
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: tandro on October 03, 2014, 04:18:31 AM

Many thanks to SMF Team for keeping us up to date!!!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Fisch.666 on October 03, 2014, 04:31:30 AM
Hi,

when checking for newer files in the board maintenance the Subs-Post.php is shown as "my version 2.0.8" and the "current version 2.0.9" when applying the patch via the package manager. Seems the header @version 2.0.8 was not updated by the patch.

Quote from: forumdraco on October 03, 2014, 03:34:41 AM
Strange, on one forum I see the 2.0.9 in the Administration Center and I can upgrade using the package manager, on another forum it says 2.0.8 is the latest release... any idea how this is possible?

You need to run the Task "fetch simple machines data" in your planned tasks (maintenance)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Herman's Mixen on October 03, 2014, 04:45:00 AM
Not all files are patched, only the security ones which needed to be patched ;)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Fisch.666 on October 03, 2014, 04:52:03 AM
Hi,

the Subs-Posts.php was patched in the smf_2-0-9_patch.xml or am I wrong?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: margarett on October 03, 2014, 05:05:34 AM
Subs-Post.php (no "s") was.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Fisch.666 on October 03, 2014, 05:22:26 AM
Ok, so probably just the header wasn't updated. Have now done this manually
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: forumdraco on October 03, 2014, 05:44:34 AM
Quote from: Fisch.666 on October 03, 2014, 04:31:30 AM
Quote from: forumdraco on October 03, 2014, 03:34:41 AM
Strange, on one forum I see the 2.0.9 in the Administration Center and I can upgrade using the package manager, on another forum it says 2.0.8 is the latest release... any idea how this is possible?

You need to run the Task "fetch simple machines data" in your planned tasks (maintenance)

Thanks, that did the trick! ;-)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Mr.Truckman on October 03, 2014, 08:04:01 AM
Thanks  ;D
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Masterd on October 03, 2014, 10:00:33 AM
Good job boys and girls!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Steve on October 03, 2014, 11:12:01 AM
Add my thanks to everyone involved. :D
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Apllicmz on October 03, 2014, 11:46:31 AM
Yes good work
thank you
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Robert. on October 03, 2014, 12:05:37 PM
Congrats!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Mr. Jinx on October 03, 2014, 12:51:45 PM
Thanks again for keeping SMF secure and bug free!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: NekoJonez on October 03, 2014, 02:43:50 PM
When can we see the upgrade package?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kindred on October 03, 2014, 02:44:56 PM
The upgrade package is there...
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: NekoJonez on October 03, 2014, 02:49:07 PM
Forgive me. :P

(Blame it on being tired of being a receptionist at a busy busy company all week.)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Ninja ZX-10RR on October 03, 2014, 03:54:42 PM
Thanks for the update :)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Aaron10 on October 03, 2014, 05:25:01 PM
Just updated without errors but before updating I noticed the latest version was stuck at ?? and the news area says:

Quote
You are unable to connect to simplemachines.org's latest news file.

This must've just started happening recently as I've just noticed it. :S
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Herman's Mixen on October 03, 2014, 08:59:36 PM
Quote
try to run the Task "fetch simple machines data"

does that help ?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Aaron10 on October 03, 2014, 11:23:32 PM
Admin > Scheduled Tasks > Fetch Simple Machines Files (Run Now)? Yeah I tried it but still nothing.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: mashby on October 03, 2014, 11:33:38 PM
Of course this topic is not for support and the site in your signature is on 2.0.9. If you are having issues on another site, use the 2.0.x Support board please. :)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Abhijit1030 on October 04, 2014, 02:20:48 AM
I think IMG tag not working in SMF 2.0.9

I tried to put image a post with IMG tag but image not showing.

I notice it also in my forum.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Ninja ZX-10RR on October 04, 2014, 02:30:35 AM
This topic is not for support, once again.

The IMG tag works perfectly both here and on my 2.0.9 anyway so it must be something on your own forum, please post in the support board, so that someone may assist you :)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Abhijit1030 on October 04, 2014, 02:38:27 AM
Quote from: ♦ Ninja ZX-10RR ♦ on October 04, 2014, 02:30:35 AM
This topic is not for support, once again.

The IMG tag works perfectly both here and on my 2.0.9 anyway so it must be something on your own forum, please post in the support board, so that someone may assist you :)

sorry for that see this topic I created image not showing with IMG tag
http://www.simplemachines.org/community/index.php?topic=528506.0
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Antechinus on October 04, 2014, 02:44:14 AM
Quote
If you are still using 1.1.x branch, please be aware this will be the last patch released for this version, so you are strongly urged to upgrade to 2.0.9, in order to be able to continue to receive security upgrades to your forum. Note that we will continue to provide support for 1.1 until 2.1 final is released.

Interesting. So what you are saying is that 2.1 final is going to be released before any new exploits are found for 1.1.x. That would imply that 2.1 final is almost ready. :D

That must be the fastest beta and RC series in history.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Masterd on October 04, 2014, 05:00:48 AM
Quote from: Antechinus on October 04, 2014, 02:44:14 AM
Interesting. So what you are saying is that 2.1 final is going to be released before any new exploits are found for 1.1.x. That would imply that 2.1 final is almost ready. :D

That must be the fastest beta and RC series in history.

I was wondering the same thing. However, it does partially make sense to completely shift focus from 1.1 and put every spare second into 2.1.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Antechinus on October 04, 2014, 05:08:48 AM
They'll probably get away with it, given that exploits for 1.1.x don't seem to be turning up very often, but "we will continue to provide support for 1.1 until 2.1 final" implies 1.1.x will be patched if exploits turn up before 2.1 is ready. If it's not going to be patched any more, then in reality it is unsupported now.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Masterd on October 04, 2014, 05:17:27 AM
Quote from: Antechinus on October 04, 2014, 05:08:48 AM
They'll probably get away with it, given that exploits for 1.1.x don't seem to be turning up very often, but "we will continue to provide support for 1.1 until 2.1 final" implies 1.1.x will be patched if exploits turn up before 2.1 is ready. If it's not going to be patched any more, then in reality it is unsupported now.

They're probably referring to the support board.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Antechinus on October 04, 2014, 05:24:03 AM
That doesn't fix security problems. ;)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: amiralib on October 04, 2014, 06:18:22 AM
does this patch fix the no UTF8 websites problems with PHP 5.4 or not?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kindred on October 04, 2014, 08:00:55 AM
Did you read the changeLog?

And antechinus...
We will continue to provide support in the support boards... However, we will not be patching 1.1.x any further. From now on, the recommended solution to security issues in 1.1.x is to upgrade to 2.0.x....
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: NekoJonez on October 04, 2014, 08:07:11 AM
Quick question: Which of the files are extremely important to update? Since some get for me: "Test failed (ignore errors)".

What do these parts of the update do exactly...? Is it really wise to ignore them?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kindred on October 04, 2014, 08:08:10 AM
Your questions have already been answered, above in this same thread...
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: gisfreak on October 04, 2014, 10:32:22 AM
congrats, updating now
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: medicMe on October 04, 2014, 11:48:11 AM
 :)

Thanks for all the hard work!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: HDB on October 04, 2014, 02:40:36 PM
2.0.9 Patch installed on two forums and all is working great! Thanks!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Chalky on October 04, 2014, 03:00:55 PM
Nice work guys, thank you!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Antechinus on October 04, 2014, 05:15:39 PM
Quote from: Kindred on October 04, 2014, 08:00:55 AM
Did you read the changeLog?

And antechinus...
We will continue to provide support in the support boards... However, we will not be patching 1.1.x any further. From now on, the recommended solution to security issues in 1.1.x is to upgrade to 2.0.x....

Ok, so let's be clear on this. The no-BS version is that in terms of security, 1.1.x is unsupported as of now. This is a change of policy over what has consistently been claimed for years; that 1.1.x would be patched until 2.1 was stable.

That means that if an exploit for 1.1.x turns up before 2.1 is stable, which is quite possible given the pace of SMF dev, the admin of any 1.1.x site will have to turn their site upside down with a major upgrade to 2.0.x. Then, when 2.1 is stable, they will have to do it all over again if they want something up to date. 2.0.x isn't all that impressive by today's standards, and IMO has little real advantage over a well-customised 1.1.x, so this is going to be annoying. It'd be much better to just be able to go straight to 2.1, and only turn the site upside down once.

Do note that there are already other forum apps, some forked from SMF and some not,  that are stable now, and have very good features, and very good migration tools. If I was still adminning a 1.1.x site, I would not be taking this announcement as an incentive to upgrade to 2.0.x, because frankly there are better options available. I would be looking at those options instead. OTOH, if I could be sure of having 1.1x patched until 2.1 is stable, I would probably be more inclined to wait for 2.1.

Bottom line is you may be shooting yourselves in the foot with this change of policy. My 2c.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Antes on October 04, 2014, 05:57:28 PM
Quote from: Antechinus on October 04, 2014, 05:15:39 PM
Quote from: Kindred on October 04, 2014, 08:00:55 AM
Did you read the changeLog?

And antechinus...
We will continue to provide support in the support boards... However, we will not be patching 1.1.x any further. From now on, the recommended solution to security issues in 1.1.x is to upgrade to 2.0.x....

Ok, so let's be clear on this. The no-BS version is that in terms of security, 1.1.x is unsupported as of now. This is a change of policy over what has consistently been claimed for years; that 1.1.x would be patched until 2.1 was stable.

That means that if an exploit for 1.1.x turns up before 2.1 is stable, which is quite possible given the pace of SMF dev, the admin of any 1.1.x site will have to turn their site upside down with a major upgrade to 2.0.x. Then, when 2.1 is stable, they will have to do it all over again if they want something up to date. 2.0.x isn't all that impressive by today's standards, and IMO has little real advantage over a well-customised 1.1.x, so this is going to be annoying. It'd be much better to just be able to go straight to 2.1, and only turn the site upside down once.

Do note that there are already other forum apps, some forked from SMF and some not,  that are stable now, and have very good features, and very good migration tools. If I was still adminning a 1.1.x site, I would not be taking this announcement as an incentive to upgrade to 2.0.x, because frankly there are better options available. I would be looking at those options instead. OTOH, if I could be sure of having 1.1x patched until 2.1 is stable, I would probably be more inclined to wait for 2.1.

Bottom line is you may be shooting yourselves in the foot with this change of policy. My 2c.

if some admins rather to stay on 1.1.x (which you need to downgrade your php/mysql for complete compatibility) they already "be shooting themselves in the foot"... But I agree, comparing 2.1 vs 2.0 - there is a big difference and yet it's worth to wait for it, rather than going another software. To me I actually asked team to kill SMF 1.1 nearly 1 year ago, but we'll see things after first two beta releases of SMF 2.1.

Quote from: ♦ Ninja ZX-10RR ♦ on October 04, 2014, 05:41:06 PM
@antechinus


I totally agree with you. I will stick to 2.0.9 until 2.1 will have the 110+ mods that I want updated, and since this is not likely to happen in at least 10 years time I think I will upgrade directly to 3, in said time, when mods etc etc... I think you got that.

Illogical


I wasn't going to reply to this topic but I don't have permission to split it so, admins will split this topic soon. This topic is not for discussing other softwares/new version or problems.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Antechinus on October 04, 2014, 06:01:20 PM
Quote from: Antes on October 04, 2014, 05:57:28 PM
if some admins rather to stay on 1.1.x (which you need to downgrade your php/mysql for complete compatibility) they already "be shooting themselves in the foot"... But I agree, comparing 2.1 vs 2.0 - there is a big difference and yet it's worth to wait for it, rather than going another software. To me I actually asked team to kill SMF 1.1 nearly 1 year ago, but we'll see things after first two beta releases of SMF 2.1.

Nope, because many good hosts run 1.1.x just fine. No problems at all. No downgrade required.


Quote
I wasn't going to reply to this topic but I don't have permission to split it so, admins will split this topic soon. This topic is not for discussing other softwares/new version or problems.

Well, split away if you like, but these are valid points to raise IMO, and they are directly related to the content of the OP of this topic. Just don't hide it all if you do split it.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Arantor on October 04, 2014, 07:12:33 PM
Wrong on your last point.

Any host that upgrades to PHP 5.4 or beyond - you know, for the *supported* versions of PHP (PHP 5.3 is EOL)... will have problems with SMF 1.1.

Any host that upgrades to PHP 5.5 or beyond - for the 'current' stable version of PHP - will definitely have problems with SMF 1.1.

The changes are sufficient that it is not feasible to patch such things.

And it has been recommended for months and months to upgrade anyway.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Biology Forums on October 04, 2014, 07:37:18 PM
Quote from: vbgamer45 on October 02, 2014, 09:10:38 PM
Congrats on the release! Thanks for update to SMF 1.1.x as well

Same.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Antechinus on October 04, 2014, 08:01:03 PM
Quote from: Arantor on October 04, 2014, 07:12:33 PM
Wrong on your last point.

Any host that upgrades to PHP 5.4 or beyond - you know, for the *supported* versions of PHP (PHP 5.3 is EOL)... will have problems with SMF 1.1.

Any host that upgrades to PHP 5.5 or beyond - for the 'current' stable version of PHP - will definitely have problems with SMF 1.1.

The changes are sufficient that it is not feasible to patch such things.

And it has been recommended for months and months to upgrade anyway.

Ok, so what you are saying is that 1.1.x is effectively EOL right now, and 2.1 has no ETA. So, for anyone still on 1.1.x it comes down to comparing 2.0.x against whatever else is available right now, then deciding which option they prefer.

BTW, it has been recommended to upgrade to 2.0.x since the day it went stable, so you can't really blame people for ignoring more recent exhortations without the above information being given.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Arantor on October 04, 2014, 08:07:57 PM
Me? I don't get a say on it, I'm not team :P I'm merely observing the state of play with 1.1 and current PHP versions.

The fact that the codebase is even more legacy and convoluted in places than 2.0 is, the fact that there are likely more security holes simply never discovered thus far...

Let me put it this way: the original vulnerability fixed in 2.0.9 with the package manager was found by me. Recently, in fact, as in this year. Except it's been there since the start. Who knows how many more are waiting to be found? And worse: how many of them cannot meaningfully be fixed in 1.1 because of technical restrictions?

I am surprised, though, at the outright declaration of 'no more patches'. I thought the plan was to be blunt and say 'here's 2.1 beta; officially hereby be notified that with 2.1 final which is coming soon, 1.1 will no longer be supported'.

The fact 1.1 is now 8 1/2 years old is a minor detail.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Antechinus on October 04, 2014, 08:51:48 PM
My understanding was that the policy was always to patch whatever could be patched in 1.1.x, up until the day that 2.1 was stable, at which point 1.1.x would immediately get canned completely.

But 2.1 is not currently relevant, since it has no ETA.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Arantor on October 04, 2014, 08:58:21 PM
That was my understanding too - with the caveat that with 2.1 beta 1, there would be some prominent 'yo folks, this is what we're doing, time to get your house in order' warning about 1.1's imminent sunset.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kindred on October 04, 2014, 09:04:17 PM
First...  Yes, that WAS the "policy".  We have since reviewed and revised it given the difficulty in maintaining a code base which is so outdated and can't even support several of the patches to keep up with current versions of server softwares. Additionally, it is time for people to consider upgrading sooner rather than later, because of that, amongst other things.

Second...  2.1 actually does have an ETA. Such a date has just not been released to the public, per our normal policy of not declaring dates.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Ferny on October 05, 2014, 04:48:48 AM
Hello!

I think there is something wrong in the upgrade package from 2.0.8 to 2.0.9. It's about the second operation in "$sourcedir/ManageServer.php":

<operation>
<search position="before"><![CDATA[
$context['config_vars'][$config_var[1]]['value'] = unserialize($context['config_vars'][$config_var[1]]['value']);
]]></search>
<add><![CDATA[
$context['config_vars'][$config_var[1]]['value'] = !empty($context['config_vars'][$config_var[1]]['value']) ? unserialize($context['config_vars'][$config_var[1]]['value']) : array();
]]></add>
</operation>


It should be position="replace" instead of position="before", right? I saw some errors in the log after upgrading (I can explain the details if necessary), and after manual fixing they are gone.

That file is OK in the install and upgrade full packages for 2.0.9 (just the upgrade package is wrong).

Regards :)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Chalky on October 05, 2014, 06:39:49 AM
I don't have any errors in my log after using the patch.  What are the exact errors you're getting?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Masterd on October 05, 2014, 07:05:00 AM
Quote from: Antechinus on October 04, 2014, 08:51:48 PM
My understanding was that the policy was always to patch whatever could be patched in 1.1.x, up until the day that 2.1 was stable, at which point 1.1.x would immediately get canned completely.

I personally can't understand their decision to support 1.1.x for so long. If they had dropped support for it back in 2012 vast majority of (if not all) users would already be on 2.0.x and we wouldn't be in such mess.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Burke ♞ Knight on October 05, 2014, 07:11:20 AM
Quote from: Chalky on October 05, 2014, 06:39:49 AM
I don't have any errors in my log after using the patch.  What are the exact errors you're getting?

It does not actually make an error, but it does seem that an add after was used instead of a replace.
So technically, instead of replacing the line, it left it and added the newer line that had more code to it.
Thus, leaving extra code that is not needed, and may produce errors that I am unaware of at this time.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kindred on October 05, 2014, 07:58:56 AM
Quote from: Ferny on October 05, 2014, 04:48:48 AM
I think there is something wrong in the upgrade package from 2.0.8 to 2.0.9. It's about the second operation in "$sourcedir/ManageServer.

Since this thread is not for support, please raise your issue in the support or bug reports boards...
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: a10 on October 05, 2014, 10:07:20 AM
Installed in seconds. Thanks.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Weirdo on October 05, 2014, 10:18:33 AM
Awesome. :)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Ferny on October 05, 2014, 01:03:07 PM
Quote from: Kindred on October 05, 2014, 07:58:56 AM
Quote from: Ferny on October 05, 2014, 04:48:48 AM
I think there is something wrong in the upgrade package from 2.0.8 to 2.0.9. It's about the second operation in "$sourcedir/ManageServer.

Since this thread is not for support, please raise your issue in the support or bug reports boards...

Posted here, with more details: http://www.simplemachines.org/community/index.php?topic=528577.0
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Oldiesmann on October 05, 2014, 01:42:21 PM
That should indeed be a replace. Just remove the original line and keep the new one there.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Ferny on October 05, 2014, 02:09:23 PM
Quote from: Oldiesmann on October 05, 2014, 01:42:21 PM
That should indeed be a replace. Just remove the original line and keep the new one there.

That's what I did ;) Another option is to replace the ManageServer.php by the one in the full-install package of 2.0.9
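
The ManageServer.php issue discussed above, as an added example that is not part of the original posts and is not SMF's package-manager code. It models only the two position values named in this thread, with "before" behaving as the posts describe (the searched line is kept and the new line is added after it), then detects and removes the leftover line; the function names and the surrounding context lines are constructed for illustration.

```python
import re

# The <search> and <add> bodies exactly as quoted in the thread.
SEARCH = ("$context['config_vars'][$config_var[1]]['value'] = "
          "unserialize($context['config_vars'][$config_var[1]]['value']);")
ADD = ("$context['config_vars'][$config_var[1]]['value'] = "
       "!empty($context['config_vars'][$config_var[1]]['value']) ? "
       "unserialize($context['config_vars'][$config_var[1]]['value']) : array();")

# Constructed stand-in for the 2.0.8 file: only the SEARCH line is real.
SAMPLE_2_0_8 = "\n".join([
    "\t\t// constructed context line (not SMF source)",
    "\t\t" + SEARCH,
    "\t\t// constructed context line (not SMF source)",
])

# "X = unserialize(X);" and "X = !empty(X) ? unserialize(X) : array();"
PLAIN = re.compile(r"^\s*(?P<var>\$.+?)\s*=\s*unserialize\((?P<arg>.+)\);\s*$")
GUARDED = re.compile(
    r"^\s*(?P<var>\$.+?)\s*=\s*!empty\((?P<chk>.+?)\)\s*\?\s*"
    r"unserialize\((?P<arg>.+?)\)\s*:\s*array\(\);\s*$"
)


def apply_operation(source, search, add, position):
    """Apply one search/add operation the way the thread describes it.

    "before":  the searched text stays and the added text follows it.
    "replace": the searched text is removed and the added text takes its place.
    """
    if source.count(search) != 1:
        raise ValueError("search text must match exactly once")
    start = source.index(search)
    line_start = source.rfind("\n", 0, start) + 1
    indent = source[line_start:start]
    if indent.strip():
        indent = ""  # search text does not start its line; add no indent
    if position == "before":
        replacement = search + "\n" + indent + add
    elif position == "replace":
        replacement = add
    else:
        raise ValueError("only the positions discussed in the thread are modelled")
    return source[:start] + replacement + source[start + len(search):]


def find_redundant_unserialize(php_source):
    """Return 1-based line numbers of an unguarded unserialize assignment
    whose next non-blank line is the guarded form of the same assignment."""
    lines = php_source.splitlines()
    hits = []
    for i, line in enumerate(lines):
        plain = PLAIN.match(line)
        if not plain or plain["var"] != plain["arg"]:
            continue
        j = i + 1
        while j < len(lines) and not lines[j].strip():
            j += 1
        if j == len(lines):
            continue
        guarded = GUARDED.match(lines[j])
        if guarded and guarded["var"] == plain["var"] == guarded["arg"]:
            hits.append(i + 1)
    return hits


def remove_leftover(php_source):
    """Drop the leftover original line and keep the guarded one."""
    drop = {n - 1 for n in find_redundant_unserialize(php_source)}
    kept = [l for i, l in enumerate(php_source.splitlines()) if i not in drop]
    return "\n".join(kept)


if __name__ == "__main__":
    as_shipped = apply_operation(SAMPLE_2_0_8, SEARCH, ADD, "before")
    print("leftover lines after 'before':", find_redundant_unserialize(as_shipped))
    intended = apply_operation(SAMPLE_2_0_8, SEARCH, ADD, "replace")
    print("leftover lines after 'replace':", find_redundant_unserialize(intended))
    print("manual fix matches 'replace':", remove_leftover(as_shipped) == intended)
```

With both lines present, the guarded line runs on a value the unguarded line has already passed through unserialize, so checking for the pair is a quick way to confirm which form of the patch a given ManageServer.php received.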
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Rob Lightbody on October 06, 2014, 02:07:13 PM
Thank you! :)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Biology Forums on October 06, 2014, 02:51:20 PM
I believe previews in Firefox are hanging. Any clue?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Masterd on October 06, 2014, 02:53:50 PM
Quote from: Shuban on October 06, 2014, 02:51:20 PM
I believe previews in Firefox are hanging. Any clue?

What exactly are you talking about?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Biology Forums on October 06, 2014, 02:54:48 PM
Quote from: Masterd on October 06, 2014, 02:53:50 PM
Quote from: Shuban on October 06, 2014, 02:51:20 PM
I believe previews in Firefox are hanging. Any clue?

What exactly are you talking about?

Make a post in 1.x and click preview before posting. It hangs and on Chrome it reloads the whole page.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Burke ♞ Knight on October 06, 2014, 03:04:38 PM
Quote from: Kindred on October 05, 2014, 07:58:56 AM
Since this thread is not for support, please raise your issue in the support or bug reports boards...

I think one may have already been made for this issue. ;)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: vbgamer45 on October 06, 2014, 04:10:28 PM
Quote from: Shuban on October 06, 2014, 02:54:48 PM
Quote from: Masterd on October 06, 2014, 02:53:50 PM
Quote from: Shuban on October 06, 2014, 02:51:20 PM
I believe previews in Firefox are hanging. Any clue?

What exactly are you talking about?

Make a post in 1.x and click preview before posting. It hangs and on Chrome it reloads the whole page.

Have a post on it at http://www.simplemachines.org/community/index.php?topic=528614.0
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Colin on October 06, 2014, 05:46:32 PM
Thanks folks.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: rentner on October 07, 2014, 05:11:02 AM
Thanks for the update, as always easy installation  8)

Subs-Post.php was shown in the version check 2.08 and red marked. I have changed it manually to 2.09.
Hope it is OK

Many thanks
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: biggboss8 on October 07, 2014, 05:21:16 AM
Thanks for updating :D
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: rentner on October 07, 2014, 08:33:07 AM
Just I got problems with some mods, after installing the update 2.0.9.
Following mods are not function anymore:
- Arcade games
- Aeva
- tapatalk --> get it function again after reinstall

As I try to reinstall Arcade and Aeva, the forum is break down and I have to restore the forum.
Hope I get it working again.


Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: scimmiotto on October 10, 2014, 04:09:23 PM
thanks!!!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Ned.net on October 10, 2014, 05:53:33 PM
Upgraded my 5 forums in 3 clicks each : many thanks for all your work and the ease to have access to it.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kindred on October 10, 2014, 06:14:59 PM
Quote from: rentner on October 07, 2014, 08:33:07 AM
Just I got problems with some mods, after installing the update 2.0.9.
Following mods are not function anymore:
- Arcade games
- Aeva
- tapatalk --> get it function again after reinstall

As I try to reinstall Arcade and Aeva, the forum is break down and I have to restore the forum.
Hope I get it working again.




Quote from: Kindred on October 05, 2014, 07:58:56 AM
Since this thread is not for support, please raise your issue in the support boards...
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: gogotha on October 10, 2014, 11:16:25 PM
Thank you Arantor, emanuele, Antes, fun4us, NanoSector, Suki, Chainy and SMF team for your time to make this software awesome!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: The Domain Shop on October 13, 2014, 03:55:20 PM
Thanks!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: 420SA on October 14, 2014, 02:07:01 AM
When I click to install the patch in the package manager I get ERROR 403 - FORBIDDEN

Why does this occur?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kindred on October 14, 2014, 06:17:44 AM
Because your host has screwed up the server configuration, probably...   However...    This thread is not for support.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Steve on October 14, 2014, 09:40:07 AM
Quote from: Kindred on October 14, 2014, 06:17:44 AM
This thread is not for support.

I was curious (and bored) so I looked back to see how many times this was said. It was surprisingly less than I thought ... only five times.

I guess peeples don't get it. :P
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Arantor on October 16, 2014, 02:01:47 PM
Quote from: Steve on October 14, 2014, 09:40:07 AM
I guess peeples don't get it. :P

Like always. I've never understood why these aren't just locked as soon as they are posted.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Oldiesmann on October 17, 2014, 01:50:50 PM
Quote from: Arantor on October 16, 2014, 02:01:47 PM
Quote from: Steve on October 14, 2014, 09:40:07 AM
I guess peeples don't get it. :P

Like always. I've never understood why these aren't just locked as soon as they are posted.

How else do you expect people to show us their undying love and gratitude for our hard work? :P
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Steve on October 17, 2014, 03:40:55 PM
I was torn between that and Arantor's opinion. :D
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: koutb123 on October 17, 2014, 08:39:44 PM
Many thanks to SMF Team for keeping us up to date!!!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Arantor on October 17, 2014, 08:42:34 PM
Quote from: Steve on October 17, 2014, 03:40:55 PM
I was torn between that and Arantor's opinion. :D

Always assume I am right until the universe says anything to the contrary ;D
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kindred on October 17, 2014, 08:44:33 PM
Hey, I know that I am large, but I am not universe sized, yet...  :P
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Arantor on October 17, 2014, 08:50:51 PM
:P ;D

Here I am, brain the size of a planet, and they ask me to pick up that piece of paper. Call that job satisfaction? 'Cause I don't.

(Yes, I channel Marvin *so* well.)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Steve on October 17, 2014, 09:51:07 PM
Quote from: Arantor on October 17, 2014, 08:42:34 PM
Always assume I am right until the universe says anything to the contrary ;D

Roger that. :P


*I wonder if anyone else got the HGTTG reference ...
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kindred on October 18, 2014, 12:38:50 AM
Of course we did...  Silly boy. ;)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Arantor on October 18, 2014, 01:34:57 AM
Perhaps I need to make MarvinBot come here too.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kindred on October 18, 2014, 02:28:02 AM
Marvin is God
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Arantor on October 18, 2014, 02:31:43 AM
Not according to So Long And Thanks For All The Fish, he's not.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Masterd on October 18, 2014, 08:44:39 AM
Quote from: Arantor on October 17, 2014, 08:50:51 PM
:P ;D

Here I am, brain the size of a planet, and they ask me to pick up that piece of paper. Call that job satisfaction? 'Cause I don't.

(Yes, I channel Marvin *so* well.)

Ever heard of egoism?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Arantor on October 18, 2014, 08:53:34 AM
You do realise that Marvin describes himself as a manically depressed android, right?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Steve on October 18, 2014, 09:10:00 AM
Quote from: Kindred on October 18, 2014, 12:38:50 AM
Of course we did...  Silly boy. ;)

Lol ... don't know you guys well enough yet to know these things. :P
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: RUKZANYA on October 24, 2014, 11:56:17 AM
Thanks...
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: s3cc0 on October 29, 2014, 08:47:49 AM
Update install went fine. Thank you.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: IamTheBoy on October 30, 2014, 03:08:25 PM
Update to 2.09 went well with no dramas here, thanks SMF devs :)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kenny01 on November 01, 2014, 09:36:41 AM
Done,
I never received any upgrade notification email as usual?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: NekoJonez on November 01, 2014, 01:30:12 PM
I never got that. I always see that in my admin panel.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Arantor on November 01, 2014, 01:43:33 PM
The last few haven't been sent for various reasons.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: ModelBoatMayhem on November 01, 2014, 02:40:15 PM
 
No email here either, have I turned something off?
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: margarett on November 01, 2014, 02:42:11 PM
Quote from: Arantor on November 01, 2014, 01:43:33 PM
The last few haven't been sent for various reasons.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: kanzay on November 23, 2014, 12:31:17 PM
thank you very much. I use this forum system at my site www.meslekciyiz.com/forum and I like this forum system.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: NekoJonez on December 16, 2014, 04:25:52 PM
So, I heard that SMF 2.0.10 is confirmed.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: margarett on December 16, 2014, 04:33:17 PM
Careful, you might be hallucinating ;D
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Burke ♞ Knight on December 16, 2014, 04:40:07 PM
A possible update is always talked about, and ideas as to what goes into one if it is made.
There's always going to be ideas for adding to future updates, whether or not they do, is another story.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kindred on December 16, 2014, 05:23:10 PM
2.0.10 is confirmed as in "It will probably be released, some time in the future, when there is a new security update required."

Until that time, no... there is no "confirmation" of 2.0.10 other than your imagination.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: dekoffieboer on December 25, 2014, 12:11:33 AM
Great Forum you guys. Keep up the good work. /happy :)
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: topogio on January 03, 2015, 04:56:53 PM
great job, but I wanted to point something out about a typo in  ./Sources/Memberlist.php

The typo was introduced in SMF2.0.8 update and was not fixed during SMF2.0.9

$serach_fields[] = 'email';

$condition = allowedTo('moderate_forum') ? '' : ')';


Which of course should have been

$search_fields[] = 'email';

$condition = allowedTo('moderate_forum') ? '' : ')';


Thanks for the great cms and the great forum, lots of hard work and greatly appreciated.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Arantor on January 03, 2015, 04:59:09 PM
The typo in 2.0.8 was only present for a short period of time and was fixed in the mainstream 2.0.8 patch.

And 2.0.9 does include a fix if the damaged 2.0.8 code was found as per http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_1.1.20_2.0.9.zip;smf_version=2.0.8
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: w0kie on January 23, 2015, 07:39:34 PM
1.1.20 killed the message preview function.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Kindred on January 23, 2015, 09:15:02 PM
Yes. We know.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: s1rabiulislam on March 09, 2015, 11:26:26 AM
Thanks for keeping us up to date!
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: Michelle m on March 14, 2015, 11:55:03 PM
thank you so much ..........
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: hbgmysite on March 29, 2015, 10:43:02 PM
Thanks a lot
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: ngocbao on March 30, 2015, 06:23:39 AM
Thank you for giving me this message
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: GaziSalahuddin on April 04, 2015, 03:30:44 AM
Thank you very much. Great job. A possible update is always justified, and ideas as to what goes into one if it is made. There's always ideas for adding to future updates, whether or not they do, is another matter.
Title: Re: SMF 2.0.9 / 1.1.20 Security Patches Released
Post by: ismail11 on April 05, 2015, 01:18:48 AM
OK Thanks......