ElkArte Community

Project Support => Announcements => Topic started by: emanuele on July 31, 2016, 10:24:57 am

Title: ElkArte 1.0.8 - Release announcement
Post by: emanuele on July 31, 2016, 10:24:57 am
Update: after the release a couple of issues have been discovered:
1) the "Who is online" page will not display correctly the IP addresses,
2) if using high level of caching, the menu may disappear.
The first is a mostly cosmetic bug, the second can be worked around by reducing temporarily the caching level. It's indeed sub-optimal, but better than a security hole I guess.
Both are going to be addressed soon, an "unofficial" patch that fixes both is available as attachment to the following message:
http://www.elkarte.net/community/index.php?topic=3907.msg27726#msg27726
If you really need both fixed you can download the patch and install it, though it will be released "officially" in the next 24 hours with more fixes if needed.

Sorry for the trouble.



Today, we are pleased to release ElkArte 1.0.8. This release fixes a security issue related to the unserialize php function (related to CVE-2016-5726 and CVE-2016-5727). The release fixes also some bugs that were found or reported since the release of 1.0.7. As this is a security release, it is extremely important to update for everyone running ElkArte.
If you are running a version prior to 1.0.7, the recommended procedure is install any update since 1.0.7 and then the 1.0.8 patch.

Apart from fixing the security issue, some notable updates in 1.0.8 include:
stopped using INET_ATON and INET_NTOA to improve IPv6 handling,
fixed YouTube embedding URLs to avoid problems in certain conditions,
* fixed editing of polls with expiration date,

This release follows our semantic version (MAJOR.MINOR.PATCH), meaning that third-point (x.x.X) releases should contain backwards-compatible bug fixes and enhancements, so for the most part you will not find new features in this release. Major new features will be reserved for second point versions (x.X.x).

Refer to the release notes (http://www.elkarte.net/community/index.php?topic=3906.0) on the forum for a complete list of updates.


Patching procedure:

For any question you may have, feel free to ask on the support forum (http://www.ElkArte.net/community/index.php).

Of course you are encouraged to update to this release since it contains a lot of fixes and improvements, thank you for your continued support!
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: meetdilip on July 31, 2016, 11:28:58 am
Thanks for the release :thumbsup:
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: forumsearch0r2 on July 31, 2016, 01:03:41 pm
How's the OpenID bug coming? :D
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: ahrasis on July 31, 2016, 01:49:23 pm
Finished updating to 1.0.8. Thank you very much for this release.

I can also confirmed what @scripple just said above.
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: Jason on July 31, 2016, 01:55:42 pm
So should i update now or wait till the issue is fixed?
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: meetdilip on July 31, 2016, 01:59:28 pm
Quote from: Jason – So should i update now or wait till the issue is fixed?

Wait a bit @Jason
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: emanuele on July 31, 2016, 02:38:30 pm
Quote from: Jason – So should i update now or wait till the issue is fixed?
If you value more an IP address than your forum security, wait.
If you can live with a couple of issues until they are fixed, install it.

I'm going to split the bug reports in their own topics, otherwise it becomes a mess. ;)

http://www.elkarte.net/community/index.php?topic=3907.0
http://www.elkarte.net/community/index.php?topic=3908.0
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: emanuele on July 31, 2016, 04:35:07 pm
Posted an update to the first message, and posting it here as well for redundancy:
QuoteUpdate: after the release a couple of issues have been discovered:
1) the "Who is online" page will not display correctly the IP addresses,
2) if using high level of caching, the menu may disappear.
The first is a mostly cosmetic bug, the second can be worked around by reducing temporarily the caching level. It's indeed sub-optimal, but better than a security hole I guess.
Both are going to be addressed soon, an "unofficial" patch that fixes both is available as attachment to the following message:
http://www.elkarte.net/community/index.php?topic=3907.msg27726#msg27726
If you really need both fixed you can download the patch and install it, though it will be released "officially" in the next 24 hours with more fixes if needed.

Sorry for the trouble.
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: b4pjoe on August 02, 2016, 01:16:59 pm
Quote from: emanuele – Posted an update to the first message, and posting it here as well for redundancy:
QuoteUpdate: after the release a couple of issues have been discovered:
1) the "Who is online" page will not display correctly the IP addresses,
2) if using high level of caching, the menu may disappear.
The first is a mostly cosmetic bug, the second can be worked around by reducing temporarily the caching level. It's indeed sub-optimal, but better than a security hole I guess.
Both are going to be addressed soon, an "unofficial" patch that fixes both is available as attachment to the following message:
http://www.elkarte.net/community/index.php?topic=3907.msg27726#msg27726
If you really need both fixed you can download the patch and install it, though it will be released "officially" in the next 24 hours with more fixes if needed.

Sorry for the trouble.

