
Question Kunena 3.0.5 released

12 years 2 months ago #154443 by Matias
Kunena 3.0.5 released was created by Matias

Introduction

Kunena 3.0.5 [K 3.0.5] is available for download as a native Joomla extension for J! 2.5 and J! 3.x. This version is a security release for Kunena that addresses several maintenance issues that have been reported since the last version release, and this new version replaces (and makes obsolete) all previous versions of Kunena.

This version of Kunena coincides with the simultaneous release of an updated language pack, downloaded separately, for deployment on non-English websites. The release of this version does not coincide with the release of other Kunena Add-ons that have not been updated at this time and that may or may not be updated for this version.

In general, Kunena Add-ons designed for previous versions of K 3.x should interoperate with this version of Kunena; in general, Kunena Add-ons designed for older major versions of Kunena will not interoperate with this version of Kunena.

The summary of important changes in K 3.0.5 is:

  • XSS vulnerability in BBCode output (thanks Qoppa for finding it)
  • Improvements to lightbox
  • Fixes some JomSocial stream issues
  • Improvements to backend

The following user(s) said Thank You: roland76, lifeguard
The topic has been locked.
12 years 2 months ago #154444 by roland76
Replied by roland76 on topic Kunena 3.0.5 released
Hello,

everything works fine. Thanks a lot :-)...

Hopefully 3.1 is not so far away... ;-)

Greetings, Roland
12 years 2 months ago #154457 by jimrowland
Replied by jimrowland on topic Kunena 3.0.5 released
Looking forward to this, and 3.1! Noticed a typo in the release note, 2nd line above the "Other Details" header:

"For this reason it is advisable that you first test K 3.0.4 on a test site before you upgrade your live production site(s)."

Should be 3.0.5, I assume.

Good work to all the volunteers who keep the project moving on the back end and to the mod team who keeps all of us "dumb users" functioning!
12 years 2 months ago #154462 by naimless
Replied by naimless on topic Kunena 3.0.5 released
Hi,

Great work on the new release and security fix.

Quick question - could you please confirm which files I need to patch for the BBCode XSS vulnerability?

Have some core modifications done to Kunena (I know, it's not a good idea to hack core files) and would be great if I could just copy those files across without having to patch the other core files again with my modifications.

Thanks!
12 years 2 months ago - 12 years 2 months ago #154464 by sozzled
Replied by sozzled on topic Kunena 3.0.5 released

naimless wrote: Quick question - could you please confirm which files I need to patch for the BBCode XSS vulnerability?

As you probably know, these kinds of announcement topics are not the best places to ask "quick questions" like those. Details about what is fixed (and how) are usually contained in the release notes and the full source code is available (for those who want to get it) on GitHub.

naimless wrote: Have some core modifications done to Kunena (I know, it's not a good idea to hack core files) ...

This is an example of why we do not recommend to people that they should modify the original source code. People modify source code and then they kind of "paint themselves into a corner" and they're unable to upgrade to new versions because their highly-customised software contains so many changes that it takes a significant time to reapply them when new versions are released. However, as we have always said here, Kunena is open-source and people are free to change it as much as they like but, if they change it, they cannot expect that we will be able to help them when they do. My advice is to read the release notes (in the Wiki) to see what changes have been applied to the new version and then to go to GitHub to find the actual source code that relates to those things.
Last edit: 12 years 2 months ago by sozzled.
12 years 2 months ago #154466 by naimless
Replied by naimless on topic Kunena 3.0.5 released
Thanks for your prompt reply Sozzled.

I'd already looked through release notes (no specific mention of where the XSS vulnerability was, other than BBCode), and through GitHub (where the latest commit has over 1400 changed files, mostly with version numbers, etc, so it was almost impossible for a GitHub newbie such as myself to find which bit was responsible for the security flaw).

I'd agree with you generally though, that if I make core hacks, on my own head be it, though in the case of urgent security alerts, which are now public due to the update, it would be really helpful for someone on the team to be able to confirm which two or three files absolutely need to be patched (and I assume it's a tiny independent change in this case, such as all the files in library/kunena/bbcode or somesuch maybe?).

If Qoppa or someone who was responsible for finding / fixing the flaw is reading this, would be great if they could just ping a quick line across letting me know if any other files are at risk or if that would do.

I don't think that in the case of small security updates, which by their nature are more urgent and important than feature releases, those who choose to embrace Kunena's flexibility and open source nature by hacking it a little bit, can not be supported, at least a little bit?

Anyway, didn't mean to start a long thread or debate over this, it was literally just a quick request for help in case a kind soul happened to have an answer to hand.

Keep up the great work Team K!