phpBB 3.0.7-PL1 released

Hi everyone,

We are sorry to announce the immediate release of phpBB 3.0.7-PL1 to address a security issue which was introduced in 3.0.7, unfortunately the issue wasn’t noticed during testing and has only surfaced a week after the release of 3.0.7.

We promised working feeds for phpBB 3.0.7. Sadly, we were not able to deliver on that promise – a critical bug in the permission handling for feeds slipped past. To all people who already have updated to 3.0.7, it is of critical importance to update to 3.0.7-PL1. Otherwise, it is possible for users to bypass permission settings under the following circumstances:

– Feeds are enabled
– Any of the posts or topics feeds are enabled
– The unauthorised user – or one of the groups they are a member of – has forum permissions set on a private forum
– If you have excluded a forum from the list of forums that provide feeds, it is unaffected

The fix for the issue is a single line change inside of feed.php, line 525 has changed from:

$forum_ids = array_keys($auth->acl_getf(‘f_read’));

to:

$forum_ids = array_keys($auth->acl_getf(‘f_read’, true));

There were no other changes, in particular neither style nor language changes.

The original announcement is located at:
http://www.phpbb.com/community/viewtopic.php?f=14&t=

*Installation instructions*

A short explanation of how to do a conversion, installation or update is included within the provided INSTALL.html file, please be sure to read it. You can find a list of requirements on our Downloads page:
http://www.phpbb.com/support/documents.php?mode=install&version=3#require

*Security*

If you find any security issues please report them to our security tracker:
http://www.phpbb.com/security/

*Available packages*

If you experience problems with the automatic update (white screens, timeouts, etc.) we recommend using the “changed files only” or “patch” method for updating.

Full Package: Full phpBB 3 source code and english language files.

Automatic Update Package: Update package for the automatic updater, contains changes from previous release to this release.

Changed Files Only: Complete files, but only those that were changed since previous releases of phpBB 3. This archive contains changed files for every previous release.

Patch Files: This file contains diffs against the previous phpBB 3 release, which can be applied with the patch utility.

Select the package most suitable for you. We recommend the following methods depending on your situation:

– For new installations you should use the Full Package
– For updates of boards without modifications you can use the Automatic Update Package (guided update) or the Changed Files Only package (manual update).
– For updates of boards with modifications you should use the Automatic Update Package. If you are confident with patch files and patching you can use the Patch Files Package.
– Style Authors and Translators may use the Code Changes Package to update their styles or language packs.
– International Support Teams may use the Patch Package in conjunction with the Code Changes to better support users with problematic conflicts during their update process or to help them update code sections.
– If you are a hoster/provider, you may want to use the Patch Files Package to update all of your client installations.

*Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation, updates or conversions!*

*Download Locations*

The download is of course available on our downloads page:
http://www.phpbb.com/downloads/

Our release archive provides all packages we build. If you do not find your desired package you can probably find it in the release archive.
http://www.phpbb.com/files/archive/

These are the files with their md5 sums:

phpBB-3.0.7-PL1.zip
md5sum: 1125b615e13a5bb8787afab58a27c627
phpBB-3.0.7-PL1.tar.bz2
md5sum: 67570654462c442c29080007c0af1e1b
phpBB-3.0.7-PL1-patch.zip
md5sum: 44d163c6f945207f666b4b8ecbf179b8
phpBB-3.0.7-PL1-patch.tar.bz2
md5sum: 4d611e1160599835ff48fc6454bf85e0
phpBB-3.0.7-PL1-files.zip
md5sum: 579f5685cc37c69dd6ce023b46ce2593
phpBB-3.0.7-PL1-files.tar.bz2
md5sum: 2779984411598d919a6a1e6adc35894d
phpBB-3.0.7_to_3.0.7-PL1.zip
md5sum: e135fd3b43c17c0bdc69f3fc246e6524
phpBB-3.0.7_to_3.0.7-PL1.tar.bz2
md5sum: 589d21934c14a6517583316659f0225f
phpBB-3.0.6_to_3.0.7-PL1.zip
md5sum: b93e31c7930ace5af89d9804b55d8c66
phpBB-3.0.6_to_3.0.7-PL1.tar.bz2
md5sum: cf9b3a42872be8afcddb42648a390861

*Download & Documentation*

phpBB Downloads – http://www.phpbb.com/downloads/
phpBB Projects page @ ohloh – http://www.ohloh.net/projects/phpbb
phpBB 3 Documentation – http://www.phpbb.com/support/documentation/3.0/
phpBB 3 support forum – http://www.phpbb.com/phpBB/viewforum.php?f=46
phpBB 3 bug tracker – http://www.phpbb.com/bugs/phpbb3/
phpBB Code Forge – http://code.phpbb.com/
phpBB Code Wiki – http://wiki.phpbb.com/

Comments are closed.