-
VaultWiki News
by Published on September 7, 2018 12:14 PM
VaultWiki 4.0.24 is available today to customers with an active license. This is primarily a maintenance release, containing about 50 bug fixes and style tweaks.
For a list of changes in this release please see Changelog for 4.0.24. If you are a style or language pack maintainer, please check here for changes which may affect you.
Release Notes
The current release is 4.0.24, which should be usable on vBulletin-based and XenForo-based production sites.by Published on August 27, 2018 2:24 PM
As of August 27, 2018, the regularly scheduled security patches for August are now available.
Issue List
VWE-2018-4625 is a Denial of Service Amplification issue, by which a distributed attack that posts comments to a single wiki discussion may be able to achieve denial of service, due to a flaw in the quick reply handler. Under vBulletin, the issue affects all prior versions of VaultWiki 4.x series. Under XenForo 1.x, the issue affects VaultWiki 4.0.0 Beta 7 and higher.
VWE-2018-4626 is a Data Loss issue, where some database keys may not be successfully created. The issue affects the July 2018 patches.
VWE-2018-4627 is a Data Loss issue, where the patches for VWE-2017-4033 do not successfully prevent accidental deletion of the wiki index or wiki areas and all contents, if not careful when using the Mass Delete function. The issue affects VaultWiki 4.0.18 and higher, but it does not affect Lite versions.
VWE-2018-4630 is a Permissions Escalation issue, where if a user has permission to view a wiki node, that user can view an RSS feed which contains a list of its contents, even though the user does not have permission to view a list of the node's contents. The issue affects VaultWiki 4.0.0 Alpha 6 and higher.
VWE-2018-4631 is a Data Loss issue, where when editing an existing integration, the already-injected content may not be selected. If the integration is saved without re-selecting the content, the existing integration would be removed. The issue affects VaultWiki 4.0.23 and higher, but it does not affect Lite versions.
VWE-2018-4632 is a Permissions Escalation issue, where a fatal error after re-parenting an area may prevent area permissions from being inherited correctly. The issue affects VaultWiki 4.0.21 and higher, but it does not affect Lite versions.
Patches
The following patches, issued August 27, 2018, address the aforementioned issues:
- 4.0.23 Patch Level 2
- 4.0.22 Patch Level 4
- 4.0.21 Patch Level 5
- 4.0.20 Patch Level 8
- 4.0.19 Patch Level 11*
*A patch was issued for 4.0.19 even though it reached its end of life earlier this August, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend that users upgrade to a more recent patched version.
We highly recommend that all users running VaultWiki in a production environment update to a patched release.by Published on July 18, 2018 3:10 PM
As of July 18, 2018, the regularly scheduled security patches for July are now available.
Issue List
VWE-2018-4610 is a Permissions Escalation issue, by which a user may be able to view link statistics for a page even though that user has no permission to view the same page. The issue affects all prior versions of VaultWiki 2.x, 3.x, and 4.x, but it does not affect Lite versions.
VWE-2018-4614 is a Permissions Escalation issue, which could lead to Denial of Service. In some situations, disk space usage limits are not enforced. The issue affects VaultWiki 4.0.22 and higher, but it does not affect Lite versions.
VWE-2018-4618 is a Permissions Escalation issue, by which a user can view templated content even though that user has no permission to view the template. The issue affects all prior versions of VaultWiki 2.x, 3.x, and 4.x, but it does not affect Lite versions. Note that after applying this patch, in order to view templated content, a user must have permission to view the contents of the area that contains the template.
VWE-2018-4620 is a Legal issue, where under some versions of PHP, a user may be able to successfully upload a JPG image containing XMP metadata that is not preserved, as required by some laws, in resized versions of the image. The issue affects patches for VWE-2017-4030, and VaultWiki versions 4.0.20 and higher, but it does not affect Lite versions.
Patches
The following patches, issued July 18, 2018, address the aforementioned issues:
- 4.0.23 Patch Level 1
- 4.0.22 Patch Level 3
- 4.0.21 Patch Level 4
- 4.0.20 Patch Level 7
- 4.0.19 Patch Level 10
We highly recommend that all users running VaultWiki in a production environment update to a patched release.by Published on June 25, 2018 12:54 PM
As of June 13, 2018, VaultWiki 4.0.23 was released and is available to customers with an active license. This is primarily a maintenance release, containing about 20 bug fixes and style tweaks.
For a list of changes in this release, please see Changelog for 4.0.23. If you are a style or language pack maintainer, please check here for changes which may affect you.
Release Notes
The current release is VaultWiki 4.0.23, which should be usable on vBulletin-based and XenForo-based production sites.by Published on June 13, 2018 2:11 PM
As of June 13, 2018, the regularly scheduled security patches for June are now available.
Issue List
VWE-2018-4573 is a Denial of Service issue, involving a design flaw in the wiki session handler. It affects VaultWiki 4.0.13 and higher.
VWE-2018-4574 is a Permissions Escalation issue, in which a moderator may be able to move wiki content into a wiki area where that moderator has no permission. It affects all versions of the VaultWiki 4.x series.
Patches
The following patches, issued June 13, 2018, address the aforementioned issues:
- 4.0.22 Patch Level 2
- 4.0.21 Patch Level 3
- 4.0.20 Patch Level 6
- 4.0.19 Patch Level 9
- 4.0.18 Patch Level 10*
*A patch was issued for 4.0.18 even though it reached its end of life this May, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend that users upgrade to a more recent patched version.
We highly recommend that all users running VaultWiki in a production environment update to a patched release.by Published on May 17, 2018 8:16 PM
As of May 16, 2018, the regularly scheduled security patches for March are now available.
Issue List
VWE-2018-4535 is a Permissions Escalation issue, in which users may be able to use prefixes that are not allowed by the current wiki area, if the area allows a different prefix with an overlapping name. The issue affects all previous versions of the VaultWiki 4.x series, but does not affect Lite versions.
VWE-2018-4536 is a Denial of Service issue, in which an attack may queue enough counter increments that attempting to resolve the increment queue can fail. The issue affects all previous versions of the VaultWiki 4.x series.
Patches
The following patches, issued May 16, 2018, address the aforementioned issues:
- 4.0.22 Patch Level 1
- 4.0.21 Patch Level 2
- 4.0.20 Patch Level 5
- 4.0.19 Patch Level 8
- 4.0.18 Patch Level 9
We recommend that all users running VaultWiki in a production environment update to a patched release.by Published on April 17, 2018 11:04 AM
As of this past weekend, VaultWiki 4.0.22 is now available. This is primarily a maintenance release, containing over 20 bug fixes and other minor improvements.
For a list of changes in this release, please see the Changelog for 4.0.22. If you are a style or language pack maintainer, please check here for changes which may affect you.
Release Notes
The current release is VaultWiki 4.0.22, which should be usable on vBulletin-based and XenForo-based production sites.
This site uses cookies to help personalize content, to tailor your experience, and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.
By continuing to use this site, you are consenting to our use of cookies.