vBulletin Security Patch for 4.X and 3.X

  • IB Adrian
    Former Senior Operations Manager
    • Jul 2008
    • 1688
    • 3.6.x

    Yahoo YUI Security Exploit

    We have been notified of a potential, but unconfirmed exploit in vBulletin 3 and 4 (all versions) via the Yahoo YUI component library.
    To rectify this issue we have released a patch for the latest version of vBulletin 3 and vBulletin 4, vBulletin 3.8.7 and vBulletin 4.1.3. Forthcoming vBulletin 4.1.4 will not be affected.
    As such, we have released:
    • vBulletin Publishing Suite 4.1.3 PL1
    • vBulletin Forum Classic 4.1.3 PL1
    • vBulletin Forum Classic 3.8.7 PL1



    Upgrade Process for 3.8.7
    #1 Download the patch from the Members Area. Extract and upload the file(s); there is no upgrade script. Make the following change in the AdminCP:
    #2 In AdminCP, go to “Options” => “Server Settings and Optimization Options”, find the “Use Remote YUI” option, and in the dropdown switch to a server of your choice, Google or Yahoo.

    As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.

    You can access all available patches from the Members Area: http://members.vbulletin.com/patches.php

    New installations/upgrades
    If you are upgrading your site, or installing a new copy of our software, the latest software packages include the patch. These can be downloaded from your Members Area.



    To manually fix versions prior to vBulletin 4.1.3 and 3.8.7
    1. Edit one line in the class_core.php file, located at /includes/class_core.php. Find the following line:
       define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle
       Replace this line with:
       define('YUI_VERSION', '2.9.0'); // define the YUI version we bundle
    2. In AdminCP, go to “Options” => “Server Settings and Optimization Options”, find the “Use Remote YUI” option, and in the dropdown switch to a server of your choice, Google or Yahoo.
    Last edited by Steve Machol; Wed 1 Jun '11, 7:36am.
    Adrian
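
One way to check and apply step 1 of the manual fix from a shell, as an added example that is not part of the original post or vBulletin's own tooling. The function names and the backup-directory argument are assumptions; the file path and the two define lines are the ones given in the post.

```shell
#!/bin/sh
# Added example (not vBulletin's code): audit/apply step 1 of the manual fix.
# "patched" covers only the class_core.php line; the AdminCP "Use Remote YUI"
# option from step 2 still has to be set by hand.
CORE_REL="includes/class_core.php"   # path given in the post

# Print the YUI version declared in class_core.php (empty if none is found).
yui_version() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'YUI_VERSION'[[:space:]]*,[[:space:]]*'\([0-9.]*\)'.*/\1/p" \
        "$1/$CORE_REL" 2>/dev/null | head -n 1
}

# Classify a forum root: patched (2.9.0), unpatched (2.7.0), other, missing.
yui_status() {
    [ -f "$1/$CORE_REL" ] || { echo missing; return 0; }
    case "$(yui_version "$1")" in
        2.9.0) echo patched ;;
        2.7.0) echo unpatched ;;
        *)     echo other ;;   # no define found, or a version the post does not cover
    esac
}

# Rewrite 2.7.0 to 2.9.0 only when the file is in the exact unpatched state.
# $2 is a backup directory outside the web root, so the saved copy of the PHP
# source cannot be fetched through the web server.
yui_patch() {
    [ "$(yui_status "$1")" = unpatched ] && [ -d "$2" ] || return 1
    cp -p "$1/$CORE_REL" "$2/class_core.php.orig" || return 1
    sed "s/^\([[:space:]]*define([[:space:]]*'YUI_VERSION'[[:space:]]*,[[:space:]]*\)'2\.7\.0'/\1'2.9.0'/" \
        "$2/class_core.php.orig" > "$1/$CORE_REL"
}

# Constructed sample install (not a real vBulletin tree) showing the flow.
demo() {
    root=$(mktemp -d) && bak=$(mktemp -d) || return 1
    mkdir -p "$root/includes"
    printf "%s\n" "<?php" \
        "define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle" \
        > "$root/$CORE_REL"
    before=$(yui_status "$root")
    yui_patch "$root" "$bak"
    echo "$before -> $(yui_status "$root")"
    rm -rf "$root" "$bak"
}
demo
```

An "other" result means the file does not contain the line the post describes and needs a manual look before anything is changed.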