#84177
06/10/2002 4:05 AM
|
Joined: Mar 2001
Posts: 326
Member
I'm one of those who dislikes the idea of very minor updates; however, I can still understand their relevance, especially when there's an obvious security hole.
I've often been attacked for disliking minor updates, even by InfoPop (in a friendly way =]), yet I'm now somewhat confused as to where v6.3.0.1 has gone given that there's such a strong feeling toward having them?
Only the most familiar UBB users will be aware of the custom fix for that MASSIVE security breach in 6.3 with the search function. I've also seen new exploits on IRC now that allow people to directly access the topics thanks to being able to ID them through the search in the first place.
These days I can still surf onto most UBB v6.3 using sites and see all the private topic titles, somebody with one of the new exploits could thus hack in and view these. So why the fux hasn't the key v6.3.0.1 update come out?
This is a major security problem and not everybody mods their UBB and most won't be aware of it, so why are InfoPop being so idle as to allow this problem to continue? I'm currently going around as many v6.3 boards as I can find that aren't modded and helping them to temp-fix the search bug, but why should I be doing this?
No minor update takes a full month and so I assume v6.3.1 is now next on the list, although for those already hacked v6.3 forums it'll be too late.
|
|
|
#84178
06/10/2002 6:07 AM
|
Joined: May 2001
Posts: 6,708
Member
Most of my members don't even know about the bug so I can be patient.
|
|
|
#84179
06/10/2002 9:34 AM
|
Joined: Mar 2001
Posts: 326
Member
That's not the point though is it =).
|
|
|
#84180
06/10/2002 11:01 AM
|
Joined: Apr 2001
Posts: 218
Member
There's a MASSIVE security problem in V6.3?? I am using V6.3 and spent all weekend hacking it! If I have to redo the whole thing again I am going to be really upset.
|
|
|
#84181
06/10/2002 11:10 AM
|
Joined: Mar 2001
Posts: 7,394
Admin / Code Breaker
No, there is no massive bug, it just lets people see topic NAMES (not contents) from private forums and search for words in private forums.
|
|
|
#84182
06/10/2002 11:42 AM
|
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
It has been on hold due to another, much more important security issue and another bug with major impact dealing with COPPA registrations.
We will release it when we feel all three fixes are completed properly.
UBB.classic: Love it or hate it, it was mine.
|
|
|
#84183
06/10/2002 9:21 PM
|
Joined: Oct 2000
Posts: 2,223
Veteran
"We will release it when we feel all three fixes are completed properly." Or we can do three small releases and Mark99 can express his dislike and then after that I can attack him in a friendly way. =] Did I ever attack you in a friendly way? I mean... excepting this post of course? 
Picture perfect penmanship here.
|
|
|
#84184
06/11/2002 1:30 AM
|
Joined: May 2001
Posts: 6,708
Member
Take all the time in the world on it! Don't let these people rush you in any way. The Private forum bug isn't that big of a deal, just don't put important titles on threads in Private forums. 
|
|
|
#84185
06/11/2002 5:03 AM
|
Joined: Mar 2001
Posts: 326
Member
I can't believe so many of you don't see how serious such a breach is. UBBDev visitors may be ok, we all have a more intimate knowledge of the software and use it in safer ways, yet not everybody does.
Somewhere out there are hundreds, if not thousands, running v6.3 forums that could seriously suffer from this security hole. It's no good saying not to put certain topic titles, I already know - we all do - HERE, but nobody has issued an official update to the thousands that don't visit UBBDev or InfoPop's forum.
The worst thing is that it's obvious and you'd never know if it had occurred. What if a security service using your forum is compromised because of it? Sorry if I sound pushy on this because I prefer major updates to minor ones, love my UBB and have already fixed the problem, but I'm not speaking for me, that's the whole point.
There needs to be an official update about this, that’s all I want to see, acknowledgement to the mass-public via customer E-Mail so they can at least take steps to avoid problems. PLEASE!
|
|
|
#84186
06/11/2002 6:32 AM
|
Joined: May 2001
Posts: 6,708
Member
I know it may be important, and if you're that desperate I think LK had made a fix for Dev before it went to 6.3.0.1 so maybe he's willing to share it?
|
|
|
#84187
06/18/2002 12:02 AM
|
Joined: Mar 2000
Posts: 21,079 Likes: 3
I type Like navaho
|
|
|
#84188
06/18/2002 12:26 AM
|
Joined: Apr 2001
Posts: 299
Member / MultiHacker
I was just going to post that it was out. heh
|
|
|
#84189
06/18/2002 1:48 AM
|
Joined: May 2001
Posts: 6,708
Member
F5 Does something. Woo. 
|
|
|
#84190
06/18/2002 1:20 PM
|
Joined: Dec 2001
Posts: 699
Member
Two weeks too late... 
|
|
|
#84191
06/18/2002 2:44 PM
|
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Great upgrade, it hits a lot of files but Beyond Compare hooked me up again.
|
|
|
#84192
06/18/2002 7:15 PM
|
Joined: May 2001
Posts: 794
Content Queen
Does anyone know off the top of his/her head how many files are altered?! 
Sue adwoff.com
|
|
|
#84193
06/18/2002 7:44 PM
|
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Looks like 25 in the cgi-bin and quite a few noncgi.
|
|
|
#84194
06/19/2002 8:25 AM
|
Joined: Mar 2001
Posts: 7,394
Admin / Code Breaker
Sue, what I do is to check the $Id at the end of every file - if it's the same, it's not updated.
|
|
|
#84195
06/19/2002 12:36 PM
|
Joined: May 2001
Posts: 794
Content Queen
quote: Originally posted by LK: Sue, what I do is to check the $Id at the end of every file - if it's the same, it's not updated.
Thanks, XPert & LK. I'll look into this weekend ... or next! 
Sue adwoff.com
|
|
|
#84196
06/19/2002 12:37 PM
|
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
For minor releases, it is NEVER safe to go by the CVS ID alone, as I will often not check in the changes made to avoid unwanted branches - always go by the timestamp.
UBB.classic: Love it or hate it, it was mine.
|
|
|
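The two posts above weigh the $Id keyword against file timestamps as the marker of an updated file. As an added example (not code from UBB, InfoPop or any poster in this thread), this Python sketch takes a third route and compares an old and a new release tree by file content, flagging files whose contents changed while the $Id stayed the same; the file names and $Id strings are constructed.

```python
import re
import tempfile
from pathlib import Path

ID_RE = re.compile(rb"\$Id:[^$]*\$")  # CVS keyword, e.g. "$Id: file,v 1.2 ... $"
def last_id(data):
    """Return the last $Id$ keyword found in the file bytes, or None."""
    found = ID_RE.findall(data)
    return found[-1] if found else None

def compare_trees(old_root, new_root):
    """Classify every file under new_root against old_root by content."""
    report = {"unchanged": [], "changed": [], "changed_same_id": [], "added": []}
    for new in sorted(p for p in Path(new_root).rglob("*") if p.is_file()):
        rel = new.relative_to(new_root).as_posix()
        old = Path(old_root, rel)
        if not old.is_file():
            report["added"].append(rel)
            continue
        a, b = old.read_bytes(), new.read_bytes()
        if a == b:
            report["unchanged"].append(rel)
        elif last_id(a) == last_id(b):
            report["changed_same_id"].append(rel)  # an $Id-only check misses this
        else:
            report["changed"].append(rel)
    return report

def write_tree(root, files):
    for rel, data in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(data)

def demo():
    """Compare two constructed trees (file names and $Id strings are made up)."""
    old = {"cgi-bin/example_a.cgi": b"print 1;\n# $Id: example_a.cgi,v 1.1 $\n",
           "cgi-bin/example_b.cgi": b"print 2;\n# $Id: example_b.cgi,v 1.4 $\n",
           "cgi-bin/example_c.cgi": b"print 3;\n# $Id: example_c.cgi,v 1.2 $\n"}
    new = dict(old)
    new["cgi-bin/example_b.cgi"] = b"print 20;\n# $Id: example_b.cgi,v 1.5 $\n"
    new["cgi-bin/example_c.cgi"] = b"print 30;\n# $Id: example_c.cgi,v 1.2 $\n"
    new["noncgi/example_d.js"] = b"// new file\n"
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp, "old"), old)
        write_tree(Path(tmp, "new"), new)
        return compare_trees(Path(tmp, "old"), Path(tmp, "new"))

if __name__ == "__main__":
    print(demo())
```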
#84197
06/20/2002 1:45 AM
|
Joined: May 2001
Posts: 6,708
Member
quote: Originally posted by XPerT: Looks like 25 in the cgi-bin and quite a few noncgi.
A lot more than I expected for a bug upgrade.
|
|
|