SMF 2.0.3, 1.1.17 and 1.0.23 security patches released

Started by emanuele, December 16, 2012, 05:05:30 PM


avepeachy

I downloaded the patch and tried to install it through the package manager, but I got an error that the package appeared to be empty?

emanuele

Try to download it from this page and decompress it on your computer.
If it works, try uploading it from the admin panel.
If you get the same error try to zip and upload it again.
If none of the above works, unzip the package and upload it from ftp...

...that's a very strange situation... :(


Take a peek at what I'm doing! ;D




Do you need support in Italian?

Help us help you: explain your problem well: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Road Rash Jr.

Quote from: Kindred on December 19, 2012, 09:15:39 AM
actually, no... you can't.

remember, the copyright to SMF is held by Simple Machines. Therefore, the (c) 2011 is a legal statement by Simple Machines that has nothing to do with your individual forum and is not yours to change.

Unless you change it, SMF's copyright is only valid until Dec 31, 2011 as stated in SMF's legal statement as you are not declaring copyright for 2012. This needs to be declared and changed yearly (January 1, (year) or prior to year end, to make it legally valid. Copyright declaration must remain current or it is null and void.
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

emanuele

Quote from: Road Rash on December 20, 2012, 11:19:36 AM
Unless you change it, SMF's copyright is only valid until Dec 31, 2011 as stated in SMF's legal statement as you are not declaring copyright for 2012. This needs to be declared and changed yearly (January 1, (year) or prior to year end, to make it legally valid. Copyright declaration must remain current or it is null and void.
http://www.copyright.gov/title17/92chap4.html#401
Quote for easier reference:
Quote:
(a) General Provisions. — Whenever a work protected under this title is published in the United States or elsewhere by authority of the copyright owner, a notice of copyright as provided by this section may be placed on publicly distributed copies from which the work can be visually perceived, either directly or with the aid of a machine or device.

(b) Form of Notice. — If a notice appears on the copies, it shall consist of the following three elements:

(1) the symbol © (the letter C in a circle), or the word "Copyright", or the abbreviation "Copr."; and

(2) the year of first publication of the work; in the case of compilations or derivative works incorporating previously published material, the year date of first publication of the compilation or derivative work is sufficient. The year date may be omitted where a pictorial, graphic, or sculptural work, with accompanying text matter, if any, is reproduced in or on greeting cards, postcards, stationery, jewelry, dolls, toys, or any useful articles; and

(3) the name of the owner of copyright in the work, or an abbreviation by which the name can be recognized, or a generally known alternative designation of the owner.



FrizzleFried

Jesus... how hard would it be to simply change it to (c) 2011,2012?   This is some seriously ridiculous crap from BOTH sides.


Kindred

Frizzle,   multiple years is stupid...

While we all agree that it probably should be changed, some people are obsessing over it AND spreading incorrect information.

Here's the correct summary.
1- Copyright does not EXPIRE in the year stated. Copyright STARTS in that year and is valid for 70 years afterwards (or thereabouts)
2- You can change your footer and remove the smf copyright, etc... but you can NOT (legally) change the smf copyright statement.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Road Rash Jr.

Thanks for posting that, section 2 clearly qualifies my point. The original work was copyright 2011, the compilation or derivative work of previously published work requires the year of its release which in this case is 2012. ;)
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

Kindred

actually, if you are trying to be pedantic, by that logic, since 2.0.2 is just an addition to 2.0, leaving the 2.0 release date is completely appropriate -- it's not a NEW compilation.

Road Rash Jr.

Whatever, legally any change to the original work is a NEW compilation of the previously published work.
But then you know that and just want to pick up your petty arguing with me from years past.  ::) When you learn to interpret law properly, I'll learn to code properly. Just sayin :laugh:
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

NanoSector

Quote from: Road Rash on December 20, 2012, 01:25:39 PM
Whatever, legally any change to the original work is a NEW compilation of the previously published work.
Technically the patch is just something that's placed over the original work, so not an all new compilation.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

mashby

Always be a little kinder than necessary.
- James M. Barrie

FrizzleFried

Oh... and for the overly anal amongst us...

Why not simply add: "Updated 2012" or some such thing in the footer in ADDITION to the 2011 copyright if it's that big of a deal?

I added "Content (c) 2012 [form name]" to my footer after all the legal hubbub...

Dave Pitman

First, some feedback:
I have a clean install of SMF 2.0.2, no mods. When I went to Admin > Package Manager, the update was listed, but when I clicked on the "install now", I received a 404 error from my domain.

I was able to install the update manually.

Secondly, A Question:
I had modified the nav menu in the file "Sources > Sub.php". This file was overwritten in the update. Can I simply overwrite this file with the previous version (that I had modified) without compromising security? I did try to just edit the new file, but was having difficulty. Dropping in the previous file works fine, just want to make sure this is not leaving some security hole open.

Thank You.

mikejmac

Quote from: emanuele on December 16, 2012, 05:27:05 PM
Quote from: DeVIL-I386 on December 16, 2012, 05:24:15 PM
Where should this option be hidden? Is it Administration Center » Maintenance » Forum Maintenance » Routine » Check all files against current versions?
Almost but not exactly: admin > maintenance > scheduled tasks > scheduled tasks
Then under the column "run now" select the box corresponding to "Fetch Simple Machines Files", and click the button "run now".

Hi emanuele.  I did the above but I still get this Forbidden message below on a white page whether I click "update your forum" from my main Administration Center or when I click "this patch (click here to install)" from the Package Manager.  I'm trying to get 2.0.3 from 2.0.2.

-------------------

Forbidden

You don't have permission to access /forum/index.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at --mysite-- Port 80

-------------------

PS  It doesn't have [nofollow] on the white page.  That showed up when I copied it here.


mod edit - removed link.

Kindred

Quote from: Dave Pitman on December 20, 2012, 03:46:45 PM
First, some feedback:
I have a clean install of SMF 2.0.2, no mods. When I went to Admin > Package Manager, the update was listed, but when I clicked on the "install now", I received a 404 error from my domain.

I was able to install the update manually.

Secondly, A Question:
I had modified the nav menu in the file "Sources > Sub.php". This file was overwritten in the update. Can I simply overwrite this file with the previous version (that I had modified) without compromising security? I did try to just edit the new file, but was having difficulty. Dropping in the previous file works fine, just want to make sure this is not leaving some security hole open.

Thank You.

Dave, I don't know why it would have given you an error message like that...

As for subs.php... Why would it have overwritten the file? The updates were to individual files, not to replace the whole thing.... unless you downloaded the update and overwrote the file on your own, manually...

However, no... you should not use the old version.

Dave Pitman

Quote from: Kindred on December 20, 2012, 04:08:54 PM


Dave, I don't know why it would have given you an error message like that...

As for subs.php... Why would it have overwritten the file? The updates were to individual files, not to replace the whole thing.... unless you downloaded the update and overwrote the file on your own, manually...

However, no... you should not use the old version.

Thanks for your reply, Kindred.

First, the folder "Sources" was part of the update package I downloaded from here: (the small package) http://download.simplemachines.org/index.php?thanks;filename=smf_2-0-3_update.zip

Your answer seems a little contradictory to me.

You're telling me that the file "Sub.php" was not a target of the security update, but that I should not use the version from v. 2.0.2

That is what seems contradictory?

MRM4

I have version 1.1.16 and am not able to update through the admin panel. When I try to, I get this error:

The package you tried to upload either is not a valid package or has become corrupted.

Any recommendations? Thanks.
 
An Error Has Occurred!
The package you tried to upload either is not a valid package or has become corrupted.

mashby

Subs.php wasn't part of the patch:
http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_2.0.3.tar.gz;smf_version=2.0.2
So, I'm not sure how your update affected that file, but you do mention you did it manually.

However, really, this is an announcement topic not meant for support. Maybe this topic should really be read-only, eh?
Always be a little kinder than necessary.
- James M. Barrie

Dave Pitman

Quote from: merry mashby on December 20, 2012, 04:42:29 PM
I'm not sure how your update affected that file, but you do mention you did it manually.
Yes, manually updated, as I said above, with the package I linked to above. Which did include the "Sources" folder.

Quote from: merry mashby on December 20, 2012, 04:42:29 PM
However, really, this is an announcement topic not meant for support. Maybe this topic should really be read-only, eh?

Well, I don't really think this is a support question. It is a technical question relating to this update to determine if the file "Subs.php" can be used from v.2.0.2 without compromising the security update. Looking at the file you linked to, it would appear that it is indeed fine to use the older Subs.php file.

If you are actually involved in the coding of the software, this will be a yes or no answer. If you are not, please, let's just wait for one of them to respond.

Thank You.

mashby

The file you linked to is the whole kit and kaboodle. If you look at the date of Subs.php in the Sources folder, you'll see it's dated 6/6/2011. If you used the file you linked to, you are essentially wiping out any mods/edits you've made since 2.0.2. If you look at the link I provided, you'll see the changes made from 2.0.2 to 2.0.3 of which Sources/Subs.php was not affected.

I don't have to be in the developer group to know this either so I hope you can appreciate what I've written.

Thank you.
Always be a little kinder than necessary.
- James M. Barrie
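
The check discussed in the posts above, finding out which files an update actually changed before putting back a locally edited copy, can be scripted. This is an added example, not part of the thread and not SMF code; it assumes you have unpacked unmodified copies of the old and new releases, and the sample trees, the file name `Sources/Patched.php` and all file contents below are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def patched_files(old_release, new_release):
    """Files the update added or changed between two stock release trees."""
    old, new = tree_hashes(old_release), tree_hashes(new_release)
    return {path for path, digest in new.items() if old.get(path) != digest}


def safe_to_restore(local_edits, old_release, new_release):
    """For each locally edited file: True if the update left it untouched,
    so restoring the edited copy does not undo a fix; False if the edit
    must be re-applied on top of the new version instead."""
    touched = patched_files(old_release, new_release)
    return {path: path not in touched for path in local_edits}


def demo():
    # Constructed sample trees; names and contents are illustrative only.
    with tempfile.TemporaryDirectory() as tmp:
        old, new = Path(tmp, "old"), Path(tmp, "new")
        samples = (
            (old, {"Sources/Subs.php": "menu v1", "Sources/Patched.php": "v1"}),
            (new, {"Sources/Subs.php": "menu v1", "Sources/Patched.php": "v2 fixed"}),
        )
        for root, contents in samples:
            for rel, text in contents.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(text)
        return safe_to_restore(["Sources/Subs.php", "Sources/Patched.php"], old, new)


if __name__ == "__main__":
    print(demo())
```

A file reported as `False` was changed by the update, so the older edited copy should not be dropped back in; re-apply the customisation to the new file instead.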
