Will the development of SMF continue? (Especially 2.0 Final)

Started by Tapsa2, February 13, 2010, 02:50:35 PM


Kill Em All

There is nothing to worry about, the devs are working real hard and many bugs will be patched I'm sure.


My Site: KEAGaming.com

Manual Installation of Mods
Prevent Spam and Forum Attacks
Please do not PM or email me for support unless offered, help should be publicly displayed to others.

Nibogo

Quote from: Aäron on February 14, 2010, 07:30:13 AM
Personally, I have been very busy with university-related things for the last few months. That and some other things made me take a short break from SMF.

Starting this week, however, I have found time to resume my work on this project again. I fully intend to finish what I started working on (2.0), so please trust me when I say 2.0 RC3 will see the light soon. :)

Great! Thanks Aaron, keep up the nice job.

Owdy

Quote from: Kill Em All on February 14, 2010, 06:37:07 PM
There is nothing to worry about
Nothing? Dude, there are several holes in RC2. Yes, if you are admin, you should be worried. I stopped waiting and converted to another software.
Former Lead Support Specialist

Do you need help with your SMF forum? I take on paid jobs, read: http://www.simplemachines.org/community/index.php?topic=375918.0

Kill Em All

Yes, there are some security holes in RC2, but the developers are fully aware of them and have addressed them for RC3. I can guarantee you that no matter which software you switched to, it still has several security holes itself.

Anyways, good luck with your new forum.



Owdy

Quote from: Kill Em All on February 15, 2010, 01:50:29 AM
Yes, there are some security holes in RC2, but the developers are fully aware of them and have addressed them for RC3.
Sure they are, but that isn't helping if RC3 isn't released. It was supposed to be released before Christmas. RC2 was released 3 months ago.

Quote
I can guarantee you that no matter which software you switched to, it still has several security holes itself.
Indeed, but point is how fast they are fixed after they have been pointed out.

Quote
Anyways, good luck with your new forum.
Thank you. Good luck to SMF too.

Arantor

It would also seem from the way recent posts were mentioned that not all of the holes have actually been fixed in RC3 yet.

Nao 尚

Could someone point me to the exploit examples then, so that I can fix my forum myself? :P
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

YogiBear

The point is, how clickable avatars (as in RC3) can be more important than fixing security problems eludes me.
SMF v2.1.3  Mods : Snow & Garland v1.4,  PHP  v.7.4.33

Trekkie101

IIRC you need to be logged into the admin panel, and click a link, or copy some stuff into the input boxes to take any effect.

As you can see by us running it on this site, there are no critical exploits that are seriously going to harm your forum. Also the ones mentioned will be fixed soon :)

Edit: Also, there have been security fixes committed so far :)

青山 素子

I think Trekkie101 was trying to say, in short, all the public-facing vulnerabilities have been patched. There are some that require an admin to do them, but those will probably be patched in short time.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Kill Em All

Quote from: YogiBear on February 15, 2010, 09:48:23 AM
The point is how clickable avatars (as in RC3) can be more important that fixing security problems eludes me.
I'm sorry, but I found this quite funny, even though there isn't a big hole in security.

I can tell you this: I think, considering that there hasn't really been anything solid reported where SMF was completely at fault for a security breach, that this is pretty much saying SMF 2.0 RC2 is quite secure and that users don't have much to worry about, and then RC3 will just be even more secure.



Arantor

KEA: Oh really?

Let's see, there's all the stuff that was fixed in 1.1.11, plus at least one unpatched XSS hole that I know of*, but you have to be in the admin panel as an admin to exploit it.

* Unpatched in RC2, I suspect it's been fixed by now.

I guess you also don't know of the program underway by a third party to aggressively find holes in SMF.

Kill Em All

I don't go out of my way to find holes in SMF. I'm also a developer of nothing, I never did development, and I have no idea how development works. (just being honest, I expect someone taking a shot at that comment.)

I do know, however, that the developers of SMF are going out of their way to fix as many bugs (including security holes) as possible before releasing RC3. Yes, you can say that RC3 was supposed to be out at Christmas time, and it wasn't; why, I don't know, but I'm sure the devs have very good reason(s). I can't speak for everyone, but I'd rather have RC3 working smoothly instead of being rushed out, which is obviously what the devs are not doing, unlike some that might.

Sorry if I offended anyone with the above post(s).



Antechinus

Quote from: Motoko-chan on February 15, 2010, 10:59:11 AM
I think Trekkie101 was trying to say, in short, all the public-facing vulnerabilities have been patched. There are some that require an admin to do them, but those will probably be patched in short time.
Well according to Aaron (who can usually be relied on to know what he is talking about) all known vulnerabilities will be fixed in the public RC3.

Bancherd

Quote from: Antechinus on February 15, 2010, 03:32:52 PM
Quote from: Motoko-chan on February 15, 2010, 10:59:11 AM
I think Trekkie101 was trying to say, in short, all the public-facing vulnerabilities have been patched. There are some that require an admin to do them, but those will probably be patched in short time.
Well according to Aaron (who can usually be relied on to know what he is talking about) all known vulnerabilities will be fixed in the public RC3.

Great! I am eagerly waiting to resume my work on upgrading my public forum from 1.1.11, so I could use the new portal software and some other great mods.

After all the dirty laundry floating around, this is quite reassuring.

Thanks for the hard work, guys and gals.   

Boxerforum

Quote from: Aäron on February 14, 2010, 04:42:58 PM
Quote from: Antechinus on February 14, 2010, 04:14:20 PM
Important question: can someone (Aaron?) confirm that RC3 will fix all known security issues with 2.0?

That is the case, yes. :)
That's great news Aäron  :)

Methylis

About time.


We're looking at, what... three months? An unacceptably long time for security fixes in an internet-facing application. Except, still no published patch as of the time of writing, even now. What happened to 2.1?


Can we please have a stated upper bound on the length of time it takes to patch security vulnerabilities from report to published patch in days (and you should never delay security updates for non-Charter members), and a stated upper bound on the length of time it takes to patch security vulnerabilities from public disclosure to published patch in hours?

Frankly, weeks is too long. Days is too long in some cases. 3 months from public disclosure is lacking all reasonable sense of urgency regarding your users' security—to the extent that unless a firm commitment to patching security vulnerabilities of released versions in a timely manner can be made, I wholeheartedly support the full public disclosure of all discovered security vulnerabilities in SMF 1.x and 2.x so that at least administrators can be aware and put in place appropriate safeguards, possibly make internal code changes or workarounds, remain vigilant against attack and keep regular backups, or if appropriate migrate.


(And ask the phpBB team about the Santy worm for why they stopped putting version numbers in their copyright statement.)


Should third parties be making determined attempts to find security bugs, you should welcome that as a challenge to respond to, one that ultimately improves the software. It will come out the other end with fewer bugs, which is always a good thing; providing, that is, you are able to respond in a timely manner.

Once 2.0 goes live, I would suggest that internal report -> published patch should take no longer than 30 days, and public disclosure -> published patch should in no case take longer than 72 hours. Security bugs are critical issues; emergencies that override all other priorities (including funding status or any internal politics). They should always be treated as such.

It is often possible to combine unrelated bugs to construct more severe chains of vulnerabilities, so don't ignore a security bug just because it seems minor, as you may find that a combination of bugs allows an exploit to become dangerous. (By way of example, one of the XSS bugs combined with the administrator bug could be a severe risk when the administrator visits the forum, gets hit with the XSS bug, and the script in that XSS executes the administrator bug, executing arbitrary code on the server.)
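The chaining point in the post above, illustrated with an added toy model (this is not SMF code and not part of the original post; the forum, its `/admin?set=...&value=...` endpoint, the `admin-cookie` session, the `t0k3n` token and the attacker's post are all constructed for the example). Two individually "minor" bugs are modelled: post bodies rendered without output encoding, and a privileged setting change that trusts nothing but the session cookie. The admin's browser is simulated only far enough to do what a real browser does with an `<img src>`: fetch it with the admin's cookie attached. Each fix is then switched on separately to see which link of the chain it breaks.

```python
# Added example (hypothetical toy, not SMF code): a markup-injection bug chained
# with a privileged action that trusts only the session cookie, and which fix
# breaks which link of the chain.
import html
import re
from urllib.parse import parse_qs, urlsplit

# A browser fetches every <img src> it renders, sending the user's cookies.
IMG_SRC = re.compile(r'<img\s+[^>]*src="([^"]+)"', re.IGNORECASE)


class ToyForum:
    """Minimal forum: posts are stored and rendered; one admin-only setting."""

    def __init__(self, escape_output, require_token):
        self.escape_output = escape_output    # fix for the injection bug
        self.require_token = require_token    # fix for the privileged-action bug
        self.posts = []
        self.settings = {"maintenance": "0"}
        # Constructed session store: one logged-in administrator.
        self.sessions = {"admin-cookie": {"is_admin": True, "token": "t0k3n"}}

    def submit_post(self, body):
        self.posts.append(body)

    def render_index(self):
        # Vulnerable path: post bodies are dropped into the page as-is.
        # Fixed path: HTML-encode them so markup becomes inert text.
        items = [html.escape(p, quote=True) if self.escape_output else p
                 for p in self.posts]
        return "<ul>" + "".join(f"<li>{p}</li>" for p in items) + "</ul>"

    def handle(self, url, cookie):
        """Privileged action: /admin?set=<key>&value=<v>[&token=<t>]. Returns an HTTP-like status."""
        parts = urlsplit(url)
        if parts.path != "/admin":
            return 404
        sess = self.sessions.get(cookie)
        if not sess or not sess["is_admin"]:
            return 403                      # not an administrator
        query = parse_qs(parts.query)
        if self.require_token and query.get("token", [None])[0] != sess["token"]:
            return 403                      # forged request: no per-session token
        key = query.get("set", [""])[0]
        value = query.get("value", [""])[0]
        if key not in self.settings:
            return 400
        self.settings[key] = value
        return 200


def admin_visits(forum, cookie):
    """Simulate the admin's browser loading the index: every <img src> in the
    rendered page is fetched with the admin's cookie, as a real browser would."""
    page = forum.render_index()
    return [forum.handle(html.unescape(src), cookie) for src in IMG_SRC.findall(page)]


def run_chain(escape_output, require_token):
    """Return the maintenance setting after one malicious post and one admin visit."""
    forum = ToyForum(escape_output, require_token)
    # Constructed attacker post: harmless text to a reader, but when rendered raw
    # it becomes an authenticated GET to the privileged endpoint.
    forum.submit_post('<img src="/admin?set=maintenance&amp;value=1">')
    admin_visits(forum, "admin-cookie")
    return forum.settings["maintenance"]


if __name__ == "__main__":
    print("no fixes     ->", run_chain(False, False))   # chain succeeds
    print("escape only  ->", run_chain(True, False))    # payload rendered as text
    print("token only   ->", run_chain(False, True))    # forged GET is refused
    print("both fixes   ->", run_chain(True, True))
```

The markup-only vector is stopped by either fix, which is why a per-request token on privileged actions is worth having regardless of the injection bug. The caveat the post's wording points at is that a full script-executing XSS runs in the forum's own origin and can simply read that token out of the page before submitting, so the token alone does not close the chain; the injection bug has to be fixed too, and the chain is only reliably broken with both.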

MultiformeIngegno

RockCiclopedia (wiki - forum), the whole history of rock, written by you ...
Stay up to date on the music world thanks to the new feed "RockCiclopedia Music News"!

catfished

You use and like this forum software? Then show your appreciation and support by becoming a Charter Member.



CatfishEd.com

青山 素子

I'm not currently familiar with the development progress, but I wouldn't be surprised if there is an RC4 for last-minute cleanup, with a stable release a month after.

