PHPBB Update

In this forum you can write about anything that does not fit in other forums.
This includes generic Oric talkings and things that are totaly unrelated but want to share with people here :)
Post Reply
User avatar
Dbug
Site Admin
Posts: 3018
Joined: Fri Jan 06, 2006 10:00 pm
Location: Oslo, Norway
Contact:

PHPBB Update

Post by Dbug » Sun Nov 10, 2019 11:39 am

Since there was some connectivity issues, I did some maintenance on the server, including updating phpbb to the very latest version (it looks like they fixed some security and authentication issues, so maybe that will help.
Greetings everyone,

Today we’re announcing the release of phpBB 3.2.8. This release is dedicated to the memory of Maria Wilhelmina Theodora 'Marian' Verhoog-Wienk [08 October 1958 - 18 September 2019], who you may know as marian0810. Rust in vrede, Marian.

This version is a maintenance and security release of the 3.2.x branch which fixes three security issues, introduces further hardening, and resolves various issues reported in previous versions.

Previous versions of phpBB did not properly enforce form tokens on two seperate pages which could have been used to trick users into carrying out unwanted actions. We’d like to thank kevinoclam (via HackerOne) and Yuval Kanarenstein of SecuriTeam Secure Disclosure for their report and responsible disclosure. The issues have been assigned CVE-2019-16107 and CVE-2019-13376 respectively.
In addition to this, improper validation of BBCode parameters allowed modifying the style attribute and injecting arbitrary CSS into the page. We’d like to thank Hanno Böck for his report and responsible disclosure. The issue has been assigned CVE-2019-16108.

For further hardening phpBB against potential attacks, we have integrated the Referrer-Policy header and disabled the MySQLi local infile setting. The Referrer-Policy header will prevent sending any kind of referrer information to less secure destinations or third party sites while disabling the MySQLi local infile setting will prevent MySQL servers from potentially requesting local files from the client side. These changes were introduced based on input received from Akash Methani and LoRexxar @ knownsec 404Team respectively.

The fixed issues include, among others, multiple issues with OAuth logins, improved login form token check that should now work in all templates, restoring the ability to restore database backups, and support for newer TLS versions for SMTP connections on the latest PHP versions.
Searching for users by their last visit time has been modified to prevent potentially unwanted results from showing up.

In order to help the support team in assessing issues in phpBB, we have now disabled the uninstallation of prosilver. Prosilver can however still be deactivated.

The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.8 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=15090

The packages can be downloaded from our downloads page.

The development team thanks everyone who contributed code to this release: 3D-I, Dark❶, Jakub Senko, mrgoldy, rxu, Christian Schnegelberger, EA117, kasimi, JoshyPHP, Casey Peel, Nekstati, Nuno Lopes, cclauss, espipj, kinerity

If you have any questions or comments, we'll be happy to address them in the discussion topic.

- The phpBB Team
Obviously an update of phpbb is never safe, and this was proved once again by having the server kick me out with an Error 500... which after looking at the logs was apparently caused by the MediaEmbed extension, so I updated that one as well
### 1.1.1 - 2019-06-13

- Fixed an issue that could cause some boards to have a fatal PHP error.
- Internal code updates and language pack corrections (Arabic, French, Italian).
- Updated site: clyp.it
- Added site: allocine.fr

### 1.1.0 - 2019-04-29

- Implemented a new feature allowing users to add new media sites or update
existing site definitions by dropping simple YAML files into the extension.
These will be available through our support forum, as well as documentation
on adding and creating new site YAML files for MediaEmbed.
- Added new media sites using the new YAML implementation:
- Clyp.it
- CodePen
- DotSub
- Ebaum's World
- ModDB
- OK.ru
- SchoolTube
- Snotr
- VideoPress
- Added language packs:
- Arabic
- Brazilian Portuguese
- Chinese
- Czech
- Danish
- Estonian
- French
- German
- Italian
- Polish
- Spanish (casual)
- Turkish

### 1.0.4 - 2019-03-12

- Fixed another issue that could break future versions of phpBB (3.2.6 or newer)

### 1.0.3 - 2019-01-03

- Fixed an issue that could break future versions of phpBB (3.2.6 or newer)

### 1.0.2 - 2018-06-25

- Added a global setting to enable or disable the conversion of plain URLs into embedded content.
- Added a forum based permission, allowing control over who can post embedded content in specific forums.
- Added a user based private messages permission, allowing control over who can post embedded content in their private messages.
- Fixed an issue where embedded content could still be posted by users who did not have permission to use BBCodes in a specific forum.
- Fixed an issue where embedded content could still be posted even though the Disable BBCode option was checked in the post editor.
- When users disable the option to automatically parse URLs in their post, plain URLs will no longer be converted to embedded content either.

### 1.0.1 - 2017-08-04

- Minor code improvements and updates
- Added Dutch language pack
- Added Russian language pack
- Added Spanish language pack

### 1.0.0 - 2017-01-14

- First release
As usual, please signal anything wonky or not working.

Post Reply