(vBulletin 3.7.1 Patch Level 2) Secure?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • evoir
    Senior Member
    • Apr 2000
    • 425

    (vBulletin 3.7.1 Patch Level 2) Secure?

    Hi,

    We have a vbulletin that is running (vBulletin 3.7.1 Patch Level 2) and wanted to find out if this version includes all the security patches, or are there vulnerabilities running an older version of the software? We are fine with the version we have, but want to be sure we are not leaving ourselves open to hacking etc... its a site with sensitive information about children at a school... and parents are concerned.

    Thanks!
  • Ace
    Senior Member
    • Apr 2004
    • 4051
    • 4.2.X

    #2
    Considering that 3.7.1PL2 is about 6 releases behind the current -

    No. It does not contain all of the fixes/security fixes that the latest version does.

    Yes - you should be running the latest.
    My Live vB5 Site - NZEating.com
    vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.

    Comment

    • evoir
      Senior Member
      • Apr 2000
      • 425

      #3
      I'd like to hear from VB staff, if possible. As I understand it, the patches are to keep older versions secure. I would suspect that newer versions have more securioty fixes because they have more features, different code etc. But, am looking for a definitive answer here. Thanks!

      Comment

      • Ace
        Senior Member
        • Apr 2004
        • 4051
        • 4.2.X

        #4
        Best of luck getting a Staff Member to confirm/describe any security holes in a version that old.

        *edit* The fixes for later versions do not get bundled into older versions. That was your question? Something about 'wanted to find out if this version includes all the security patches'?
        My Live vB5 Site - NZEating.com
        vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.

        Comment

        • evoir
          Senior Member
          • Apr 2000
          • 425

          #5
          My question was: do the security patches get released in an effort to keep older versions secure? Is that the goal? Not looking for a list of vulnerabilities... just want to know what the overall practice is.

          Comment

          • Reeve of Shinra
            Senior Member
            • Sep 2001
            • 4325
            • 4.0.0

            #6
            Security patches are released when the "fix" is simple- ie: change line 151 from x to y.

            A full upgrade (3.8.x) is usually released when their are a number of impacted files, database changes or if the staff have other updates they want to roll out at the same time. To say it another way, the patch files are for customer convenience only when the team can accomodate it.

            While the vb team has released fixes for vulnerabilities found in older, end of life, versions like the 3.7 branch -- it really was bien done as a courtesy and because it didn't require the team to invest a lot of resources toward it given the overall similarity in the code between branches and the fact that the devs were just that familiar with the code that they knew what and where for everything. A lot of devs left. A lot of new devs are on board. The focus is deffinitely on vb4 at this point. While I can't say anythingfor sure - I would not expect security fixes for 3.7 and below. You should upgrade to 3.8.5 at the minimum and, as that is nearing eol, consider vb4
            Plan, Do, Check, Act!

            Comment

            • goyo
              Senior Member
              • Dec 2002
              • 304
              • 3.8.11

              #7
              Originally posted by evoir
              My question was: do the security patches get released in an effort to keep older versions secure? Is that the goal? Not looking for a list of vulnerabilities... just want to know what the overall practice is.
              3.7.1 PL2 IS NOT SECURE by any measure as there was even 3.7.6 in the same branch...

              But 3.7.x EOL'd:


              Most likely same goes for 3.8.x when 4.1 appears...

              If you know PHP and know how to secure your server / patch the script and don't want receive support it's your responsibility (some boards still running 3.7 or even earlier) otherwise I wouldn't recommend...

              Comment

              Related Topics

              Collapse

              • William Thomas Jr
                Are updates necessary?
                by William Thomas Jr
                I'm just curious as to whether Vb 5 updates are necessary. My forum is pretty much done in its current version 5.1.9. I realize that if new features are offered then I will not have them. My question...
                Wed 21 Oct '15, 1:02pm
              • sparkybp
                Security updates
                by sparkybp
                hi there, i just installed bulletin 5.1.1 and in the admincp i noticed some news feeds suggesting security patches to be installed. must i still do this if my version of bulletin is newer then the newest...
                Wed 14 May '14, 9:27am
              Working...