vBulletin 3.6.7

As much as we hate to spring another upgrade on you all so soon after the release of vBulletin 3.6.6, an XSS flaw was identified today and in order to maintain our commitment to fix security problems as soon as we become aware of them, we have to release 3.6.7 and a patch for older versions.

All versions of vBulletin 3.6 prior to 3.6.7 are vulnerable to the XSS. vBulletin 3.5.x and 3.0.x are not affected.

To minimize the pain of another upgrade, there are no changed templates since 3.6.6 and no database schema changes, so the upgrade should be as simple and quick as possible.

Since we have fixed several bugs since vBulletin 3.6.6 was released, these fixes are also incorporated in this version and include amongst others:

• RTL support for date picker popup
• Fixed HTML for archive forum lists
• MySQL error while merging users fixed
• Smilie parsing error fixed
• PHP 5.0.5 errors fixed
• Hard-coded image paths fixed

A complete list of bugs fixed in the 3.6 branch is available in the project manager.

Please accept our apologies for bringing out a new version just days after the previous release. We're sorry.

Fixing the XSS Bug

The XSS problem can be resolved in one of three ways.

1. Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.6.7 package from the vBulletin Members' Area and following the regular upgrade instructions. This is the only option that will not only fix the XSS issue, but will also apply all the bug fixes made since the release of 3.6.6.
2. Patch: A second option is to download the patch files either in the Members' Area or attached to this thread and upload them to your web server, overwriting the existing files.
   Patch file: 366_patch.zip
3. Plugin: The plugin system built into vBulletin 3.6 allows the problem to be fixed with a simple plugin. The install file for this plugin is also attached to this thread and is the easiest way to fix the problem, as it does not require you to upload any files via FTP. The plugin will be automatically removed when you perform your next full upgrade. You can install the plugin by following the instructions here.
   Plugin File: vb_calendar366_css_fix_plugin.xml

Please note the following:

• The plugin can be used with any previous version of vBulletin 3.6
• The patch can only be applied to vBulletin 3.6.4, 3.6.5 or 3.6.6
• You may perform a full upgrade to vBulletin 3.6.7 from any previous version of vBulletin 3.

--------------------

Reply to the Welcome PM for Full Access to the Forums.. Thanks

Have you heard about Crowdgather?
Find it on Forums

Don't think I will run this anytime soon... It is just too quick. Maybe if I am on tonight and my forum is dead I will...
You gunna do the upgrade... or plugin?

--------------------
Owner of www.bleepd.com

I'll more then likely just add the patch.

--------------------

Reply to the Welcome PM for Full Access to the Forums.. Thanks

Have you heard about Crowdgather?
Find it on Forums

lol, I knew it when 3.6.6 was announced, I said I'd wait, maybe now I'll go for it. Since some time now I saw this pattern after each great update, quickly a little bug fix follows.

--------------------

Aeroclix -- DistantHost link directory
Domains hosting, server rent... -- Distant-Help link directory

what the hell's this ?

are they patching 3.6.7

wtf.jpg

--------------------

Reply to the Welcome PM for Full Access to the Forums.. Thanks

Have you heard about Crowdgather?
Find it on Forums

Hahaha! This is crazy! What is up? They said they researched everything for 6 months for 3.6.6. And what 3 days later, already 2 updates for it? Come on VB!

--------------------
Owner of www.bleepd.com

Well I dont see why people insist on bitching at vb. You should be glad enough that they fix these exploits for our own security. If you read the news, it says it will affect all vb 3.6.x. So it is recomended for your own security to upgrade.

--------------------

It is what people do when they pay for a service. They enjoy complaining about the product, even though if they didn't have it, they would be up shit creek without a paddle.
I was not trying to sound a little bitchy. I just thought it was funny that they apparently worked on 3.6.6 for 6 months getting all the exploits and other stuff gone, and they were proud of it. And then once the released it, they quickly realized, hey, we didn't look at this close enough. It is bad for their business when stuff like that happens. It shows that in fact they didn't spend enough time getting everything correct. Who wants to go through updates every 2 days? Not me...

--------------------
Owner of www.bleepd.com

Maybe not every 2 days upgrading, but maybe once a week....

I upgraded my test forum last night and all the others will be tomorrow night.

--------------------
My Updated Blog

Besides if u upgraded to 3.6.7, then all you have to do is overwrite files for the pl1

--------------------