Ashley Busby
Mon 22nd Oct '07, 8:27am
18th October 2007
* vBulletin 3.6.8 Patch Level 1 Released
* Patch Levels Explained
* Your License Information
* Contact Us
------- VBULLETIN 3.6.8 Patch Level 1 RELEASED --------------------
Yesterday morning (October 17th 2007) a security issue was reported to the vBulletin team. After investigating the report's claims, it was discovered that the 3.6.8 code does indeed include a flaw that could lead to a cross-site-scripting (XSS) exploit.
Subsequently, a new vBulletin version was prepared and released yesterday afternoon. This version is vBulletin 3.6.8 Patch Level 1 and includes only the fix for the security flaw.
We recommend that all customers running vBulletin 3.6.8 download the new version and upgrade as soon as possible.
The XSS problem can be resolved in either of these ways:
Patch: Download a patch file discussed in this thread and upload it to your web server, overwriting the existing files. The patch is available from the Members' Area patch page or you can find it attached to the 3.6.8 Patch Level 1 announcement thread:
http://www.vbulletin.com/forum/showthread.php?t=245972
Full Package: Alternatively you can download the full package in the vBulletin Members Area and again upload the affected files mentioned in the announcement thread.
------- PATCH LEVELS EXPLAINED --------------------------
In order for the vBulletin team to react even more quickly to the discovery of security flaws, recent versions of vBulletin include a new system that allows the release of special security patch versions, which do nothing except fix the security problem.
This system allows a version number such as 1.0.4 to be altered to 1.0.4 PL1 (PL = Patch Level) so administrators can be sure that they are running the most up-to-date code and are no longer vulnerable to known security problems.
To make use of this system, vBulletin releases that include only security flaws will contain *only* the fixed file(s) plus a new version number file, allowing administrators to simply upload the new files without having to run an upgrade script.
A patch level release contains fixes for only the most critical issues in the previous release. In this case, this means the only changes are to address a security issue.
It is designed to be installed directly over top of your 3.6.8 installation, with no other action. You do not need to run any upgrade scripts.
-------------------- CONTACT US --------------------------
Please do not respond to this email directly. We will not receive your response. Please use the links below.
Got a vBulletin technical query? Contact support:
http://www.vbulletin.com/go/techsupport
For all other queries, please visit this page:
http://www.vbulletin.com/go/contact