Question Kunena 3.0.5 released

Read more...

Hello,

everything works fine. Thanks a lot ...

Hopefully 3.1 is not so far away...

Greetings, Roland

Looking forward to this, and 3.1! Noticed a typo in the release note, 2nd line above the "Other Details" header:

"For this reason it is advisable that you first test K 3.0.4 on a test site before you upgrade your live production site(s)."

Should be 3.0.5, I assume.

Good work to all the volunteers who keep the prject moving on the back end and to the mod team who keeps all of us "dumb users" functioning!

Hi,

Great work on the new release and security fix.

Quick question - could you please confirm which files I need to patch for the BBCode XSS vulnerability?

Have some core modifications done to Kunena (I know, it's not a good idea to hack core files) and would be great if I could just copy those files across without having to patch the other core files again with my modifiations.

Thanks!

naimless wrote: Quick question - could you please confirm which files I need to patch for the BBCode XSS vulnerability?

As you probably know, these kinds of announcement topics are not the best places to ask "quick questions" like those. Details about what is fixed (and how) are usually contained in the release notes and the full source codes is availabled (for those who want to get it) on GitHub.

naimless wrote: Have some core modifications done to Kunena (I know, it's not a good idea to hack core files) ...

This is an example of why we do not recommend to people that they should modify the original source code. People modify source code and then they kind of "paint themselves into a corner" and they're unable to upgrade to new versions because their highly-customised software contains so many changes that it takes a significant time to reapply them when new versions are released. However, as we have always said here, Kunena is open-source and people are free to change it as much as they like but, if they change it, they cannot expect that we will be able to help them when they do. My advice is to read the release notes (in the Wiki) to see what changes have been applied to the new version and then to go to GitHub to find the actual source code that relates to those things.

Thanks for your prompt reply Sozzled.

I'd already looked through release notes (no specific mention of where the XSS vulnerability was, other than BBCode), and through GitHub (where the latest commit has over 1400 changed files, mostly with version numbers, etc, so it was almost impossible for a GitHub newbie such as myself to find which bit was responsible for the security flaw).

I'd agree with you generally though, that if I make core hacks, on my own head be it, though in the case of urgent security alerts, which are now public due to the update, it would be really helpful for someone on the team to be able to confirm which two or three files absolutely need to be patched (and I assume it's a tiny independent change in this case, such as all the files in library/kunena/bbcode or somesuch maybe?).

If Qoppa or someone who was responsible for finding / fixing the flaw is reading this, would be great if they could just ping a quick line across letting me know if any other files are at risk or if that would do.

I don't think that in the case of small security updates, which by their nature are more urgent and important than feature releases, those who choose to embrace Kunena's flexibility and open source nature by hacking it a little bit, can not be supported, at least a little bit?

Anyway, didn't mean to start a long thread or debate over this, it was literally just a quick request for help in case a kind soul happened to have an answer to hand.

Keep up the great work Team K!

I do not know if Qoppa will read this topic or if he will reply directly to you with the information that you are looking for. I have to admit that for this K 3.0.5 release I did not prepare the release notes because I have been very busy doing other things (and so, if the information is not as complete as you will find in other release notes where I was involved in writing them, please accept my apologies).

So you are right. The "abridged change log" for K 3.0.5 does not specifically state exactly which GitHub bug. Sorry about that. As I said, I haven't had the time lately to review what's in the Wiki. :blush:

This is really not the best topic to ask these kinds of questions. It may be better for you to go to GitHub where you can search for the information that you're looking for. If you can't find the information in GitHub, you have the following choices:

(a) upgrade to K 3.0.5 (in the normal, recommended manner) and reapply any customised changes that you specifically want (or need); or

(b) create a topic in the Custom work - not offering to pay or Miscellaneous, off-topic and general Joomla and wait for another member of this community, who has a common interest in your problem, to reply with the specific information you are looking for.

Please remember, as a courtesy to other users of this forum, to not hijack this topic further by continuing to ask about how to make out-of-the-ordinary changes to your customised installation, questions that do not apply to the majority of other members of the community. Thank you.

Thanks sozzled, no problem at all, I know how much you and the rest of your team have on your plate! And apologies, I didn't mean to hijack this thread. Just thought it was the most appropriate place since it was directly related to this release and could have been helpful to others looking to patch security quickly...

Will go for option (a) that you suggest as soon as I have 20 minutes or so to spare Thanks!

The situation with downloading large files remains the same. If the attachment is too large, the message "COM_KUNENA_UPLOAD_ERROR_NOT_UPLOADED", but not "COM_KUNENA_UPLOAD_ERROR_SIZE".

Anastasiya: Please start a new topic in our Installation and Upgrade category and read the installation guide in the Wiki.