-
VaultWiki News
by Published on May 9, 2019 12:06 PM
As the number of critical issues begins to dwindle, VaultWiki 4.1.x's alpha phase comes to a close. VaultWiki 4.1.0 Beta 1 is now available. This release expands XenForo 2.1 support with bookmarking and contains about 60 fixes and tweaks.
For a list of changes in this release, please see Changelog for 4.1.0 Beta 1. If you are a style or language pack maintainer, please check here for changes which may affect you.
Resolved Security Issues
Since alpha and beta versions are not subject to the same patching policy as stable versions, the following issues are patched in this release of the 4.1.x branch version, 4.1.0 Beta 1, in addition to any relevant issues that were already patched on the stable branch.
VWE-2019-5150 is a Permissions Escalation, where users can post new wiki content regardless of permissions, as long as the user can create normal wiki pages and he knows the proper editor URL for the desired content-type.
VWE-2019-5151 is a Subscription Management issue, where the page that lists all of a user's subscriptions and the page containing the user's wiki subscription preferences do not successfully render. The issue affects vBulletin only.
VWE-2019-5157 is a Permissions Escalation issue, where users can view the index's feed list even if they are not permitted to view the index.
VWE-2019-5159 is a Permissions Escalation issue, where users can view index-scoped widgets via the sidebar-type WIDGET BB-Code, as long as they have global permissions to view the same widget.
VWE-2019-5160 is a Permissions Escalation issue, where users can create, open, or close discussion topics on the index, as long as they have global permissions to perform the action.
VWE-2019-5161 is a Permissions Escalation issue, where users can view moderated attachments on index comments, as long as they have global permissions to view moderated attachments. The issue affects vBulletin 4.x only.
VWE-2019-5162 is a Permissions Escalation issue, where users can view a poster's IP address for discussions, comments, edits, and last-updates related to the index, as long as they have global permissions to view IP addresses.
VWE-2019-5163 is a Permissions Escalation issue, where users can view moderated discussions, comments, and edits related to the index, as long as they have global permissions to view the same.
Release Notes
Sites running 4.1.x Alphas should upgrade to VaultWiki 4.1.0 Beta 1 as soon as they are able in order to improve stability. VaulWiki 4.1.0 Beta 1 is beta software. We recommend that beta software only be used in a test environment.by Published on May 2, 2019 2:28 PM
As of today, May 2, the security patches for May 2019 are now available.
Issue List
VWE-2018-4972, which was a Permissions Escalation previously patched for vBulletin 3.x, where a user was able to use smilies in wiki content without permission, was discovered to additionally affect vBulletin versions 4.0.0 Alpha 1 - 4.0.12.
VWE-2019-5171 is an Information Disclosure, by which internal requests to a third-party server, such as for image proxy, may reveal the VaultWiki version number to the foreign server.
VWE-2019-5172 is an Information Disclosure, by which the VaultWiki version number is revealed in CSS output.
VWE-2019-5181 is a Permissions Escalation issue, where a user can view the current edit of a page even though the user does not have permission to view the page.
VWE-2019-5188 is a Permissions Escalation issue, where a user can view template output even though the user doesn't have permission to view the template.
VWE-2019-5189 is a Permissions Escalation issue, where a user can inject any page as though it were a template.
Patches
As of May 2, 2019, the following patches address the aforementioned issues:
- 4.0.25 Patch Level 2
- 4.0.24 Patch Level 4
- 4.0.23 Patch Level 6
- 4.0.22 Patch Level 8*
* A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.
We recommend that all users running VaultWiki in a production environment update to a patched release.by Published on March 20, 2019 1:54 PM
As of today, we have released 4.1.0 Alpha 3 for public testing. This release expands XenForo 2.1 support, contains a small number of minor features and tweaks, and corrects about 30 known issues from Alpha 2, moving the 4.1.x series closer to a proposed Beta.
