Introduction

Kunena 3.0.5 [K 3.0.5] is available for download as a native Joomla extension for J! 2.5 and J! 3.x. This version is a security release for Kunena that addresses several maintenance issues that have been reported since the last release, and it replaces (and makes obsolete) all previous versions of Kunena.

This version of Kunena coincides with the simultaneous release of an updated language pack, downloaded separately, for deployment on non-English websites. The release of this version does not coincide with the release of other Kunena Add-ons that have not been updated at this time and that may or may not be updated for this version.

In general, Kunena Add-ons designed for previous versions of K 3.x should interoperate with this version of Kunena; in general, Kunena Add-ons designed for older major versions of Kunena will not interoperate with this version of Kunena.

The important changes in K 3.0.5 are, in summary:

  • Fix for an XSS vulnerability in BBCode output (thanks to Qoppa for finding it)
  • Improvements to lightbox
  • Fixes some JomSocial stream issues
  • Improvements to backend

The Kunena 3.0.5 release notes are essential reading before installing K 3.0.5 for the first time or if you are upgrading from an earlier version of Kunena.

Upgrading to K 3.0 involves changes that may affect Kunena's interoperability with other extensions installed on your site. For this reason it is advisable that you first test K 3.0.5 on a test site before you upgrade your live production site(s).

For users who are familiar with older versions of Kunena, an overview of some of the key differences is given in Kunena Features in the Wiki.

Other details

Find the full online README: Here.

K 3.0.5 is available for download on the download page.

K 3.0.5 has been tested with the latest J! 3.2.3 (stable) and further work has been done to make Kunena more compatible with the J! 3.2.X series. People contemplating the use of J! 3.2 on their site should first test K 3.0.5 to make sure that there are no outstanding compatibility issues.

Other plans

The team is continuing to develop new, optional add-ons for Kunena (additional templates and features such as WYSIWYG editing and "teasers") that will probably become available in the medium term on a commercial basis (that is, things people will be able to purchase). The basic component and the currently available modules and plugins will continue to be available at no cost and there are no plans to reduce the current features in those areas.


sozzled replied the topic:
10 years 5 months ago

viper2k wrote: When will you release the new version of Kunena 3.1?

I'm sorry but this topic is about the release of K 3.0.5. I am sure that, when someone takes the time to write some details about when K 3.1 will be released, this will be done in a different place.

viper2k wrote: Hopefully [K 3.1] comes with a more modern design and some new features.

Yes (for those who use J! 3.x). For those who use J! 2.5, K 3.1 will look much the same as K 3.0 does now.

In response to your comments about professional ticketing systems and "more templates" (which do not really have a lot to do with the announcement about the release of K 3.0.5), we are considering a range of options in relation to "paid support" but we are not in a position to provide you with those kinds of details.

There are a range of services available to you today for support, for additional Kunena templates and for a wide range of things involving Kunena. Perhaps a good place to start your search for services and templates is to look at the advertisements that appear on this website. I am sure that you will be rewarded for your efforts.

As you know, there is no company behind Kunena. Everyone who contributes to Kunena is a hobbyist, enthusiast or professional web developer who gives their time freely to this project - volunteers every one of us. The forum is provided mainly as a self-help community-driven resource for users but there is no "formal" obligation of support, necessarily. We do our best. Our job, in moderating the forum is not necessarily to answer every question but, rather, to point people in the right direction where they can find the answers. It is unfortunate (perhaps) that in this case I do not have a specific answer to the question "when will K 3.1 be released".

If you are interested in being part of the project team that is building K 3.1, and you have software coding skills that will assist the project, you might like to join the GitHub community.
viper2k replied the topic:
10 years 5 months ago
When will you release the new version of Kunena? 3.1? Hopefully it comes with a more modern design and some new features :). I would also pay for the version if you have:

- professional support with ticket system
- some more templates

Thanks
s23Nation replied the topic:
10 years 8 months ago
Plenty of support, up-to-date features, very modern working platform,
so take it for a test drive and get a feel of what you can and cannot do.
sozzled replied the topic:
10 years 8 months ago
Anastasiya: Please start a new topic in our Installation and Upgrade category and read the installation guide in the Wiki.
Anastasiya replied the topic:
10 years 8 months ago
The situation with downloading large files remains the same. If the attachment is too large, the message is "COM_KUNENA_UPLOAD_ERROR_NOT_UPLOADED", but not "COM_KUNENA_UPLOAD_ERROR_SIZE".
naimless replied the topic:
10 years 9 months ago
Thanks sozzled, no problem at all, I know how much you and the rest of your team have on your plate! And apologies, I didn't mean to hijack this thread. Just thought it was the most appropriate place since it was directly related to this release and could have been helpful to others looking to patch security quickly...

Will go for option (a) that you suggest as soon as I have 20 minutes or so to spare :) Thanks! :)
sozzled replied the topic:
10 years 9 months ago
I do not know if Qoppa will read this topic or if he will reply directly to you with the information that you are looking for. I have to admit that for this K 3.0.5 release I did not prepare the release notes because I have been very busy doing other things (and so, if the information is not as complete as you will find in other release notes where I was involved in writing them, please accept my apologies).

So you are right. The "abridged change log" for K 3.0.5 does not specifically state exactly which GitHub bug. Sorry about that. As I said, I haven't had the time lately to review what's in the Wiki. :blush:

This is really not the best topic to ask these kinds of questions. It may be better for you to go to GitHub where you can search for the information that you're looking for. If you can't find the information in GitHub, you have the following choices:

(a) upgrade to K 3.0.5 (in the normal, recommended manner) and reapply any customised changes that you specifically want (or need); or

(b) create a topic in the Custom work - not offering to pay or Miscellaneous, off-topic and general Joomla and wait for another member of this community, who has a common interest in your problem, to reply with the specific information you are looking for.

Please remember, as a courtesy to other users of this forum, to not hijack this topic further by continuing to ask about how to make out-of-the-ordinary changes to your customised installation, questions that do not apply to the majority of other members of the community. Thank you.
naimless replied the topic:
10 years 9 months ago
Thanks for your prompt reply Sozzled.

I'd already looked through release notes (no specific mention of where the XSS vulnerability was, other than BBCode), and through GitHub (where the latest commit has over 1400 changed files, mostly with version numbers, etc, so it was almost impossible for a GitHub newbie such as myself to find which bit was responsible for the security flaw).

I'd agree with you generally though, that if I make core hacks, on my own head be it, though in the case of urgent security alerts, which are now public due to the update, it would be really helpful for someone on the team to be able to confirm which two or three files absolutely need to be patched (and I assume it's a tiny independent change in this case, such as all the files in library/kunena/bbcode or somesuch maybe?).

If Qoppa or someone who was responsible for finding / fixing the flaw is reading this, would be great if they could just ping a quick line across letting me know if any other files are at risk or if that would do.

I don't think that in the case of small security updates, which by their nature are more urgent and important than feature releases, those who choose to embrace Kunena's flexibility and open source nature by hacking it a little bit, can not be supported, at least a little bit?

Anyway, didn't mean to start a long thread or debate over this, it was literally just a quick request for help in case a kind soul happened to have an answer to hand.

Keep up the great work Team K!
sozzled replied the topic:
10 years 9 months ago

naimless wrote: Quick question - could you please confirm which files I need to patch for the BBCode XSS vulnerability?

As you probably know, these kinds of announcement topics are not the best places to ask "quick questions" like those. Details about what is fixed (and how) are usually contained in the release notes and the full source code is available (for those who want to get it) on GitHub.

naimless wrote: Have some core modifications done to Kunena (I know, it's not a good idea to hack core files) ...

This is an example of why we do not recommend to people that they should modify the original source code. People modify source code and then they kind of "paint themselves into a corner" and they're unable to upgrade to new versions because their highly-customised software contains so many changes that it takes a significant time to reapply them when new versions are released. However, as we have always said here, Kunena is open-source and people are free to change it as much as they like but, if they change it, they cannot expect that we will be able to help them when they do. My advice is to read the release notes (in the Wiki) to see what changes have been applied to the new version and then to go to GitHub to find the actual source code that relates to those things.
naimless replied the topic:
10 years 9 months ago
Hi,

Great work on the new release and security fix.

Quick question - could you please confirm which files I need to patch for the BBCode XSS vulnerability?

Have some core modifications done to Kunena (I know, it's not a good idea to hack core files) and would be great if I could just copy those files across without having to patch the other core files again with my modifications.

Thanks!
jimrowland replied the topic:
10 years 9 months ago
Looking forward to this, and 3.1! Noticed a typo in the release note, 2nd line above the "Other Details" header:

"For this reason it is advisable that you first test K 3.0.4 on a test site before you upgrade your live production site(s)."

Should be 3.0.5, I assume.

Good work to all the volunteers who keep the project moving on the back end and to the mod team who keeps all of us "dumb users" functioning!
roland76 replied the topic:
10 years 9 months ago
Hello,

everything works fine. Thanks a lot :-)...

Hopefully 3.1 is not so far away... ;-)

Greetings, Roland