vBulletin 3.6.7 Released

vBulletin 3.6.7

As much as we hate to spring another upgrade on you all so soon after the release of vBulletin 3.6.6, an XSS flaw was identified today and in order to maintain our commitment to fix security problems as soon as we become aware of them, we have to release 3.6.7 and a patch for older versions.

All versions of vBulletin 3.6 prior to 3.6.7 are vulnerable to the XSS. vBulletin 3.5.x and 3.0.x are not affected.

To minimize the pain of another upgrade, there are no changed templates since 3.6.6 and no database schema changes, so the upgrade should be as simple and quick as possible.

Since we have fixed several bugs since vBulletin 3.6.6 was released, these fixes are also incorporated in this version and include amongst others:
RTL support for date picker popup (http://www.vbulletin.com/forum/project.php?issueid=22020)
Fixed HTML for archive forum lists (http://www.vbulletin.com/forum/project.php?issueid=22008)
MySQL error while merging users fixed (http://www.vbulletin.com/forum/project.php?issueid=22031)
Smilie parsing error fixed (http://www.vbulletin.com/forum/project.php?issueid=22015)
PHP 5.0.5 errors fixed (http://www.vbulletin.com/forum/project.php?issueid=22035)
Hard-coded image paths fixed (http://www.vbulletin.com/forum/project.php?issueid=22021)A complete list of bugs fixed in the 3.6 branch is available in the project manager (http://www.vbulletin.com/forum/project.php?s=&do=issuelist&projectid=6&sortfield=lastpost&sortorder=&issuetypeid=bug&appliesgroupid=7&issuestatusid=4).

Please accept our apologies for bringing out a new version just days after the previous release. We're sorry.

Fixing the XSS Bug

The XSS problem can be resolved in one of three ways.
Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.6.7 package from the vBulletin Members' Area (http://members.vbulletin.com) and following the regular upgrade instructions (http://www.vbulletin.com/docs/html/upgrade?manualversion=30607500). This is the only option that will not only fix the XSS issue, but will also apply all the bug fixes made since the release of 3.6.6.
Patch: A second option is to download the patch files either in the Members' Area (http://members.vbulletin.com/patches.php) or attached to this thread and upload them to your web server, overwriting the existing files.
Patch file: 366_patch.zip
Plugin: The plugin system built into vBulletin 3.6 allows the problem to be fixed with a simple plugin. The install file for this plugin is also attached to this thread and is the easiest way to fix the problem, as it does not require you to upload any files via FTP. The plugin will be automatically removed when you perform your next full upgrade. You can install the plugin by following the instructions here (http://www.vbulletin.com/docs/html/import_product?manualversion=30607500).
Plugin File: vb_calendar366_css_fix_plugin.xmlPlease note the following:
The plugin can be used with any previous version of vBulletin 3.6
The patch can only be applied to vBulletin 3.6.4, 3.6.5 or 3.6.6
You may perform a full upgrade to vBulletin 3.6.7 from any previous version of vBulletin 3.

Attached Files http://www.vbulletin.com/forum/images/attach/zip.gif 366_patch.zip (http://www.vbulletin.com/forum/attachment.php?attachmentid=22809&d=1179245791) (13.6 KB) http://www.vbulletin.com/forum/images/attach/xml.gif vb_calendar366_xss_fix_plugin.xml (http://www.vbulletin.com/forum/attachment.php?attachmentid=22810&d=1179245791) (695 Bytes)


More... (http://www.vbulletin.com/forum/showthread.php?t=229950&goto=newpost)

goooooooooooooood grief......... :rolleyes:
well, at least this one should be painless.

Yippee Skippy...

Now there's a surprise :eek: :mad: :D

Now there's a surprise :eek: :mad: :Dor not....

Told ya so... :)

Im still hanging tight. I wouldnt be suprised to find another release within 2 weeks.

:tongue: - for once, I'm glad you were right.

At least there's no template edits in this one. Upgrade should be painless.



Please God - let it be painless...

Got the notice, downloaded the plugin, uploaded with the product manager.

Mission accomplished as quick as I typed this post.

NBD.

You could always just upload the patch for now (use the plugin version).



(Edit: Note to self: must type faster ....)

I did the full upgrade on Top vB. I figured I may as well since 3.6.6 was so painful, lol.
Went smooth as a baby's butt.... :yes:


O/T - good seeing you here this often Paul :)

(Edit: Note to self: must type faster ....)
Let's call it a draw :cheers:

the vb sites are down again.... :(

they came up, but they're down now, again

The staff are aware and working on it. :)

I'm sure they are. I'm just bored and have nothing better to do than report... :p


NOT

Of course I've already announced to my members I would have my forum down during this time frame. Not much I can do until I can download the package from .com is there?

Oh well, no sense fashing over something I've no control over. I suspect the folks at .com are more put off about it than I am anyway. :hiding:

Hey Peggy, what's for supper?

Of course I've already announced to my members I would have my forum down during this time frame. Not much I can do until I can download the package from .com is there?

Oh well, no sense fashing over something I've no control over. I suspect the folks at .com are more put off about it than I am anyway. :hiding:

Hey Peggy, what's for supper?
Fried chicken, wild rice, snap beans, drop biscuits, and apple strudels.
How long will it take you to get here? :frog:

Oh well, I'm glad I grabbed my download on the right time, my forum is upgraded.