For a list of changes in this release, please see Changelog for 4.1.0 Alpha 3. If you are a style or language pack maintainer, please check here for changes which may affect you.
Release Notes
Sites running previous 4.1.x Alphas should upgrade to VaultWiki 4.1.0 Alpha 3 as soon as they are able in order to improve stability. VaultWiki 4.1.0 Alpha 3 is alpha software. We recommend that alpha software only be used in a test environment. During the alpha period, there may be frequent builds, as often as daily, with which testers should try to keep up-to-date.by Published on March 6, 2019 1:52 PM
On February 19, the security patches for March were released early in an effort to rollout fixes for an issue which may have been being used in the wild.
Issue List
VWE-2019-5016 is a Permissions Escalation issue, where by guessing the correct editor URL, users are able to post new wiki content without proper permissions. The issue affects new content only; edits to existing content are unaffected.
Patches
Important: if you already run one of the following patches but believe you may have downloaded it prior to February 19, 2019, we recommend that you re-download and reapply the patch; there was a problem where our downloader offered some these names for download even though the patch was not released yet or provided patches for different versions than requested.
As of February 19, 2019, the following patches address the aforementioned issue:
- 4.1.0 Alpha 2
- 4.0.25 Patch Level 1
- 4.0.24 Patch Level 3
- 4.0.23 Patch Level 5
- 4.0.22 Patch Level 7
- 4.0.21 Patch Level 8*
*A patch was issued for this version even though it reached its end-of-life before the patch date, because the issue was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.
We recommend that all users running VaultWiki in a production environment update to a patched release.by Published on March 1, 2019 10:30 AM
On February 12, we have released 4.1.0 Alpha 2 for public testing. This release corrects about 125 known issues from Alpha 1 and previous versions, moving the 4.1.x series closer to a proposed Beta.
For a list of changes in this release, please see Changelog for 4.1.0 Alpha 2. If you are a style or language pack maintainer, please check here for changes which may affect you.
XenForo 2.1 Support
Alpha 2 is the first version to include basic compatibility and support for XenForo version 2.1.x, meaning that VaultWiki should now run on these versions without throwing showstopper error messages.
Importer
Alpha 2 reintroduces the ability to import content from outside wiki sources via the Admin Panel, including from source installations running XenForo 2+.
Release Notes
Sites running previous 4.1.x Alphas should upgrade to VaultWiki 4.1.0 Alpha 2 as soon as they are able in order to improve stability. VaultWiki 4.1.0 Alpha 2 is alpha software. We recommend that alpha software only be used in a test environment. During the alpha period, there may be frequent builds, as often as daily, with which testers should try to keep up-to-date.by Published on January 22, 2019 2:53 PM
VaultWiki 4.0.25 is now available to customers with an active license. This is a maintenance release, containing about 25 bug fixes and style tweaks.
For a list of changes in this release, please see Changelog for 4.0.25. If you are a style or language pack maintainer, please check here for changes which may affect you.
Release Notes
The current release is 4.0.25, which should be usable on vBulletin-based and XenForo-based production sites.by Published on January 22, 2019 2:50 PM
Today, January 22, 2019, the regularly scheduled security patches for January are available.
Issue List
VWE-2018-4972 is a Permissions Escalation issue, where users may be able to use smilies in wiki content even if they don't have permission to use smilies or even if the area does not permit smilies. The issue affects VaultWiki 4.0.21 - 4.0.24, on vBulletin 3.x only.
Patches
The following patches, issued January 22, 2019, address the aforementioned issue:
- 4.0.24 Patch Level 2
- 4.0.23 Patch Level 4
- 4.0.22 Patch Level 6
- 4.0.21 Patch Level 7
We recommend that all users running VaultWiki on vBulletin 3.x in a production environment update to a patched release.
This site uses cookies to help personalize content, to tailor your experience, and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.
By continuing to use this site, you are consenting to our use of cookies.