SMF 1.1.9 and 2.0 RC1-1 released

Started by Compuart, May 20, 2009, 08:22:19 PM


Col

Hi Kindred,

Thanks for the reply.

Of course there is a distinct limit to the number of e-mails SMF can send out in a given amount of time - this is obvious to me. Is the limit 1 e-mail per 2 seconds or less? By publishing this notice, SMF are publishing this vulnerability to very many more people - it is inevitable that a few will enquire about the vulnerability, and some might use it, perhaps just for fun, on a SMF forum they don't like. Any kind of vulnerability should be kept as quiet as possible until there is a fix available, and then the fix published as wide and as speedily as possible. I just feel that 1 e-mail every 2 seconds or less is probably a lot slower than it need be - or am I missing something?

There are all sorts of reasons why I might not login to my forum. Sometimes I like break - not all forums are fun - some, like mine, tend to be stressful and hard work. However, like most people, I will continue to check my e-mail in case anything urgent pops up - like security vulnerabilities.

I was just surprised that it took four days for an e-mail to arrive about this. As it turns out, I had patched this vulnerability within a few hours of it being made available, but this would not have been the case if relying upon e-mail notifications of vulnerabilities. I think, if it is technically possible, e-mail notifications should be sent out more promptly than this. I assume it is possible since no one has stated that e-mails are being sent out at the upper limit of capacity (1 every 2 seconds or less, does seem slow to me).

This does not diminish all the hard work put in by the people at SMF. This is meant as feedback, as I think this an important issue.

I am not a coder, and have little knowledge of how servers function, so if it is not reasonably technically possible to send out these e-mails any more promptly, I unreservedly withdraw my comments and apologise for the distraction. If, however, it is very possible to send out these important notifications in a significantly shorter timeframe, I stand by my comments.

Thanks.

Tristan Perry

#201
Quote from: Col on May 26, 2009, 07:21:19 AM
By publishing this notice, SMF are publishing this vulnerability to very many more people - it is inevitable that a few will enquire about the vulnerability, and some might use it, perhaps just for fun, on a SMF forum they don't like. Any kind of vulnerability should be kept as quiet as possible until there is a fix available, and then the fix published as wide and as speedily as possible. I just feel that 1 e-mail every 2 seconds or less is probably a lot slower than it need be - or am I missing something?
The vulnerability is published whichever way SMF publishes the fixes. When applying the patch, the code changes can be seen. The modified files are also linked to this thread (first post). So it's reasonably impossible to hide the vulnerability. :) As for e-mail sending:

Quote from: Col on May 26, 2009, 07:21:19 AM
I am not a coder, and have little knowledge of how servers function, so if it is not reasonably technically possible to send out these e-mails any more promptly, I unreservedly withdraw my comments and apologise for the distraction. If, however, it is very possible to send out these important notifications in a significantly shorter timeframe, I stand by my comments.
There's no distraction/need for apology :) It's just that sending out 170,000 is a major deal - trying to send them out in the space of, say, one day wouldn't be possible and would probably crash the server trying to do this.

Secondly, sending them out in such a quick space of time could be seen as spam (obviously they wouldn't be since SMF is reputable/well-known; however sending out 170,000 e-mails in a short space of time could be flagged by some poor spam blacklists).

I guess the main point(s) is that the vulnerability can't really be hidden (since SMF is open source) - and so there's no real need to try and get the e-mails out as quickly as possible.

nwsw

FYI: I used the smf_patch_1.0.17_1.1.9_2.0-RC1-1.zip patch to perform the update to our local server's working copy of SMF 1.1.8. The database update program has a bug in it which prevents the smfVersion variable from being updated. It incorrectly adds two new variables, '0' and '1', to the smf_settings table, but fails to actually change the smfVersion variable.

Specifics:
The 'updateDatabase.php' program incorrectly uses the updateSettings function. The following line does not provide an associative array for the smfVersion assignment:

updateSettings(array('smfVersion', 'SMF ' . (isset($func['entity_fix']) ? '1.1.9' : '1.0.17')));


That line should be rewritten as an associative array:

updateSettings(array('smfVersion' =>  'SMF ' . (isset($func['entity_fix']) ? '1.1.9' : '1.0.17')));


The value of 'SMF 1.1.9' is also inconsistent with the fallback code that assigns '1.1.9' to the smfVersion (which makes more sense to me).
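To show how the list-shaped call above ends up as the stray '0' and '1' rows, here is an added illustration (not SMF's own code): a simplified stand-in for updateSettings() that, like the real one, walks its argument as $variable => $value pairs, plus a small key check an upgrader could use to catch the same mistake before writing to smf_settings.

```php
<?php
// mockUpdateSettings is a constructed stand-in for SMF's updateSettings():
// it returns the (variable, value) rows that would be written to
// smf_settings instead of touching a database.
function mockUpdateSettings(array $changeArray): array
{
    $rows = array();
    foreach ($changeArray as $variable => $value) {
        // A non-associative array yields the numeric keys 0 and 1 here,
        // which is exactly how the stray '0' and '1' settings get created
        // while the real smfVersion row is never touched.
        $rows[] = array('variable' => (string) $variable, 'value' => (string) $value);
    }
    return $rows;
}

// Check an upgrader can run before writing: every key must be a setting
// name, so any integer key means the call was built as a list by mistake.
function settingsCallLooksValid(array $changeArray): bool
{
    foreach (array_keys($changeArray) as $key) {
        if (is_int($key)) {
            return false;
        }
    }
    return true;
}

// Constructed: pretend this is a 1.1.x install (entity_fix is defined).
$func = array('entity_fix' => true);
$version = 'SMF ' . (isset($func['entity_fix']) ? '1.1.9' : '1.0.17');

// Buggy call from updateDatabase.php: a list, not a map.
$buggy = array('smfVersion', $version);
// Corrected call: an associative array keyed by the setting name.
$fixed = array('smfVersion' => $version);

var_dump(settingsCallLooksValid($buggy)); // false: keys are 0 and 1
var_dump(settingsCallLooksValid($fixed)); // true: key is 'smfVersion'
print_r(mockUpdateSettings($buggy));
print_r(mockUpdateSettings($fixed));
```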

SoehnelS

Hello!

Thanks @all!


For users with problems I write down my problems and solutions.
If this is the wrong place please correct me - Thanks!

I've updated 1.1.8 -> 1.1.9 with manual update for the Display.php and the Subs-Post.php.

With Display.php I got an ugly error which told me that the column
"<looks like a hash value>" doesn't exist.

After checking some files I found the problem:
In the old Display.php the related query looks like this (Line 964):
SELECT a.filename, a.ID_ATTACH, a.attachmentType, a.size
the new one (original Line 958):
SELECT a.filename, a.ID_ATTACH, a.attachmentType, a.file_hash

So the following statement gives a hash instead of the file size (Line 975):
list ($real_filename, $ID_ATTACH, $attachmentType, $size) = mysql_fetch_row($request);

I changed the query:
SELECT a.filename, a.ID_ATTACH, a.attachmentType, a.file_hash, a.size
and the statement:
list ($real_filename, $ID_ATTACH, $attachmentType, $file_hash, $size) = mysql_fetch_row($request);

relevant Packages:
Attachments Download Permission
Attachments Mod

hth
Sven

feline

I think there is a bug in the upgrade for SMF 2.0 if you are using multiple directories.
See my post: http://www.simplemachines.org/community/index.php?topic=313229.msg2078430#msg2078430

Fel

nedla

nice work guys,, bring on the curve theme

Hunnenkoenig

Is there a demo site for SMF 2.0?
Or a feature list?

Why is it better than 1xx?

kat

I guess this is the demo site, as it's running v2.

It's only a release candidate, though.

It's not yet recommended for working fora.

metallica48423

We actually suspect there is a slight bug in email sending affecting the send rate.  Once we found out that it was sending much slower than it should have been, we started pushing the queue manually. 

Either way, we anticipate that it will take anywhere from 6 hours to 2 days depending on server loads, hits, and such, to actually send out the 170,000 emails, also accounting for all of the email notifications that go out in addition to these (which are on a scheduled task), it's quite a significant job.
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote: Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


青山 素子

Quote from: metallica48423 on May 26, 2009, 08:50:34 PM
Either way, we anticipate that it will take anywhere from 6 hours to 2 days depending on server loads, hits, and such, to actually send out the 170,000 emails, also accounting for all of the email notifications that go out in addition to these (which are on a scheduled task), it's quite a significant job.

Don't forget that many major ISPs will rate-limit incoming mail from individual servers. Yahoo! is particularly bad about it, sometimes enforcing less than 100 messages an hour as a maximum.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


noelchiew

Quote from: noelchiew on May 26, 2009, 03:04:05 AM
Sorry just a quick general question, after each update, is it ok to delete the old update packages? I have a list of update packages in my package manager list from 1.1.4 to 1.1.8 and I'm wondering if it is safe to do so or should I leave it there.
Sorry, can't help but wonder whether my post was accidentally overlooked in the midst of all this discussion :) Appreciate it!

Aleksi "Lex" Kilpinen

You can delete them, as if you ever needed them - you could still get them from the archives here ;) Personally though, I'd recommend keeping the latest update, just in case.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

noelchiew

Ok that was what I thought too but needed confirmation. Thanks! :)

Hunnenkoenig

Quote from: Kat on May 26, 2009, 05:55:28 PM
I guess this is the demo site, as it's running v2.

Ah ok, I didn't pay attention. Thanks.
So I think, it doesn't have big changes in appearance :-)

Aleksi "Lex" Kilpinen

Quote from: Hunnenkoenig on May 27, 2009, 04:19:57 AM
Quote from: Kat on May 26, 2009, 05:55:28 PM
I guess this is the demo site, as it's running v2.

Ah ok, I didn't pay attention. Thanks.
So I think, it doesn't have big changes in appearance :-)
It will be bringing out a completely new theme, and some other layout changes as well, but nothing I'd call major for the user point of view, apart from the mentioned new theme ;)

Tristan Perry

Quote from: Hunnenkoenig on May 27, 2009, 04:19:57 AM
Quote from: Kat on May 26, 2009, 05:55:28 PM
I guess this is the demo site, as it's running v2.

Ah ok, I didn't pay attention. Thanks.
So I think, it doesn't have big changes in appearance :-)
Well, actually:

Introducing the (upcoming) new default SMF theme - Curve!

;D

This site is running on 2.0, however the new theme Curve hasn't been released to the public yet (it's still being worked upon and beta tested)

Check out some of the past announcements for new features that are upcoming in 2.0 :)

aED


Aleksi "Lex" Kilpinen


Col

Quote from: metallica48423 on May 26, 2009, 08:50:34 PM
We actually suspect there is a slight bug in email sending affecting the send rate.  Once we found out that it was sending much slower than it should have been, we started pushing the queue manually. 

Either way, we anticipate that it will take anywhere from 6 hours to 2 days depending on server loads, hits, and such, to actually send out the 170,000 emails, also accounting for all of the email notifications that go out in addition to these (which are on a scheduled task), it's quite a significant job.

It did seem slow to me.

From my reading around, it appeared reasonably technically possible to send out mail at a significantly higher rate, but I also note Motoko-chan's point about some ISPs (particularly webmail providers) that impose limits, usually in the most unintelligent manner. I'm sure there must be a ridiculous number of notifications sent out from a forum the size of this place too.

Thanks for the explanation and update.

SabreOfParadise

On my prod forum the update failed when using the Package Manager: No error occurred, but the files were not updated and also nothing in the database.
It worked on my local test forum but I wasn't forced to use FTP there (why FTP? -> It's old and insecure). If anything is wrong with my FTP settings I would expect an error message in SMF.

Ok, so I tried the file "modified_1-1-8_1-1-9.zip", but missed the "update.php" file. Then tried to use the "updateDatabase.php" from the patch package, but it didn't seem to do anything (blank page).

Now I'm confused if my SMF is correctly on version 1.1.9 or not.

The Administration Center says:
Quote:
Forum version: SMF 1.1.9
Current SMF version: SMF 1.1.9
(more detailed)

If I click on "more detailed" the only template marked in red is:
index.german.php   1.1.5   1.1.9
[Edit: This is a template from a language pack, so no surprise here]

Curiously there is another template in another version than the "Current Version":
index.template.php   1.1.5 (Your Version)   1.1 (Current)

I have to say: I'm coming from phpBB 2 and this was my first SMF update, but the updates and corresponding documentation were easier with phpBB. The only downside there was the time-consuming manual adjustments for the different mods (which are already included in SMF 1.1.8, like sub forums, RSS support [doesn't really work currently at this forum] and attachments). But this SMF update took more time anyway (e.g. because I had to set up an FTP server).
