New security patch required?

**miketrin** · Wed 17 Dec '14, 7:57am

I'd like to know too. I've never used CMS or the Blog and have them disabled.

**Silviu** · Fri 19 Dec '14, 1:44am

Bump for an answer, I think there are a lot of forum admins in this situation.

**Mark.B** · Fri 19 Dec '14, 2:00am

The recently released 4.2.2 Patch Level 3 is only really essential for those with the CMS. Although it won't do any harm if you did upload it.
Note that for users already running 4.2.2 it is NOT an upgrade - it's just a patch file.
If however you are running a lower version of vb4 than 4.2.2 then you MUST carry out a FULL upgrade to 4.2.2 PL3. This involves downloading the full package and running the upgrade script.

**Mark.B** · Fri 19 Dec '14, 2:02am

Originally posted by miketrin

I'd like to know too. I've never used CMS or the Blog and have them disabled.

There's a big difference between NOT HAVING the cms (as in, the old "Forum Only" vB4 license), and simply having it disabled.
In your case, if you are running 4.2.2 you should apply the patch. If you are running an earlier version than 4.2.2, you should carry out a full upgrade.

**Silviu** · Fri 19 Dec '14, 10:15pm

Originally posted by Mark.B

There's a big difference between NOT HAVING the cms (as in, the old "Forum Only" vB4 license), and simply having it disabled.
In your case, if you are running 4.2.2 you should apply the patch. If you are running an earlier version than 4.2.2, you should carry out a full upgrade.

And if someone remained on the 4.1 branch because certain plugins are broken by 4.2.x, now they have to choose between screwing their users over / hiring a developer to fix the plugins / wasting hours of dev time to find workarounds or risk being hacked?

**donald1234** · Sat 20 Dec '14, 12:45am

There is no difference between 4.2.1 and 4.2.2 except the latters ability to work on PHP 5.4 so there are no reasons not to upgrade from 4.2.1 to 4.2.2

**Silviu** · Sat 20 Dec '14, 1:24am

Originally posted by donald1234

There is no difference between 4.2.1 and 4.2.2 except the latters ability to work on PHP 5.4 so there are no reasons not to upgrade from 4.2.1 to 4.2.2

Please read more carefully, I said 4.1 branch (the latest being 4.1.12 PL4), not 4.2.1.

**Mark.B** · Sat 20 Dec '14, 1:30am

Originally posted by Silviu

And if someone remained on the 4.1 branch because certain plugins are broken by 4.2.x, now they have to choose between screwing their users over / hiring a developer to fix the plugins / wasting hours of dev time to find workarounds or risk being hacked?

We don't support obsolete versions of the software, and neither do most software companies, they will tell you to upgrade. We support the latest version of each branch - 3.8.8, 4.2.2 and 5.1.4. We;'ve always made this clear when installing plugins.

The vast majority of plugins for 4.1 will work with 4.2. The few that don't tend to be related to the navbar, which changed in 4.2. Most such navbar plugins are now unnecessary anyway due to the new navbar manager. Others fail because they aren't compatible with later versions of php, but if you have that issue you cannot stay on 4.1 anyhow.

**donald1234** · Sat 20 Dec '14, 1:31am

Sorry, I have had my coffee now.

**Wayne Luke** · Sat 20 Dec '14, 8:02am

Originally posted by Silviu

And if someone remained on the 4.1 branch because certain plugins are broken by 4.2.x, now they have to choose between screwing their users over / hiring a developer to fix the plugins / wasting hours of dev time to find workarounds or risk being hacked?

There is always a risk running outdated software. Especially software that isn't receiving active development and only security fixes.

**Paul M** · Mon 22 Dec '14, 8:52am

Originally posted by Jennifer2010

If I'm not using publishing suite (just forum) do I have to upgrade?

Originally posted by miketrin

I'd like to know too. I've never used CMS or the Blog and have them disabled.

If you have the CMS installed, then yes you should apply the PL3 fix, regarless of whether you have it enabled or not.

Originally posted by Silviu

And if someone remained on the 4.1 branch because certain plugins are broken by 4.2.x, now they have to choose between screwing their users over / hiring a developer to fix the plugins / wasting hours of dev time to find workarounds or risk being hacked?

Well thats your choice, if you choose to stay on 4.1 you have to face the consequences.

In this case, the two updated cms files have remained largely unchanged across 4.x versions.
I believe that you could upload the fixed 4.2 versions without them causing any obvious issues.
However, you do that at your own risk as I havent checked this, especially as "4.1" actually has 13 sub versions (4.1.0 - 4.1.12).

**airgunner** · Thu 8 Jan '15, 11:16pm

Originally posted by Mark.B

If however you are running a lower version of vb4 than 4.2.2 then you MUST carry out a FULL upgrade to 4.2.2 PL3. This involves downloading the full package and running the upgrade script.

I have been searching everywhere looking for a 4.2.2 upgrade (I am running 4.1.8) in order to apply the new security patch- where can I find it? In my account, when I click on "Upgrade/Renew" I am only given the option of paying to upgrade to v5 products.

A link to the 4.2.2 upgrade package would be great.

**Mark.B** · Thu 8 Jan '15, 11:37pm

Originally posted by airgunner

I have been searching everywhere looking for a 4.2.2 upgrade (I am running 4.1.8) in order to apply the new security patch- where can I find it? In my account, when I click on "Upgrade/Renew" I am only given the option of paying to upgrade to v5 products.

A link to the 4.2.2 upgrade package would be great.

You don't need to buy the upgrade, you have a vB4 license so it's already included on your account.

Just go to the members area (https://members.vbulletin.com) and click the download link on the right.

**munkfish** · Fri 9 Jan '15, 7:24am

Originally posted by Mark.B

We don't support obsolete versions of the software, and neither do most software companies, they will tell you to upgrade. We support the latest version of each branch - 3.8.8, 4.2.2 and 5.1.4. We;'ve always made this clear when installing plugins.

We are currently on 4.1.10pl3 - each time a new security announcement was made in the past, previously vbulletin always released a patch level update for our minor version 4.1.10. There were 3 of these patch level updates, hence we're on 4.1.10pl3 now. However for this latest security announcement there has been no PL update for 4.1.10 (or any other version of 4 apart from 4.2.2).

When did the policy of providing security patch level updates for previous version of v4 stop? Is there a link to the announcement?

If there are no plans to provide patch level updates for earlier versions - and it appears this is the case based on the comments by the lead devs in this thread and other similar threads from today - would someone please be kind enough to indicate how we would manually patch our older 4.1.10pl3 version? Do we do this by diffing the stock 4.2.2 against the patched version and then manually locate the affected code in our 4.1.10pl3 codebase and affect a patch? (edit: I can't see that this will work since the 4.2.2pl4 patch presumably has all of the patches from pl1 to pl4 rolled into one?)

Thanks.

vBulletin 4 End of Life

New security patch required?

New security patch required?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment