This thread is for discussing the release of vBulletin 3.5.6.

Please use this thread to talk about things you like or installation experiences etc., but please do not use this thread to post troubleshooting queries or bug reports. These threads tend to grow very large and bug reports etc. tend to become lost and will not get attention from the support or development teams.

First. :)

Guess I'd better upgrade. :)

Second.
Thanks :)

Hello,

First i want to say that it is grate job ,then, i use vBulletin 3.5.2 and now i can't upgrading my vb

where can i find the pacth for vbulletin 3.5.2? i went to the member area and i didn't see it.

That's all
Best Regards

3.5.1 -> 3.5.2 patch (http://www.vbulletin.com/forum/showthread.php?t=166391)
3.5.2 -> 3.5.3 patch (http://www.vbulletin.com/forum/showthread.php?t=169997)
3.5.3 -> 3.5.4 patch (http://www.vbulletin.com/forum/showpost.php?p=1079053&postcount=3)
3.5.4 -> 3.5.5 patch (http://www.vbulletin.com/forum/showpost.php?p=1177756&postcount=3)
3.5.5 -> 3.5.6 patch (http://www.vbulletin.com/forum/showpost.php?p=1247454&postcount=2)

Note if you install all these patches you are STILL RUNNING vBULLETIN 3.5.1 or whatever version you had before. You are only fixing security problems. There are HUNDREDS of changes between each version that you are not getting!

Find yourself a weekend or week that you can dedicate to doing a proper upgrade to 3.6.x when you can! Be ready to migrate/merge/change dozens of templates to include all the improvements and changes in 3.6.x otherwise you will have a very unpleasant time. You cannot simply shove a 3.5.x style into 3.6.x and keep going. It won't work.

We do not advise only applying patches, except when you are running the latest release. Applying patches for multiple versions can lead to unexpected behaviour and we can not support it.

As mentioned there have been many changes and bug fixes since vB 3.5.2.

I understand that .

Thankyou

Will you provide a product-xml to close the security hole?

Will you provide a product-xml to close the security hole?
That's not possible.

We do not advise only applying patches, except when you are running the latest release. Applying patches for multiple versions can lead to unexpected behaviour and we can not support it.

As mentioned there have been many changes and bug fixes since vB 3.5.2.
I guess I will be a guinea pig then.

I will upgrade to 3.6.x soon.

If there is a security issue that forms an immediate threat to our customers, we will release a patch to fix that. There are however more security related changes.

A nice example is the introduction of the HttpOnly cookies with vBulletin 3.5.5. This is done to improve the security, but is not released as a patch, and you will only benefit from this change if you upgrade to 3.5.5.

About applying a patch on a release older then the previous: In between versions there are also database changes. If we release a patch as a replacement file for your current (latest) version, then we have checked that there are no conflicts in the file with the database version of the latest release. We can not assure that for older releases.

If there is a security issue that forms an immediate threat to our customers, we will release a patch to fix that. There are however more security related changes.

A nice example is the introduction of the HttpOnly cookies with vBulletin 3.5.5. This is done to improve the security, but is not released as a patch, and you will only benefit from this change if you upgrade to 3.5.5.

About applying a patch on a release older then the previous: In between versions there are also database changes. If we release a patch as a replacement file for your current (latest) version, then we have checked that there are no conflicts in the file with the database version of the latest release. We can not assure that for older releases.
Does this apply to 3.5.4 ? If so, what patch must be applied? I'm not ready for 3.6.3 yet.

You can't get the HttpOnly by patching. HttpOnly doesn't fix a specific security flaw but makes security flaws less likely.

The patches for imminent security threats for 3.5.4 and 3.5.5 have already been posted.

OK thanks feldon23. I've just upgraded to 3.5.6 to prevent anything going wrong.

Will you provide a product-xml to close the security hole?


That's not possible.


Then is this class_image.php replacement a patch for 3.5.x , or only 3.5.5?


When was the last time class_image.php was modified before this?


The class_image.php file I am replacing is from 3.5.1

We have applied all security patches related since then, but since this isn't able to be released as a plugin, there could potentially be a problem if the class_image.php file was changed since 3.5.1 - 3.5.5, since we may not have the other file(s) required to support those changes.


(We've got a lot of custom modifications, so I'm waiting a bit for the 3.6.x to stablize before we upgrade to that.)

I'm sure we're not the only people in this situation & I don't expect you guys to be able to support every situation... especially people in situations like ours.

But it would be good to have a little more information about the history of changes to this file since 3.5.1 if at all possible.


Here are the diffs that I have between the 3.5.1 version (ORIGINAL) and the 3.5.5 patch version (NEW).....



removed.... I was going to post it, but I realized it's viewable to the public & that might not be cool.Anything in there that might cause problems for people running 3.5.1?

If the file hasn't changed since 3.5.1 we should be in good shape :)

A nice example is the introduction of the HttpOnly cookies with vBulletin 3.5.5. This is done to improve the security, but is not released as a patch, and you will only benefit from this change if you upgrade to 3.5.5.

