×
Kunena 5.2.6 released and Blue eagle 1.6.6 released (25 Jul 2021)

The Kunena team has announce the arrival of Kunena 5.2.6 [K 5.2.6] which is now available for download as a native Joomla extension for J! 3.9.x. This version addresses most of the issues that were discovered in K 5.2 and issues discovered during the development stages of K 5.2.6

Question Kunena 3.0.5 released

More
7 years 6 months ago #1 by Matias
Kunena 3.0.5 released was created by Matias

Introduction

Kunena 3.0.5 [K 3.0.5] is available for download as a native Joomla extension for J! 2.5 and J! 3.x. This version is a security release for Kunena that addresses several maintenance issues that have been reported since the last version release. and this new version replaces (and makes obsolete) all previous versions of Kunena.

This version of Kunena coincides with the simultaneous release of an updated language pack, downloaded separately, for deployment on non-English websites. The release of this version does not not coincide with the release of other Kunena Add-ons that have not been updated at this time and that may or may not be updated for this version.

In general, Kunena Add-ons designed for previous versions of K 3.x should interoperate with this version of Kunena; in general, Kunena Add-ons designed for older major versions of Kunena will not interoperate with this version of Kunena.

The summary of important changes in K 3.0.5 are:

  • XSS vulnerability in BBCode output (thanks Qoppa for finding it)
  • Improvements to lightbox
  • Fixes some JomSocial stream issues
  • Improvements to backend

Read more...
The following user(s) said Thank You: roland76, lifeguard
The topic has been locked.
More
7 years 6 months ago #2 by roland76
Replied by roland76 on topic Kunena 3.0.5 released
Hello,

everything works fine. Thanks a lot :-)...

Hopefully 3.1 is not so far away... ;-)

Greetings, Roland
The topic has been locked.
More
7 years 6 months ago #3 by jimrowland
Replied by jimrowland on topic Kunena 3.0.5 released
Looking forward to this, and 3.1! Noticed a typo in the release note, 2nd line above the "Other Details" header:

"For this reason it is advisable that you first test K 3.0.4 on a test site before you upgrade your live production site(s)."

Should be 3.0.5, I assume.

Good work to all the volunteers who keep the prject moving on the back end and to the mod team who keeps all of us "dumb users" functioning!
The topic has been locked.
More
7 years 6 months ago #4 by naimless
Replied by naimless on topic Kunena 3.0.5 released
Hi,

Great work on the new release and security fix.

Quick question - could you please confirm which files I need to patch for the BBCode XSS vulnerability?

Have some core modifications done to Kunena (I know, it's not a good idea to hack core files) and would be great if I could just copy those files across without having to patch the other core files again with my modifiations.

Thanks!
The topic has been locked.
More
7 years 6 months ago - 7 years 6 months ago #5 by sozzled
Replied by sozzled on topic Kunena 3.0.5 released

Quick question - could you please confirm which files I need to patch for the BBCode XSS vulnerability?

As you probably know, these kinds of announcement topics are not the best places to ask "quick questions" like those. Details about what is fixed (and how) are usually contained in the release notes and the full source codes is availabled (for those who want to get it) on GitHub.

Have some core modifications done to Kunena (I know, it's not a good idea to hack core files) ...

This is an example of why we do not recommend to people that they should modify the original source code. People modify source code and then they kind of "paint themselves into a corner" and they're unable to upgrade to new versions because their highly-customised software contains so many changes that it takes a significant time to reapply them when new versions are released. However, as we have always said here, Kunena is open-source and people are free to change it as much as they like but, if they change it, they cannot expect that we will be able to help them when they do. My advice is to read the release notes (in the Wiki) to see what changes have been applied to the new version and then to go to GitHub to find the actual source code that relates to those things.
Last edit: 7 years 6 months ago by sozzled.
The topic has been locked.
More
7 years 6 months ago #6 by naimless
Replied by naimless on topic Kunena 3.0.5 released
Thanks for your prompt reply Sozzled.

I'd already looked through release notes (no specific mention of where the XSS vulnerability was, other than BBCode), and through GitHub (where the latest commit has over 1400 changed files, mostly with version numbers, etc, so it was almost impossible for a GitHub newbie such as myself to find which bit was responsible for the security flaw).

I'd agree with you generally though, that if I make core hacks, on my own head be it, though in the case of urgent security alerts, which are now public due to the update, it would be really helpful for someone on the team to be able to confirm which two or three files absolutely need to be patched (and I assume it's a tiny independent change in this case, such as all the files in library/kunena/bbcode or somesuch maybe?).

If Qoppa or someone who was responsible for finding / fixing the flaw is reading this, would be great if they could just ping a quick line across letting me know if any other files are at risk or if that would do.

I don't think that in the case of small security updates, which by their nature are more urgent and important than feature releases, those who choose to embrace Kunena's flexibility and open source nature by hacking it a little bit, can not be supported, at least a little bit?

Anyway, didn't mean to start a long thread or debate over this, it was literally just a quick request for help in case a kind soul happened to have an answer to hand.

Keep up the great work Team K!
The topic has been locked.
More
7 years 6 months ago - 7 years 6 months ago #7 by sozzled
Replied by sozzled on topic Kunena 3.0.5 released
I do not know if Qoppa will read this topic or if he will reply directly to you with the information that you are looking for. I have to admit that for this K 3.0.5 release I did not prepare the release notes because I have been very busy doing other things (and so, if the information is not as complete as you will find in other release notes where I was involved in writing them, please accept my apologies).

So you are right. The "abridged change log" for K 3.0.5 does not specifically state exactly which GitHub bug. Sorry about that. As I said, I haven't had the time lately to review what's in the Wiki. :blush:

This is really not the best topic to ask these kinds of questions. It may be better for you to go to GitHub where you can search for the information that you're looking for. If you can't find the information in GitHub, you have the following choices:

(a) upgrade to K 3.0.5 (in the normal, recommended manner) and reapply any customised changes that you specifically want (or need); or

(b) create a topic in the Custom work - not offering to pay or Miscellaneous, off-topic and general Joomla and wait for another member of this community, who has a common interest in your problem, to reply with the specific information you are looking for.

Please remember, as a courtesy to other users of this forum, to not hijack this topic further by continuing to ask about how to make out-of-the-ordinary changes to your customised installation, questions that do not apply to the majority of other members of the community. Thank you.
Last edit: 7 years 6 months ago by sozzled.
The topic has been locked.
More
7 years 6 months ago #8 by naimless
Replied by naimless on topic Kunena 3.0.5 released
Thanks sozzled, no problem at all, I know how much you and the rest of your team have on your plate! And apologies, I didn't mean to hijack this thread. Just thought it was the most appropriate place since it was directly related to this release and could have been helpful to others looking to patch security quickly...

Will go for option (a) that you suggest as soon as I have 20 minutes or so to spare :) Thanks! :)
The topic has been locked.
More
7 years 6 months ago #9 by Anastasiya
Replied by Anastasiya on topic Kunena 3.0.5 released
The situation with downloading large files remains the same. If the attachment is too large, the message "COM_KUNENA_UPLOAD_ERROR_NOT_UPLOADED", but not "COM_KUNENA_UPLOAD_ERROR_SIZE".
The topic has been locked.
More
7 years 6 months ago #10 by sozzled
Replied by sozzled on topic Kunena 3.0.5 released
Anastasiya: Please start a new topic in our Installation and Upgrade category and read the installation guide in the Wiki.
The topic has been locked.
  • Not Allowed: to create new topic.
  • Not Allowed: to reply.
  • Not Allowed: to edit your message.
Time to create page: 0.097 seconds