vBulletin 3.7.0 Release Candidate 4

vBulletin 3.7.0
Release Candidate 4
Yeah, we know...

THIS IS PRE-RELEASE SOFTWARE.
IT IS UNSUPPORTED.

If you are not fully at home with backing-up and restoring your forum, dealing with bugs and regular upgrades, DO NOT INSTALL THIS VERSION

Last week, I announced that we intended to release the stable, final version of vBulletin 3.7.0 this week. I'm sorry to say that this will not be the case.

A security hole involving a CSRF (cross-site request forgery) vulnerability was reported to us over the weekend, requiring changes to significant numbers of templates and files in all of our products including vBulletin 3.x, Blog and Project Tools. The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.

Incidentally, this vulnerability is not unique to vBulletin - many web applications are affected and always have been, due to the very nature of the web.

It was decided that rather than push ahead and release 3.7.0, it would be better to roll out a further release candidate containing the fix for this problem, as the changes are widespread and it would not be prudent to label 3.7.0 as 'stable' before it has had at least one outing in pre-release form.

As we release vBulletin 3.7.0 Release Candidate 4, we are simultaneously releasing 3.6.10, which contains various bug fixes back-ported from 3.7.0, and of course the fix for the security problem. New versions of Blog and Project Tools will follow shortly in the coming days.

Unfortunately, due to the number of file and template changes required by the security fix, it is not practical to provide a patch or plugin to resolve the problem - only a full-scale upgrade will be sufficient.

We recommend that all customers upgrade as soon as possible.
Customers running 3.7.x should upgrade to 3.7.0 RC4.
Customers running 3.6.9 or earlier should upgrade to 3.6.10.

To all those who have been expecting to download vBulletin 3.7.0 'Gold' this week, we are sorry. We hope that the fact that we would rather delay a major, pre-announced release than put out software with known vulnerabilities illustrates our commitment to security.

If testing of this release candidate goes well, we will once again be looking at a stable release next week.

PHP and MySQL Recommendations

We recommend that vBulletin 3.7 is run on PHP 5.2.5 with APC (or a similar opcode cache) and MySQL 5.0.51 for best performance and stability.

What does Release Candidate mean?

Release Candidate, or RC for short, means that we believe vBulletin 3.7 will be ready to be declared a "stable" and "supported" supported release once it has undergone some final testing. The only known bugs that may remain are trivial.

RCs will be released until only trivial bugs are being fixed. Once this happens, the next stage is to move on to "gold" or, as it's officially known, 3.7.0.

This is still pre-release software. If you are not fully at home with backing-up and restoring your forum, dealing with bugs and regular upgrades, do not install this version but rather wait for the final, 3.7.0 version.

Customers should bear in mind that this is a release candidate, not a certified 'stable' release so the following caveats apply:

• Pre-release software is unsupported and you install beta and RC versions at your own risk.
• Some minor bugs remain unresolved at this time, so pre-release software should not be deployed on production sites.
• You should always back up your database fully before attempting to install pre-release software.
• If you choose to install this version, you should be aware that we plan to release new RC versions in rapid succession as bugs are fixed and holes are plugged. Do not install this RC version if you are not willing or able to keep up-to-date with new releases.
• The ImpEx import system does not support the 3.7 code yet, and will not support it until the release of 3.7.0 (stable).

More...

This is funny Stable version is going to be Rc4

Safety first...lol

I'd prefer saftey alright. Well, time for me to do a backup and upgrade. This is already a long day and to end it i'll upgrade to RC4.

Any bet's on a RC5?

Doubt the RC5. Then again I doubted RC4, but this one is understandable.

I'm glad someone caught this before the final. I'd rather have a perfect final release then to have a security risk sitting on thin ice.

from what i can gather, this isn't a very serious exploit... i'm not even bothering.

The new RC4 with its security features doesn't affect anything in vbseo right??

Yeah, it was a lot of work but you have to do the upgrade!!!

No biggie!

It doesn't affect VBSEO. The only thing this effected was my template(might happen with your template also). I need to get a few template files updated in which will get done this weekend. My url structure and vbseo settings didn't change at all after upgrading to RC4.