Seems like we're going to need to upgrade to 3.6.x sooner than later :rolleyes:

It looks like there are a lot of code modifications in includes/class_image.php from 3.5.1 -> 3.5.6 which might cause problems if you try to just drop the 3.5.6 file on top of a 3.5.1 forum.

Looking at the patch, it appears that lines 209 - 239, 655 - 658, and 1649-1652 are the most important ones and perhaps people can integrate just those 3 sets of changes to their own files?

Of course there are NO guarantees that this will be safe and 100% secure. It really is preferable to upgrade to a newer version of the software.

jeremycs, he is saying that if you upgrade (rather than patch) to 3.5.6, you are fully secure.

jeremycs, he is saying that if you upgrade (rather than patch) to 3.5.6, you are fully secure.

Right, I completely understand. We just can't upgrade yet.

But I'm going to have to look into going either to 3.5.6 or 3.6.x asap I guess.

big fun. :rolleyes:

3.6.x is in my near future. $30 for vB and $40 for PhotoPost to upgrade my vBAdvanced Gallery.

3.5.1 -> 3.5.2 patch (http://www.vbulletin.com/forum/showthread.php?t=166391)
3.5.2 -> 3.5.3 patch (http://www.vbulletin.com/forum/showthread.php?t=169997)
3.5.3 -> 3.5.4 patch (http://www.vbulletin.com/forum/showpost.php?p=1079053&postcount=3)
3.5.4 -> 3.5.5 patch (http://www.vbulletin.com/forum/showpost.php?p=1177756&postcount=3)
3.5.5 -> 3.5.6 patch (http://www.vbulletin.com/forum/showpost.php?p=1247454&postcount=2)


NOTE: Even if you do this, you STILL may have problems using the class_image.php file on a version < 3.5.5 if the class_image.php file has changed at all since 3.5.1

We have all of those security patches applied already.


VBULLETIN TEAM: Is there any possible way for you to issue this in a way that it doesn't force people to upgrade? This sort of breaks the patch/xml history listed above -- where you could apply security patches to older versions without potentially breaking your forum.

I understand where you guys are coming from though... you can only support so many versions before people are going to be forced to upgrade to something more current.

But since the problem/fix is only in one file (class_image.php) I wouldn't think it would be that difficult to ensure that it will work with whatever version the people are running.

I'm using vB 3.5.5 + many hacks. Should I remove all hack before running the patch ??

I'm using vB 3.5.5 + many hacks. Should I remove all hack before running the patch ??
1) Backup
2) Install patch.

I would expect no problems.

Hi

some what confused my forum is vBulletin Version 3.5.4

which patch I am suppost to use

please give me adirect link

You should upgrade to 3.5.6; but nonetheless, the patch released is here: http://www.vbulletin.com/forum/showthread.php?p=1247454#post1247454

Do I need to turn off my board while running the patch ??

The patch is 1 file. It takes 5 seconds to upload it. No need to shut the forum.

I am running 3.5.4 and I am running quite a few hacks such as vbPlaza and vbPager along with many others. If I did the 3.5.6 full and complete update, would I lose those hacks or would the hacks would not be functional in some aspects or at all?

I am running 3.5.4 and I am running quite a few hacks such as vbPlaza and vbPager along with many others. If I did the 3.5.6 full and complete update, would I lose those hacks or would the hacks would not be functional in some aspects or at all?Depends if you need to edit php files. If you do, then they won't work until you edit them.

I typically make all of my edits before overwriting my files.
I keep a log which files and templates need to be edited.

Do I need to turn off my board while running the patch ??

Just replace the new file over the old one

buyur
??????????????

I just accidentally applied the 3.0xx series patch to my 3.5.4 installation. The forum was active for about 5 minutes before I realized it. I've closed the forum and re uploaded the original files, and the new correct patch. Am I gonna have any database damage from this stupid error?

you shouldn't do, you replaced the wrong file with the right one, plus adding this patch file won't make any major alterations to the db just A few vbulletin files (if that)

if you get any CRAAAAAZY errors, post in the help forum :)

Thanks. I went ahead and made a local backup using mysqldump just incase anyways.

just replacing the file mentioned just serves the casue rite

i dont like this version
=P

i dont like this version
=P:confused:
Compared to which version?

Just a quick question...

I have been getting donations from my members so I can have VB do the upgrade because I am absolutely clueless on how to do it myself and before I spend the money can someone please tell me if another version (3.6.4 or whatever) is in the makes? I have one shot at an upgrade so I want to make sure I am getting the latest version possible. :o

Thanks for the help!

Cori

A new version will be released if there are critical updates, there is no way we can give you a date in advance.

ok, thanks Marco! :) Just thought I would check hehe

Well I just went into the members area to download the 3.5.6 FULL but all it is showing me is 3.5.4 which I am currently running. Am I missing something?

Well I just went into the members area to download the 3.5.6 FULL but all it is showing me is 3.5.4 which I am currently running. Am I missing something?
Did you check to see if your license had expired?

Well I just went into the members area to download the 3.5.6 FULL but all it is showing me is 3.5.4 which I am currently running. Am I missing something?
Please post in the appropriate support forum.