Difference between revisions of "Release Highlights/3.0.13"

From phpBB Development Wiki

Latest revision as of 14:17, 31 January 2015

This page highlights important changes in phpBB 3.0.13. For a complete list of changes, please refer to this report.

Security and Hardening

  • Security (CVE-2015-1431): CSS Injection via Relative Path Overwrite. Thanks to James Kettle for bringing this to our attention. See PHPBB3-13531.
  • Security (CVE-2015-1432): The ucp_pm_options form key is now properly validated. Thanks to FBNeal and lampsys who reported this independently. See PHPBB3-13526.
  • Hardening: Information received from the phpBB version server is now considered untrusted. See PHPBB3-13527.
  • Hardening: The deregister_globals() function now better handles the case when $_COOKIE['GLOBALS'] is specified. See PHPBB3-13376.
  • Hardening: Existence of the path to the imagick program specified in the Administration Control Panel is now verified. See PHPBB3-13519.
  • Abuse Prevention: The "Send password" feature now sends anti-abuse headers in e-mail messages. See PHPBB3-11799.
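The form key item above concerns the anti-CSRF check on one control-panel form. The following is an added example, not phpBB's own code, of what such a check looks like in PHP: a random per-session key is issued when the form is rendered and must be echoed back unchanged with the POST. The function names, the session array layout, the expiry value and the `pm_options` form name are assumptions made for the example; `random_bytes()` needs PHP 7 or later and `hash_equals()` PHP 5.6 or later.

```php
<?php
// Added illustrative example of per-session form key (anti-CSRF token)
// generation and validation. This is NOT phpBB's implementation; the function
// names, the session array layout and FORM_KEY_TTL are assumptions.

declare(strict_types=1);

const FORM_KEY_TTL = 3600; // seconds a form key stays valid (assumed value)

/** Create a fresh random form key for one form and remember it in the session. */
function make_form_key(array &$session, string $form_name): string
{
    $key = bin2hex(random_bytes(16));
    $session['form_keys'][$form_name] = ['key' => $key, 'created' => time()];
    return $key;
}

/**
 * Validate the form key submitted with a POST request.
 * Returns true only if a key for this form exists in the session, has not
 * expired, and matches the submitted value in constant time.
 */
function check_form_key(array &$session, string $form_name, array $post): bool
{
    $stored    = $session['form_keys'][$form_name] ?? null;
    $submitted = $post['form_token'] ?? null;

    // Missing or malformed token: the request was not produced by our own form.
    if ($stored === null || !is_string($submitted)) {
        return false;
    }

    // Expired keys are discarded so a leaked token has a bounded lifetime.
    if (time() - $stored['created'] > FORM_KEY_TTL) {
        unset($session['form_keys'][$form_name]);
        return false;
    }

    // hash_equals() avoids leaking the key through comparison timing.
    return hash_equals($stored['key'], $submitted);
}

// Constructed demonstration with an in-memory "session" and an assumed form name.
$session = [];
$token   = make_form_key($session, 'pm_options');

$cases = [
    'legitimate token' => ['form_token' => $token],
    'guessed token'    => ['form_token' => 'guess'],
    'no token at all'  => [],
];
foreach ($cases as $label => $post) {
    echo $label, ': ', check_form_key($session, 'pm_options', $post) ? 'accepted' : 'rejected', "\n";
}
```

Only the request carrying the session's own token is accepted; a cross-site request cannot read that token, and a request that omits the field entirely is rejected rather than silently processed, which is the failure mode a missing or unchecked form key produces.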

Notable Changes and Bug Fixes

  • Improved Compatibility with Apache 2.4. See PHPBB3-11860.
  • Improved Compatibility with PHP 5.6. See PHPBB3-12468, PHPBB3-13096 and PHPBB3-13168.
  • Improved Compatibility with Internet Explorer 11. See PHPBB3-12093.
  • Improved Compatibility with Microsoft Azure. See PHPBB3-9725 and PHPBB3-10796.
  • "Edit signature" in the User Control Panel now correctly allows smilies to be selected for insertion. See PHPBB3-10037.
  • Remote avatar upload now works correctly when the HTTP server uses Keep-Alive. See PHPBB3-12755.
  • An issue was fixed where the board would not load correctly for banned users. See PHPBB3-13138.
  • Language strings containing numbers can now be used as HTML replacement in Custom BBcodes. See PHPBB3-12048.
  • Cookies now work properly on local networks. See PHPBB3-11613.
  • Published packages are now checksummed using the SHA-256 algorithm instead of MD5. See PHPBB3-11876.