vBulletin Update Alerts - For Webmasters
Posted: Tue Oct 15, 2013 11:25 am
by SlipperyDuck
I've added a MOD that will post the security/patch alerts as an addition/post within this thread. The reason for this is that logging into the Admin control panel is not as frequent as reading Threads and Posts.
I don't want to be in a situation where a clear security threat has been identified, a patch applied and we sit for a week without noticing and then suddenly get hit by exploit bots and what have you.
So the Mod will be posting here whenever there is an update.
ACP News: vBulletin 4.2.2 Now Available - October 8th, 2013
Posted: Tue Oct 15, 2013 11:31 am
by [grrr]Squad
#185 vBulletin 4.2.2 is Now Available!
Today we're announcing the availability of vBulletin 4.2.2. If you have an active vBulletin license, you can download your copy of vBulletin 4.2.2 from the vBulletin Customer Area at:
https://members.vbulletin.com
ACP News: vB 4.1.12 PL4, 4.2.0 PL4 & 4.2.1 PL1 Released for Potential XSS in Forum Runner - October 8th, 2013
Posted: Tue Oct 15, 2013 11:31 am
by [grrr]Squad
#184
During testing of vBulletin 4.2.2 a potential XSS exploit was found by our QA team in the Forum Runner application.
This issue is fixed in vB4.2.2 & we have released PL updates for 4.2.1, 4.2.0 & 4.1.12.
vBulletin 4.2.1 PL1
vBulletin 4.2.0 PL4
vBulletin 4.1.12 PL4
Note that this only affects the included Forum Runner application, not the main vB4 Forum or Suite.
If you are not using the Forum Runner application on your forum, you will not be affected by this issue.
To patch your forum you can do one of three things.
1. Download the relevant patch for your version, unzip it, and upload the patch files to your server.
2. Download the latest full version of vB4.2.x, unzip and upload the files, and upgrade your forum to the latest version (delete the install folder afterwards).
3. Download the full set of files for your current version, unzip and upload the files to replace all the files on your server (delete the install folder afterwards).
ACP News: vBulletin 5 Connect v5.0.5 is Now Available - Sep 25th, 2013
Posted: Tue Oct 15, 2013 11:31 am
by [grrr]Squad
#183 vBulletin 5.0.5 is Now Available!
Today we're announcing the availability of vBulletin 5 Connect v5.0.5.
If you have an active vBulletin license, you can download your copy of vBulletin 5.0.5 from the vBulletin Customer Area at:
https://members.vbulletin.com
Read more here: http://www.vbulletin.com/go/505
ACP News: vBulletin 5 Connect Security Patches Released (All versions)
Posted: Tue Oct 15, 2013 11:31 am
by [grrr]Squad
#182 A data integrity exploit has been discovered in vBulletin 5. This exploit was discovered by our Quality Assurance team. The issue affects all versions of vBulletin 5 Connect, including 5.0.0, 5.0.1, 5.0.2, 5.0.3, and 5.0.4. We have released security patches for all versions and they are available immediately. It is recommended that you upload the patches to your server immediately.
You can download the patch for your version here:
http://members.vbulletin.com/patches.php
Please install the patch immediately.
Installing the Patch
For additional instructions please see the online documentation at: Upgrade to a Patch Level
Please visit the support forums if you have any questions.
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions
ACP News: Potential vBulletin Exploit (vBulletin 4.1+, vBulletin 5+)
Posted: Tue Oct 15, 2013 11:31 am
by [grrr]Squad
#181 A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:
4.X - /install/
5.X - /core/install
After deleting these directories your sites cannot be affected by the issues we're currently investigating.
vBulletin 3.X and earlier versions of 4.X would not be affected by these issues. However if you want the best security precautions, you should delete your install directory as well.
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
Posted: Tue Oct 15, 2013 11:32 am
by SlipperyDuck
!! Please note that the following (above) is the initial run of the check for updates - these have all been applied and are now done !!
ACP News: YUI Security Issue found in uploader.swf
Posted: Mon Jan 06, 2014 9:55 pm
by [grrr]Squad
#186 It has come to our attention that there is a security issue in the uploader.swf file included as part of the Yahoo User Interface (YUI) library included in vBulletin 4. As the version of YUI included in vBulletin is end-of-lifed, Yahoo will not be fixing this issue. Their recommendation is to remove the file from your server. We recommend that you replace this with an empty file of the same name (attached). What this will do is force vBulletin to use a fallback javascript based uploader which is already provided in your system.
See: http://yuilibrary.com/support/20131111-vulnerability/
The vulnerable file is also present in the vBulletin 5 download package though not used by the vBulletin 5 front-end. We recommend that you delete the file and replace it with the attached file.
We have also updated all download packages for vBulletin 4.X and 5.X with the new empty file.
To resolve this issue take the following steps:
- Delete uploader.swf located in clientscript/yui/uploader/assets or /core/clientscript/yui/uploader/assets
- Replace it with the attached file.
- Alternatively, you can download the vBulletin package for your version and replace it from that download.
Note: We will not be fixing the vulnerability in the SWF file directly nor do we plan to take any other action on this issue at this time.
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4014388-yui-security-issue-found-in-uploader-swf
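An added example, not part of the original posts or of vBulletin's own tooling: a shell check that a web root no longer holds the install directories named in announcement #181 or a non-empty uploader.swf from announcement #186. The function name, the output labels and the assumption that the replacement uploader.swf is zero bytes are this example's own.

```shell
#!/bin/sh
# Added example (not vBulletin's code): audit a vBulletin web root for the
# leftovers that announcements #181 and #186 say to remove.
# Assumption: the vendor's "empty" replacement uploader.swf is zero bytes.
# If it is not, compare against the vendor file's checksum instead of size.

# audit_vb_root DIR
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad DIR.
audit_vb_root() {
    root=$1
    findings=0

    if [ ! -d "$root" ]; then
        echo "ERROR not a directory: $root" >&2
        return 2
    fi

    # Install directories: 4.X ships /install/, 5.X ships /core/install.
    for rel in install core/install; do
        if [ -d "$root/$rel" ]; then
            echo "INSTALL_DIR_PRESENT $rel"
            findings=$((findings + 1))
        fi
    done

    # uploader.swf: present and non-empty means it was never replaced.
    # A missing or zero-byte file both count as remediated.
    for rel in clientscript/yui/uploader/assets/uploader.swf \
               core/clientscript/yui/uploader/assets/uploader.swf; do
        if [ -s "$root/$rel" ]; then
            echo "UPLOADER_SWF_NOT_EMPTY $rel"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit.sh /path/to/forum/root
if [ "$#" -gt 0 ]; then
    audit_vb_root "$1" && echo "OK no findings"
fi
```

Run it from cron against each forum root so a re-uploaded full package that restores the install directory is noticed.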
ACP News: Security Exploit Patched in all versions of vBulletin
Posted: Fri Mar 14, 2014 7:53 am
by [grrr]Squad
#187 A security issue has been found that affects all versions of vBulletin including 3.x, 4.x and 5.x. We have released security patches to account for this vulnerability. This includes patches for vBulletin 3.8.7, vBulletin 4.2.2 and all versions of vBulletin 5. The patch is also applied to vBulletin 5.1.0 RC1. It is imperative that you apply these patches as soon as possible.
Due to functionality changes, the minimum PHP version for the patch is 5.2.0. This represents an increase for vBulletin 3. Alternatively customers can install the JSON functions separately via http://pecl.php.net/package/json in which case it will work with any compatible PHP version that their particular version of vBulletin supports. You will need to collaborate with your hosting provider or systems administrator to apply the changes to PHP.
All patches can be found at http://members.vbulletin.com/patches.php
This includes:
vBulletin 5.0.5 PL1
vBulletin 4.2.2 PL1
vBulletin 3.8.7 PL3
vBulletin 3.8.7 MAPI
You can find DIFF Patches for other versions here:
http://www.vbulletin.com/forum/node/4024547
ACP News: vBulletin 5 Connect v5.1.2 is Now Available - Jul 10th, 2014
Posted: Thu Jul 10, 2014 4:25 pm
by [grrr]Squad
#188 vBulletin 5.1.2 is Now Available!
Today we're announcing the availability of vBulletin 5 Connect v5.1.2.
If you have an active vBulletin 5 license, you can download your copy of vBulletin 5.1.2 from the vBulletin Customer Area at:
https://members.vbulletin.com