vBulletin 3.5.7 Release Discussion


Kier
Wed 22nd Nov '06, 11:17am
This thread is for discussing the release of vBulletin 3.5.7.

Please use this thread to talk about things you like or installation experiences etc., but please do not use this thread to post troubleshooting queries or bug reports. These threads tend to grow very large and bug reports etc. tend to become lost and will not get attention from the support or development teams.

For reporting bugs, please use the appropriate bug tracker (http://www.vbulletin.com/forum/bugs35.php).

egyptsons
Fri 24th Nov '06, 3:24pm
This thread is for discussing the release of vBulletin 3.5.7.

Please use this thread to talk about things you like or installation experiences etc., but please do not use this thread to post troubleshooting queries or bug reports. These threads tend to grow very large and bug reports etc. tend to become lost and will not get attention from the support or development teams.

For reporting bugs, please use the appropriate bug tracker (http://www.vbulletin.com/forum/bugs35.php).
Thanks, I will update it soon
;)

ChrisGuthrie.net
Fri 24th Nov '06, 3:47pm
I'm on 3.52 and 3.61. If I apply the patch will my forum still run correctly (as these are older versions, I don't want to overwrite the files and have it stop working).

labrocca
Fri 24th Nov '06, 3:59pm
admincp/index.php
includes/adminfunctions_template.php
includes/class_core.php
install/ - all of it

In my 3.5.7 patch download I only see admincp/index.php

You have listed the above files changed since 3.5.6

Please advise.

feldon23
Fri 24th Nov '06, 6:31pm
If you want 3.5.7, upgrade to 3.5.7.
If you want the patch (which fixes 1 security problem and is NOT an upgrade), use that.

RFViet
Sat 25th Nov '06, 12:08am
I'm using vb3.5.5 with 3.5.6 patch. So what patch should I download now?

Colin F
Sat 25th Nov '06, 5:52am
You can try using the patch linked in the announcement thread, but we can't guarantee that it'll work.
You'd be best off doing a full upgrade.

blind-eddie
Sat 25th Nov '06, 10:10am
I use 3.5.3 and have been running my site alone for about a year. But I did not do the install of vBulletin and have no clue what I'm doing to either patch my version let alone a full upgrade. I downloaded the patch for 3.5.3 and have a sendmessage.php sitting alone & I also have a folder named includes with functions.php file in it. Do I just overwrite my files with these?
I am sorry if I wasn't supposed to babble on this thread, but I need help...please advise....

creativepart
Sat 25th Nov '06, 12:39pm
The patch file I downloaded this morning (Saturday) for 3.5.4 has only two files in it and they are:

attachments.php
functions.php
That doesn't sound correct since your list of changed files are completely different than those two. You list:

admincp/index.php
includes/adminfunctions_template.php
includes/class_core.php
install/ - all of it
Is the patch file correct for 3.5.4?? I downloaded it twice from the page you link to in the announcement but got the same thing each time.

Thanks for your help.
Paul Green

feldon23
Sat 25th Nov '06, 12:57pm
The patch file I downloaded this morning (Saturday) for 3.5.4 has only two files in it and they are:

attachments.php
functions.php
That doesn't sound correct since your list of changed files are completely different than those two. You list:

admincp/index.php
includes/adminfunctions_template.php
includes/class_core.php
install/ - all of it
Is the patch file correct for 3.5.4?? I downloaded it twice from the page you link to in the announcement but got the same thing each time.

Thanks for your help.
Paul Green

Patch or Upgrade, your choice. Patch does NOT get you to 3.5.7.

creativepart
Sat 25th Nov '06, 2:41pm
Patch or Upgrade, your choice. Patch does NOT get you to 3.5.7.

Your response confused me. I'm looking for the patch only. Not the upgrade. I'm asking if the two files in the patch that I downloaded are the correct files. That's all.

It seems to me that the announcement listed different files FOR THE PATCH than what I downloaded and I'm asking if the patch file is correct.

Thanks
Paul

feldon23
Sat 25th Nov '06, 2:45pm
The list of changed files is a list of files that have changed between 3.5.6 and 3.5.7.

The list of patched files is the list of files that you must upload to go from 3.5.6 to 3.5.6 patched.

If you want to get to 3.5.7, you must download the complete vBulletin package which changes all the files listed in the announcement.

If you want to get 3.5.6 patched, download the patch and install.

This question gets asked several times each time there is a new release. Unfortunately I have yet to find a way to explain it that answers the question for everyone. The announcements have gotten more and more explicit about the Patch not being an Upgrade to no avail.

creativepart
Sat 25th Nov '06, 4:29pm
This question gets asked several times each time there is a new release. Unfortunately I have yet to find a way to explain it that answers the question for everyone. The announcements have gotten more and more explicit about the Patch not being an Upgrade to no avail.

How about confirming that:
attachments.php
functions.php
are the proper two files for the patch?

That is all that I am asking. Nothing else.

As I've said. I'm not looking for an upgrade. Don't want to download the upgrade. I'm not seeking to upgrade. All I'm asking is if the two files in my download patch for 3.5.4 are the correct files.

I wouldn't even worry about it if I hadn't seen other files listed as "changed" files in the same announcement thread as the one pointing to the various patch files.

labrocca
Sat 25th Nov '06, 4:39pm
The patch file I downloaded this morning (Saturday) for 3.5.4 has only two files in it and they are:

attachments.php
functions.php
That doesn't sound correct since your list of changed files are completely different than those two. You list:

admincp/index.php
includes/adminfunctions_template.php
includes/class_core.php
install/ - all of it
Is the patch file correct for 3.5.4?? I downloaded it twice from the page you link to in the announcement but got the same thing each time.

Thanks for your help.
Paul Green


There is either a problem with the announcement from Kier or the patch is wrong...which is it?

It clearly states on the announcement page the changed files since 3.5.6. One has to assume the patch includes only those files..instead the patch 3.5.6 has only 1 file in it.

This is the confusion to the members and we simply ask for clarification.

creativepart
Sat 25th Nov '06, 4:47pm
This is the confusion to the members and we simply ask for clarification.

YES! Thank you. That is all we are asking.

So???? What files should be in the patch? Everything stated makes it sound like at the very least admincp/index.php should be in the patch. Yet it's not.

Why does the patch have only functions.php and attachments.php files if the exploit is in the admin routines?

feldon23
Sat 25th Nov '06, 4:51pm
I wouldn't even worry about it if I hadn't seen other files listed as "changed" files in the same announcement thread as the one pointing to the various patch files.

The list of files changed from 3.5.6 to 3.5.7 is for people who have heavily modified the source files of vBulletin who nonetheless wish to do a proper upgrade. There are several bugs fixed from 3.5.6 to 3.5.7. Most incremental releases like 3.5.6 to 3.5.7 result in changes to dozens of PHP files.

The patch contains just the files required to close the minor security hole in 3.5.6. Most patches have 1-2 files.

Maybe there needs to be separate announcements since it confuses people?

labrocca
Sat 25th Nov '06, 4:57pm
Feldon that's nice of you to comment but since you are not part of the support team it's not very helpful. Maybe you should read the announcement again. Kier states what files are changed since 3.5.6 to 3.5.7 yet the patch I downloaded in my 3.5.6 patch only has 1 file. Others of course see similar issues with their 3.5.4 or 3.5.5 downloads.

When a team member tells me there are 4 changed files and in my patch there is only one I become concerned. Mistakes happen and it's either the patch or Kier needs to better clarify the files we need.

feldon23
Sat 25th Nov '06, 6:37pm
It clearly states on the announcement page the changed files since 3.5.6.
That is correct. If you are upgrading from 3.5.6 to 3.5.7, that is a list of the files that changed between these two full versions. These files are NOT contained in the patch, because patching is not the same as upgrading. This list of files is provided as a courtesy to those few vBulletin users who are manually upgrading by replacing certain files and not others. If you are patching, you can safely ignore the list of changed files.
One has to assume the patch includes only those files
Not a good assumption since the patch and the upgrade have nothing to do with each other.

Perhaps the list of changed files needs to have a big disclaimer above it "This list of files is for the ~1% of vBulletin users who upgrade manually and want to know which files have changed between the two versions. If you are completely upgrading your forum, ignore this list and upload ALL the files except the images folder. If you are patching your forum, ignore this list and upload the files contained in the patch. Basically, unless you have a darn good reason, ignore this list! ;)"

I have pointed out where Jelsoft is not good at communicating such as certain error messages and not creating a taskflow for handling moderated users, attachments, threads, posts, etc. But I think they have done a good job trying to clarify the purpose of each part of their announcements. The announcements have, in my opinion, gotten better and better with each subsequent release.

feldon23
Sat 25th Nov '06, 6:47pm
The patch file I downloaded this morning (Saturday) for 3.5.4 has only two files in it and they are:
attachments.php
functions.php

This thread discusses the security update in 3.5.7. Please read the 3.5.5 announcement for instructions on what you need to do to patch your 3.5.4.

It is not officially supported to use multiple subsequent patches, but I am successfully using patches this way and you should be able to do the same. So in your case, you would need to apply the 3.5.5, 3.5.6, and 3.5.7 patches to your 3.5.4 installation to be secure. Your forum will still have a version number of 3.5.4.

blind-eddie
Sat 25th Nov '06, 6:54pm
Since I didn't get an answer on this, I decided to have a full upgrade professionally done by the vbulletin Team...So disregard my post ....wait, you already did......

feldon23
Sat 25th Nov '06, 7:19pm
I use 3.5.3 and have been running my site alone for about a year. But I did not do the install of vBulletin and have no clue what I'm doing to either patch my version let alone a full upgrade.
To do a full upgrade, you download a fresh package of vBulletin 3.5.7, upload all the files (Except the images folder) to your website's forum directory, replacing all the existing files. Then if your forum is:
http://www.blindeddie.com/forum/
then to upgrade you visit
http://www.blindeddie.com/forum/install/upgrade.php
and follow the steps.

Upload the files, then run the upgrade script.

I downloaded the patch for 3.5.3 and have a sendmessage.php sitting alone & I also have a folder named includes with functions.php file in it. Do I just overwrite my files with these?

sendmessage.php replaces your sendmessage.php file on your forum.

includes/functions.php replaces the functions.php file inside the includes folder on your forum.

You'll need to use an FTP program like FileZilla, CuteFTP, or WS_FTP to do these replacements. Your forum will still register as 3.5.3, you'll simply have the security update that was included in the 3.5.4 release. There are other patches you'll need to install to be fully secured.
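
Because a patched forum still reports its old version number, the version string cannot confirm that a security patch was uploaded; comparing file hashes can. The following is an added example, not part of the original post or of vBulletin's tooling: the function names and placeholder file contents are assumptions, and the demo tree is constructed to mirror the two-file 3.5.3 patch layout mentioned in the thread.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def patch_status(patch_dir, forum_dir) -> dict:
    """Map each file in the unpacked patch to 'applied', 'not applied' or 'missing'."""
    patch_dir, forum_dir = Path(patch_dir), Path(forum_dir)
    status = {}
    for src in sorted(p for p in patch_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(patch_dir)
        dst = forum_dir / rel
        if not dst.is_file():
            status[rel.as_posix()] = "missing"  # wrong forum path or wrong patch
        elif sha256_of(src) == sha256_of(dst):
            status[rel.as_posix()] = "applied"
        else:
            status[rel.as_posix()] = "not applied"
    return status


def demo() -> dict:
    """Constructed sample: a two-file patch laid out like the 3.5.3 one in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        patch, forum = Path(tmp, "patch"), Path(tmp, "forum")
        for root in (patch, forum):
            (root / "includes").mkdir(parents=True)
        # Placeholder contents, not real vBulletin code.
        (patch / "sendmessage.php").write_text("<?php // patched\n")
        (patch / "includes" / "functions.php").write_text("<?php // patched\n")
        (forum / "sendmessage.php").write_text("<?php // patched\n")       # uploaded
        (forum / "includes" / "functions.php").write_text("<?php // old\n")  # forgotten
        return patch_status(patch, forum)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{state:12} {name}")
```

FTP clients that transfer .php files in ASCII mode may rewrite line endings, which makes a correctly uploaded file show as "not applied"; use binary mode before comparing.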

feldon23
Sat 25th Nov '06, 7:24pm
Since I didn't get an answer on this, I decided to have a full upgrade professionally done by the vbulletin Team...So disregard my post ....wait, you already did......
Any support personnel located in the U.S. are taking advantage of the Thanksgiving holiday.

Any support personnel located elsewhere may or may not be able to respond on a Saturday.

For priority support, please login to your Member's Area and click "Contact Support".

Troubleshooting problems are best posted in the "Troubleshooting" or "Installation/Upgrade" forum.

Ace
Tue 28th Nov '06, 6:27am
I'm not *officially* a member of the vB Support team here but perhaps I can shed some light.

The patch contains 'what you need to change in order to not have the XSS flaw apparent'.

The 'changed files' include not only that fix, but presumably more of them.

ba7r1
Wed 27th Dec '06, 6:00pm
Thank you :cool: :cool: