- Posts: 7245
- Thank you received: 566
Kunena 5.2.6 released and Blue eagle 1.6.6 released (25 Jul 2021)
The Kunena team has announce the arrival of Kunena 5.2.6 [K 5.2.6] which is now available for download as a native Joomla extension for J! 3.9.x. This version addresses most of the issues that were discovered in K 5.2 and issues discovered during the development stages of K 5.2.6
Question Kunena 3.0.5 released
Kunena 3.0.5 [K 3.0.5] is available for download as a native Joomla extension for J! 2.5 and J! 3.x. This version is a security release for Kunena that addresses several maintenance issues that have been reported since the last version release. and this new version replaces (and makes obsolete) all previous versions of Kunena.
This version of Kunena coincides with the simultaneous release of an updated language pack, downloaded separately, for deployment on non-English websites. The release of this version does not not coincide with the release of other Kunena Add-ons that have not been updated at this time and that may or may not be updated for this version.
In general, Kunena Add-ons designed for previous versions of K 3.x should interoperate with this version of Kunena; in general, Kunena Add-ons designed for older major versions of Kunena will not interoperate with this version of Kunena.
The summary of important changes in K 3.0.5 are:
- XSS vulnerability in BBCode output (thanks Qoppa for finding it)
- Improvements to lightbox
- Fixes some JomSocial stream issues
- Improvements to backend
"For this reason it is advisable that you first test K 3.0.4 on a test site before you upgrade your live production site(s)."
Should be 3.0.5, I assume.
Good work to all the volunteers who keep the prject moving on the back end and to the mod team who keeps all of us "dumb users" functioning!
Great work on the new release and security fix.
Quick question - could you please confirm which files I need to patch for the BBCode XSS vulnerability?
Have some core modifications done to Kunena (I know, it's not a good idea to hack core files) and would be great if I could just copy those files across without having to patch the other core files again with my modifiations.
As you probably know, these kinds of announcement topics are not the best places to ask "quick questions" like those. Details about what is fixed (and how) are usually contained in the release notes and the full source codes is availabled (for those who want to get it) on GitHub.
This is an example of why we do not recommend to people that they should modify the original source code. People modify source code and then they kind of "paint themselves into a corner" and they're unable to upgrade to new versions because their highly-customised software contains so many changes that it takes a significant time to reapply them when new versions are released. However, as we have always said here, Kunena is open-source and people are free to change it as much as they like but, if they change it, they cannot expect that we will be able to help them when they do. My advice is to read the release notes (in the Wiki) to see what changes have been applied to the new version and then to go to GitHub to find the actual source code that relates to those things.
I'd already looked through release notes (no specific mention of where the XSS vulnerability was, other than BBCode), and through GitHub (where the latest commit has over 1400 changed files, mostly with version numbers, etc, so it was almost impossible for a GitHub newbie such as myself to find which bit was responsible for the security flaw).
I'd agree with you generally though, that if I make core hacks, on my own head be it, though in the case of urgent security alerts, which are now public due to the update, it would be really helpful for someone on the team to be able to confirm which two or three files absolutely need to be patched (and I assume it's a tiny independent change in this case, such as all the files in library/kunena/bbcode or somesuch maybe?).
If Qoppa or someone who was responsible for finding / fixing the flaw is reading this, would be great if they could just ping a quick line across letting me know if any other files are at risk or if that would do.
I don't think that in the case of small security updates, which by their nature are more urgent and important than feature releases, those who choose to embrace Kunena's flexibility and open source nature by hacking it a little bit, can not be supported, at least a little bit?
Anyway, didn't mean to start a long thread or debate over this, it was literally just a quick request for help in case a kind soul happened to have an answer to hand.
Keep up the great work Team K!
So you are right. The "abridged change log" for K 3.0.5 does not specifically state exactly which GitHub bug. Sorry about that. As I said, I haven't had the time lately to review what's in the Wiki.
This is really not the best topic to ask these kinds of questions. It may be better for you to go to GitHub where you can search for the information that you're looking for. If you can't find the information in GitHub, you have the following choices:
(a) upgrade to K 3.0.5 (in the normal, recommended manner) and reapply any customised changes that you specifically want (or need); or
(b) create a topic in the Custom work - not offering to pay or Miscellaneous, off-topic and general Joomla and wait for another member of this community, who has a common interest in your problem, to reply with the specific information you are looking for.
Please remember, as a courtesy to other users of this forum, to not hijack this topic further by continuing to ask about how to make out-of-the-ordinary changes to your customised installation, questions that do not apply to the majority of other members of the community. Thank you.
Will go for option (a) that you suggest as soon as I have 20 minutes or so to spare Thanks!
- Not Allowed: to create new topic.
- Not Allowed: to reply.
- Not Allowed: to edit your message.