Way too quick

Thought I'd grab myself the full download and upgrade while things are quiet, vB sites are still down. Such is life.

I have the temporary plugin if anyone wants it.

That's me, with both forums fully upgraded. Again. For today, anyway. Everyone be sure to get plenty of rest tonight, no telling what upgrade surprises tomorrow may hold. :biggrin:

If they release another one tomorrow, we'll upgrade with a smile :D

whats the point in releasing the upgrade due to security problems and then now we cant download it to sort it!!!

I've just had a quick look and vb.com seems to be up and running.

i get

Site currently unavailable

The Jelsoft site you are requesting is currently not available.
Please check back later.

when trying to download

Aah. So it's the download manager that's having issues. I just checked the home page and forum. Sorry.

whats the point in releasing the upgrade due to security problems and then now we cant download it to sort it!!!
They have problems just like any other site. Please be patient. :)

whats the point in releasing the upgrade due to security problems and then now we cant download it to sort it!!!
As I mentioned earlier, if you're feeling frustrated, how do you suppose the folks at Jelsoft felt?

I have never been confused for possessing much patience, but there are times when I realize there's nothing to be gained in getting upset over a situation out of my control.

im not feeling frustrated i just dont see the point!

im not feeling frustrated i just dont see the point!
Things happen, UK. They released the upgrade, then their server went down.
That's hardly something they have control over. :)

just voicing my opinion, never said they had control over it

Ok, my admin U235 just installed the upgrade, but something freaked out the skin on my site.

Some black portions of the skin turned blue, some turned white, and others didn't change.

It's a very minor problem, but I'd like to get it fixed, if possible. Do I need to install a different skin, or just change this one?

Gotta go to class. I'll be back later to check this. thanks :)

I'm trying to remember how your board looked before, but at a guess those were the underlying colours that were covered by fill images. Check path settings to those image files although if these were set correctly in the styles css and not hardwired into the templates they should not have been affected.

I'm trying to remember how your board looked before, but at a guess those were the underlying colours that were covered by fill images. Check path settings to those image files although if these were set correctly in the styles css and not hardwired into the templates they should not have been affected.

Well, my host (sorta) reset the colors, but I'm going to do some work tonight, see if I can't fix it.

Anyways, I'll check that stuff out. Thanks :)

I am just getting back from a Vegas vacation (woohoo) and find two upgrades. Quick question. Is there a patch to cover from 3.6.5 to 3.6.7 (not just 3.6.6) that only covers the necessary security updates and skips the templates and other stuff for now?

-Raymond

Welcome back Raymond. It seems there is a patch to cover the security aspects on vB.com here (http://www.vbulletin.com/forum/showpost.php?p=1355810&postcount=6). You import the relevant xml file as a product.

Question though - If you own a poker forum site does a trip to Vegas count as a vacation or research?

Question though - If you own a poker forum site does a trip to Vegas count as a vacation or research?
LOL @ Dave :giggle:

Just my tax efficient mind ticking over...

Question though - If you own a poker forum site does a trip to Vegas count as a vacation or research?

I suppose it would need to be a registered business to make it a company expense.

For all the time I spent playing poker though, I did best on Roulette Red.

I like to slap a $100 on there every time I walk by. I did unusually short term well on those. :D

-Raymond

2 things, firstly where can I find the differences between this new version and older ones.

secondly the demo on vbulletin.com is 3.6.5, where can I use a demo of 3.6.7 ?

Thanks!

Hi Swerve,

The changes in 3.6.6 are listed in THIS THREAD (http://www.vbulletin.com/forum/showthread.php?t=229448)

The file changes made in 3.6.7 are listed HERE (http://www.vbulletin.com/forum/showpost.php?p=1355029&postcount=3).

Is this what you were looking for?

Thanks Mike, but what I'm really after is a live demo of 3.6.7

Many thanks.

There are no major functional changes between 3.6.5 and 3.6.7, most changes where done in preparation for the new add-ons from Jelsoft. So essentially what you see on the 3.6.5 demo it's what you get on 3.6.7.

The only demo I know is from the official site. If you are after any particular functionality that you don't see right away just ask and we might know where to look.

Right, I was wondering if there were any visible changes in the AdminCP.

None that I've come across so far.

Swerve, the only visible difference I am aware of is the ACP calendar pop-up, described here (http://www.vbulletin.com/forum/showthread.php?t=229448). Other than that, everything else looks and feels the same as it did.

I haven't even found that yet, lol

I haven't even found that yet, lol
That's because you've been spending all your time fixing things. :biggrin:

(I can relate - I updated my vBA this morning and it only took me two hours to fix what I broke. :witsend: So don't feel lonely.)

If you look in the ACP for places with date entries, you will find the new calendar.

just upgraded to this version from 3.6.4. no issues i see. for now i am sticking with the older vba till i get time to mess with it.

Oddly enough, I've upgraded 4 clients' forums, with no issues at all.
Go figure... :rolleyes:

favorite smilies hack got broke, and i dont have a good editor here at work to edit a php file.......it'll have to wait till i get home :(

hey that new vba, 3.0 or w/e

does it have alot of new features? or?

dunno Chase, I haven't even looked at it yet.

I've upgraded the vBA on one of my forums, but have yet to take the time to sit down and play with it.