
Author Topic: SMF 1.1.9 and 2.0 RC1-1 released  (Read 389634 times)

Offline Col

  • Sr. Member
  • ****
  • Posts: 964
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #200 on: May 26, 2009, 07:21:19 AM »
Hi Kindred,
 
Thanks for the reply.
 
Of course there is a distinct limit to the number of e-mails SMF can send out in a given amount of time - this is obvious to me. Is the limit 1 e-mail per 2 seconds or less? By publishing this notice, SMF are publishing this vulnerability to very many more people - it is inevitable that a few will enquire about the vulnerability, and some might use it, perhaps just for fun, on a SMF forum they don't like. Any kind of vulnerability should be kept as quiet as possible until there is a fix available, and then the fix published as wide and as speedily as possible. I just feel that 1 e-mail every 2 seconds or less is probably a lot slower than it need be - or am I missing something?
 
There are all sorts of reasons why I might not login to my forum. Sometimes I like a break - not all forums are fun - some, like mine, tend to be stressful and hard work. However, like most people, I will continue to check my e-mail in case anything urgent pops up - like security vulnerabilities.
 
I was just surprised that it took four days for an e-mail to arrive about this. As it turns out, I had patched this vulnerability within a few hours of it being made available, but this would not have been the case if relying upon e-mail notifications of vulnerabilities. I think, if it is technically possible, e-mail notifications should be sent out more promptly than this. I assume it is possible since no one has stated that e-mails are being sent out at the upper limit of capacity (1 every 2 seconds or less, does seem slow to me).
 
This does not diminish all the hard work put in by the people at SMF. This is meant as feedback, as I think this is an important issue.
 
I am not a coder, and have little knowledge of how servers function, so if it is not reasonably technically possible to send out these e-mails any more promptly, I unreservedly withdraw my comments and apologise for the distraction. If, however, it is very possible to send out these important notifications in a significantly shorter timeframe, I stand by my comments.
 
Thanks.

Offline Tristan Perry

  • SMF Hero
  • ******
  • Posts: 2,498
  • Gender: Male
    • Tristan Perry
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #201 on: May 26, 2009, 07:32:11 AM »
Quote from: Col
By publishing this notice, SMF are publishing this vulnerability to very many more people - it is inevitable that a few will enquire about the vulnerability, and some might use it, perhaps just for fun, on a SMF forum they don't like. Any kind of vulnerability should be kept as quiet as possible until there is a fix available, and then the fix published as wide and as speedily as possible. I just feel that 1 e-mail every 2 seconds or less is probably a lot slower than it need be - or am I missing something?

The vulnerability is published whichever way SMF publishes the fixes. When applying the patch, the code changes can be seen. The modified files are also linked to this thread (first post). So it's reasonably impossible to hide the vulnerability. :) As for e-mail sending:

Quote from: Col
I am not a coder, and have little knowledge of how servers function, so if it is not reasonably technically possible to send out these e-mails any more promptly, I unreservedly withdraw my comments and apologise for the distraction. If, however, it is very possible to send out these important notifications in a significantly shorter timeframe, I stand by my comments.

There's no distraction/need for apology :) It's just that sending out 170,000 is a major deal - trying to send them out in the space of, say, one day wouldn't be possible and would probably crash the server trying to do this.

Secondly, sending them out in such a quick space of time could be seen as spam (obviously they wouldn't be since SMF is reputable/well-known; however sending out 170,000 e-mails in a short space of time could be flagged by some poor spam blacklists).

I guess the main point(s) is that the vulnerability can't really be hidden (since SMF is open source) - and so there's no real need to try and get the e-mails out as quickly as possible.
« Last Edit: May 26, 2009, 07:37:31 AM by Tristan Perry »

Offline nwsw

  • Semi-Newbie
  • *
  • Posts: 30
    • NoteWorthy Software
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #202 on: May 26, 2009, 08:38:00 AM »
FYI: I used the smf_patch_1.0.17_1.1.9_2.0-RC1-1.zip patch to perform the update to our local server's working copy of SMF 1.1.8. The database update program has a bug in it which prevents the smfVersion variable from being updated. It incorrectly adds two new variables, '0' and '1', to the smf_settings table, but fails to actually change the smfVersion variable.

Specifics:
The 'updateDatabase.php' program incorrectly uses the updateSettings function. The following line does not provide an associative array for the smfVersion assignment:

Code:
updateSettings(array('smfVersion', 'SMF ' . (isset($func['entity_fix']) ? '1.1.9' : '1.0.17')));

That line should be rewritten as an associative array:

Code:
updateSettings(array('smfVersion' => 'SMF ' . (isset($func['entity_fix']) ? '1.1.9' : '1.0.17')));

The value of 'SMF 1.1.9' is also inconsistent with the fallback code that assigns '1.1.9' to the smfVersion (which makes more sense to me).
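
Added example (not part of nwsw's post and not SMF source code): a minimal model of the failure described above, showing why a list-style array leaves smfVersion stale while creating settings named 0 and 1, plus a guard that rejects such input. The functions apply_settings() and apply_settings_checked(), the $table array standing in for smf_settings, and the starting value '1.1.8' are all assumptions made for illustration.

```php
<?php
// Added illustration, not SMF source. apply_settings() is a hypothetical
// stand-in for updateSettings(); $table models smf_settings as name => value.

function apply_settings(array $changes, array $table)
{
    // Each array KEY is treated as the setting name, each VALUE as its value.
    foreach ($changes as $variable => $value) {
        $table[$variable] = $value;
    }
    return $table;
}

// Hypothetical guard: a list-style array has integer keys (0, 1, 2, ...),
// which can never be legitimate setting names, so refuse it outright.
function apply_settings_checked(array $changes, array $table)
{
    foreach (array_keys($changes) as $key) {
        if (is_int($key)) {
            throw new InvalidArgumentException("setting name expected, got index $key");
        }
    }
    return apply_settings($changes, $table);
}

$before = array('smfVersion' => '1.1.8');   // constructed starting state

// Call shape from the post: a two-element list, i.e. keys 0 and 1.
// smfVersion keeps its old value and two stray settings appear.
$buggy = apply_settings(array('smfVersion', 'SMF 1.1.9'), $before);

// Corrected call shape: one name => value pair, so smfVersion is updated.
$fixed = apply_settings(array('smfVersion' => 'SMF 1.1.9'), $before);

print_r($buggy);
print_r($fixed);

// With the guard in place the malformed call fails loudly instead of
// silently leaving the recorded version behind the patched code.
try {
    apply_settings_checked(array('smfVersion', 'SMF 1.1.9'), $before);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

After a security update, comparing the stored version value with the version of the patched files is a quick way to spot this kind of silent mismatch.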

Offline SoehnelS

  • Newbie
  • *
  • Posts: 7
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #203 on: May 26, 2009, 11:17:06 AM »
Hello!

Thanks @all!


For users with problems I write my problems and solutions.
If it's the wrong place please correct me - Thanks!

I've updated 1.1.8 -> 1.1.9 with manual update for the Display.php and the Subs-Post.php.

With the Display.php I've got an ugly error which shows me the column
"<looks like a hashvalue>" doesn't exist.

After some checking files I found the Problem:
In the old Display.php the related Query looks (Line 964):
Code:
SELECT a.filename, a.ID_ATTACH, a.attachmentType, a.size
the new one (original Line 958):
Code:
SELECT a.filename, a.ID_ATTACH, a.attachmentType, a.file_hash
So the following statement gives a hash instead of the filesize (Line 975):
Code:
list ($real_filename, $ID_ATTACH, $attachmentType, $size) = mysql_fetch_row($request);
I changed the query:
Code:
SELECT a.filename, a.ID_ATTACH, a.attachmentType, a.file_hash, a.size
and the statement:
Code:
list ($real_filename, $ID_ATTACH, $attachmentType, $file_hash, $size) = mysql_fetch_row($request);
relevant Packages:
Attachments Download Permission
Attachments Mod

hth
Sven

Offline feline

  • SMF Hero
  • ******
  • Posts: 1,638
  • Gender: Female
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #204 on: May 26, 2009, 02:14:34 PM »
I think, there is a Bug in the upgrade for SMF2.0 if you are using multiple directories.
See my post: http://www.simplemachines.org/community/index.php?topic=313229.msg2078430#msg2078430

Fel

Offline nedla

  • Semi-Newbie
  • *
  • Posts: 16
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #205 on: May 26, 2009, 03:37:59 PM »
nice work guys, bring on the curve theme

Offline Hunnenkoenig

  • Semi-Newbie
  • *
  • Posts: 43
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #206 on: May 26, 2009, 05:12:38 PM »
Is there a demo site for SMF 2.0?
Or a feature list?

Why is it better than 1xx?

kat

  • Guest
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #207 on: May 26, 2009, 05:55:28 PM »
I guess this is the demo site, as it's running v2.

It's only a release candidate, though.

It's not yet recommended for working fora.

Offline metallica48423

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,842
  • Gender: Male
  • Professional Multislacker!
    • Zentendo
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #208 on: May 26, 2009, 08:50:34 PM »
We actually suspect there is a slight bug in email sending affecting the send rate.  Once we found out that it was sending much slower than it should have been, we started pushing the queue manually. 

Either way, we anticipate that it will take anywhere from 6 hours to 2 days depending on server loads, hits, and such, to actually send out the 170,000 emails, also accounting for all of the email notifications that go out in addition to these (which are on a scheduled task), it's quite a significant job.
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote
Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,073
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #209 on: May 26, 2009, 09:56:04 PM »
Quote from: metallica48423
Either way, we anticipate that it will take anywhere from 6 hours to 2 days depending on server loads, hits, and such, to actually send out the 170,000 emails, also accounting for all of the email notifications that go out in addition to these (which are on a scheduled task), it's quite a significant job.

Don't forget that many major ISPs will rate-limit incoming mail from individual servers. Yahoo! is particularly bad about it, sometimes enforcing less than 100 messages an hour as a maximum.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Offline noelchiew

  • Jr. Member
  • **
  • Posts: 138
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #210 on: May 26, 2009, 11:25:06 PM »
Sorry just a quick general question, after each update, is it ok to delete the old update packages? I have a list of update packages in my package manager list from 1.1.4 to 1.1.8 and I'm wondering if it is safe to do so or should I leave it there.
Sorry can't help but wonder whether my post was accidentally overlooked in the midst of all this discussion :) Appreciate it!

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,737
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #211 on: May 27, 2009, 02:16:28 AM »
You can delete them, as if you ever needed them - you could still get them from the archives here ;) Personally though, I'd recommend keeping the latest update, just in case.
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.
  Fooling around with an i7 990X @ 3,47Ghz / 12Gb / Win 10 x64 / 3840x2160


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline noelchiew

  • Jr. Member
  • **
  • Posts: 138
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #212 on: May 27, 2009, 02:38:23 AM »
Ok that was what I thought too but needed confirmation. Thanks! :)

Offline Hunnenkoenig

  • Semi-Newbie
  • *
  • Posts: 43
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #213 on: May 27, 2009, 04:19:57 AM »
Quote from: kat
I guess this is the demo site, as it's running v2.

Ah ok, I didn't pay attention. Thanks.
So I think, it doesn't have big changes in appearance :-)

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,737
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #214 on: May 27, 2009, 04:25:42 AM »
Quote from: Hunnenkoenig
Quote from: kat
I guess this is the demo site, as it's running v2.

Ah ok, I didn't pay attention. Thanks.
So I think, it doesn't have big changes in appearance :-)

It will be bringing out a completely new theme, and some other layout changes as well, but nothing I'd call major for the user point of view, apart from the mentioned new theme ;)

Offline Tristan Perry

  • SMF Hero
  • ******
  • Posts: 2,498
  • Gender: Male
    • Tristan Perry
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #215 on: May 27, 2009, 04:26:27 AM »
Quote from: Hunnenkoenig
Quote from: kat
I guess this is the demo site, as it's running v2.

Ah ok, I didn't pay attention. Thanks.
So I think, it doesn't have big changes in appearance :-)

Well, actually:

Introducing the (upcoming) new default SMF theme - Curve!

;D

This site is running on 2.0, however the new theme Curve hasn't been released to the public yet (it's still being worked upon and beta tested)

Check out some of the past announcements for new features that are upcoming in 2.0 :)

Offline aED

  • Sr. Member
  • ****
  • Posts: 980
  • Gender: Male
    • Free internet UBT/FBT - Opera Mini
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #216 on: May 27, 2009, 04:56:40 AM »
Hey is that a spam post?

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,737
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #217 on: May 27, 2009, 05:04:03 AM »
Quote from: aED
Hey is that a spam post?

Yeah, they were. :)

Offline Col

  • Sr. Member
  • ****
  • Posts: 964
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #218 on: May 27, 2009, 06:46:34 AM »
Quote from: metallica48423
We actually suspect there is a slight bug in email sending affecting the send rate. Once we found out that it was sending much slower than it should have been, we started pushing the queue manually.

Either way, we anticipate that it will take anywhere from 6 hours to 2 days depending on server loads, hits, and such, to actually send out the 170,000 emails, also accounting for all of the email notifications that go out in addition to these (which are on a scheduled task), it's quite a significant job.

It did seem slow to me.
 
From my reading around, it appeared reasonably technically possible to send out mail at a significantly higher rate, but I also note Motoko-chan's point about some ISPs (particularly webmail providers) that impose limits, usually in the most unintelligent manner. I'm sure there must be a ridiculous number of notifications sent out from a forum the size of this place too.
 
Thanks for the explanation and update.

Offline SabreOfParadise

  • Semi-Newbie
  • *
  • Posts: 98
Re: SMF 1.1.9 and 2.0 RC1-1 released
« Reply #219 on: May 27, 2009, 10:00:07 AM »
On my prod forum the update failed when using the Package Manager: No error occurred, but the files were not updated and also nothing in the database.
It worked on my local test forum but I wasn't forced to use FTP there (why FTP? -> It's old and unsecure). If anything is wrong with my FTP settings I would expect an error message in SMF.

Ok, so I tried the file "modified_1-1-8_1-1-9.zip", but missed the "update.php" file. Then tried to use the "updateDatabase.php" from the patch package, but it didn't seem to do anything (blank page).

Now I'm confused if my SMF is correctly on version 1.1.9 or not.

The Administration Center says:
Quote
Forum version: SMF 1.1.9
Current SMF version: SMF 1.1.9
(more detailed)

If I click on "more detailed" the only template marked in red is:
index.german.php   1.1.5   1.1.9
[Edit: This is a template from a language pack, so no surprise here]

Curiously there is another template in another version than the "Current Version":
index.template.php   1.1.5 (Your Version)   1.1 (Current)

I have to say: I'm coming from phpBB 2 and this was my first SMF update, but the updates and corresponding documentation were easier with phpBB. The only downside were the time consuming manual adjustments for the different mods (which are already included in SMF 1.1.8 like sub forums, RSS support [doesn't really work currently at this forum] and attachments). But this SMF update took more time anyway (e.g. because I had to setup an FTP server).