So has the 'official' fix been released yet?
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: emanuele on August 02, 2016, 03:24:34 pm
Considering the original patch was postponed by at least a couple of days I would be surprised if I were able to push it out in 24 hours... :P
That aside, I'm waiting to see if it's possible to fix another issue with the sessions in php 7 while we are at it.
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: ahrasis on August 02, 2016, 07:22:00 pm
Quote from: emanuele – That aside, I'm waiting to see if it's possible to fix another issue with the sessions in php 7 while we are at it.
I am about to ask about this. My EA1.1b1 shows whitepage  on php7. EA1.0.8 works fine on php7 (at least I can see no errors so far).
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: emanuele on August 03, 2016, 02:14:17 am
Bug reports? :P
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: txcas on August 03, 2016, 11:03:08 am
When trying to install the patch I get:


42.Execute Modification./sources/subs/ScheduledTask.class.phpTest failed


(http://65creedmoor.com/themes/default/images/admin/package_ops.png) (http://65creedmoor.com/index.php?action=admin;area=packages;sa=showoperations;operation_key=221;package=ElkArte_v1-0-8_patch.zip;filename=modifications.xml)1.Replace./sources/subs/ScheduledTask.class.phpTest successful
(http://65creedmoor.com/themes/default/images/admin/package_ops.png) (http://65creedmoor.com/index.php?action=admin;area=packages;sa=showoperations;operation_key=222;package=ElkArte_v1-0-8_patch.zip;filename=modifications.xml)2.Replace./sources/subs/ScheduledTask.class.phpTest failed
(http://65creedmoor.com/themes/default/images/admin/package_ops.png) (http://65creedmoor.com/index.php?action=admin;area=packages;sa=showoperations;operation_key=223;package=ElkArte_v1-0-8_patch.zip;filename=modifications.xml)3.Replace./sources/subs/ScheduledTask.class.phpTest successful
(http://65creedmoor.com/themes/default/images/admin/package_ops.png) (http://65creedmoor.com/index.php?action=admin;area=packages;sa=showoperations;operation_key=224;package=ElkArte_v1-0-8_patch.zip;filename=modifications.xml)4.Replace./sources/subs/ScheduledTask.class.phpTest successfu
and...




FaceIt-FaceIt100
Execute Modification./themes/FaceIt-FaceIt100/scripts/elk_jquery_embed.jsTest failed
(http://65creedmoor.com/themes/default/images/admin/package_ops.png) (http://65creedmoor.com/index.php?action=admin;area=packages;sa=showoperations;operation_key=275;package=ElkArte_v1-0-8_patch.zip;filename=modifications.xml)1.Replace./themes/FaceIt-FaceIt100/scripts/elk_jquery_embed.jsTest failed
(http://65creedmoor.com/themes/default/images/admin/package_ops.png) (http://65creedmoor.com/index.php?action=admin;area=packages;sa=showoperations;operation_key=276;package=ElkArte_v1-0-8_patch.zip;filename=modifications.xml)2.Replace./themes/FaceIt-FaceIt100/scripts/elk_jquery_embed.jsTest successful
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: emanuele on August 03, 2016, 11:18:30 am
The one in the theme could be the theme itself is using an older version of the file that changed in the meantime and now is out-of-sync. I should check it.

The one about ScheduledTask.class... could you attach it here?
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: txcas on August 03, 2016, 12:31:36 pm
Attached is the file.  I think it was modified a while back to fix a bug on the subscriptions task.
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: forumsearch0r2 on August 04, 2016, 02:19:35 pm

Cough...
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: emanuele on August 04, 2016, 04:56:02 pm
I'm having a couple of problems with the patch, I'm really sorry, I hope to have it ready tomorrow afternoon, otherwise it will go to Sunday.

I did a bit of a mess this time, I'm really sorry. :(
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: emanuele on August 04, 2016, 05:18:23 pm
Quote from: txcas – Attached is the file.  I think it was modified a while back to fix a bug on the subscriptions task.
In your case, the error in ScheduledTask.class.php can be safely ignored.
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: Jorin on August 05, 2016, 02:04:46 am
Quote from: emanuele – I did a bit of a mess this time, I'm really sorry. :(

I can't describe how thankful I am for the patience and effort you are bringing into this project. Sometimes I think: "Wait, Jorin, you can't ask another dumb question anymore! The guys have other things to do!" - but then I am doing it nevertheless. And nobody's complaining!

So: no problem! It's time for me (us) to be patient now.  ;)
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: scripple on August 05, 2016, 07:21:03 pm
I agree with Jorin.  You guys are doing great stuff here and are very responsive to questions and requests.  I appreciate all of your efforts.  A mistake was made but that happens.  It gets fixed and life goes on.

In case it helps you feel better, apology accepted.  :)
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: Dadda on August 18, 2016, 02:24:59 pm
I've done the upgrade to the 1.0.8.
I tried to follow the procedure, but couldn't do the last part, the database upgrade, as the url returned a 404 page.
I basically uploaded the entire 1.0.8 directory, overwriting the 1.0.7, exception made for the docs folder.

in the backend still says elkarte 1.0.8, and everything seems to work, but I'm not sure the update went through completely.

any advice would be much appreciated.

(p.s. yes i do have a backup)
Title: Re: ElkArte 1.0.8 - Release announcement
Post by: emanuele on August 18, 2016, 05:10:11 pm
Unless of specific cases, I would suggest to always use the package manager as described in the first message rather than replace the files.
Anyway, there were no database updates in 1.0.8, so... nothing to do on that side of things.
In case of database changes, since there is no upgrade package, you should use the php file provided in the patch package.