Flarum 0.1.0-beta.7.1 Released

Toby

This release fixes a security vulnerability in Flarum 0.1.0-beta.7. When exploited, the vulnerability allows an attacker to bypass the email verification step during registration. The vulnerability only affects forums which have OAuth extensions enabled (Facebook Auth, GitHub Auth, Twitter Auth, or any third-party auth extensions).

Please note that this release only contains the security fix. This is the first release we've had to push out specifically to address a security issue (we knew this day would come eventually!). All changes scheduled (and already finished) for beta 8 are due to be released separately in the next few weeks.

Upgrading

We recommend upgrading your Flarum installation immediately. To do so, run the following command at the root of your Flarum installation:

composer update

If you are running PHP with an OPCache, you will need to restart the PHP process to clear the cache. No further steps are required.

A Note About Security

Thanks to @clarkwinkelmann for disclosing this security issue to us responsibly. A reminder that if you ever become aware of a security issue in Flarum, please report it to us privately by emailing security@flarum.org, and we will address it promptly.

just-do-it

Toby beta 8 are due to be released separately in the next few weeks.

Can't believe it! Amazing news. ?

And thank you everyone for releasing this security patch.

just-do-it

Toby All changes scheduled (and already finished) for beta 8 are due to be released separately in the next few weeks.

I know when it comes to programming, it's almost impossible to not cross the deadlines since issues/bugs pop up all the time. So I won't bother asking "when is the beta 8 due?" but instead I'd like to ask for a reference point for us to know it ourselves.

Is the 53% accurate? Is it where we should be looking, or you don't always upload the code right away but instead maybe you develop more and then upload chunks of code worth (10% -20%)? https://github.com/flarum/core/milestone/6

Thank you.

bond

Toby All changes scheduled (and already finished) for beta 8 are due to be released separately in the next few weeks.

It be nice if someone in charge could explain what this quote means as there’s 52 weeks in a year ?

I do understand timing isn’t always accurate but having a deadline and working around it is how business succeed in life.

Am not in a position to tell anyone how to run there business, but if you look at the Flarum community, you could see it’s pretty inactive .

Sanguine

Thanks for the patch! All 200 FreeFlarum forums have been updated.

Whoami

Sanguine i don't see it on the panel

Asuf_o

Sanguine only 200, wow.

SmoulBuchholz

Thanks for this update, i have upgrades my forum even if i not use OAuth extensions
Else, into admin panel. It's already beta7 but it's nothing ?

Zeokat

I can skip this update since i don't use oauth extensions. But will be nice see the new beta 8 ?

emw

Zeokat for sure!

joaonl

@Toby, quick question. Once you release beta8, how will the extensions be updated? Will they be disabled if not compatible or do the devs need to have their extensions ready before release beta8?

Zeokat

joaonl The bundled extensions with flarum will be updated. The third party extensions... blame developers to not update them ?

pazitron

Good stuff!

MathieuM

Hello,
The admin panel shows version 0.1.0-beta.7, not 0.1.0-beta.7.1 ?
Good to see the team is here when urgently needed!

Franz

MathieuM The admin panel shows version 0.1.0-beta.7, not 0.1.0-beta.7.1 ?

Yep, we missed that, unfortunately. ?
Let's all assume patch numbers are not supposed to be included in the admin panel, just minor versions. This is, uh, how it was always intended. ?

(Let's just say release announcements don't get better when the only change is a fix to the version number string - if we were to release beta.7.1...)

Franz

Whoami See my post here: Franz

datitisev

Oh, come on! We've been waiting for a 0.1.0-beta.7.1.1.1.5.9 for months! Some people are actually still running 0.1.0-beta.7.1, their forum is going to break! ?

Johann

Thanks to @clarkwinkelmann for the responsible disclosure and to the developers for fixing this!
I have a related question... Is there any e-mail list or anything to suscribe to releases, security patches, etc.?

datitisev

Johann Uuuh, if you want to watch the repository and get emails whenever someone makes issue, pr, comments, blah blah blah... you can do that xD

Prosperous

Johann You cannot subscribe to tags yet but you can subscribe to single discussions.

If you want to do that, click the 'Follow' button with the star icon just under the orange 'Reply' button. Then go to your settings and make sure you have ticked when 'Someone posts in a discussion I'm following' under the email column. You will now receive email notifications.

Soon you will also be able to follow us on Facebook where news and updates will be posted as well. ? That may be an alternative in the interim perhaps?

Sanguine

Johann Flarum does not have one yet, but as it matures, it soon will.

Meanwhile, I'd recommend to subscribe to github releases, for example here: https://coderelease.io

Johann

datitisev I was thinking in a channel with less noise, which is essential for security updates to reach fast and not be missed by sysadmins. E-mail list is probably the best option, people can subscribe or unsubscribe at will, e-mails could even be autogenerated and there are many free options.

luceos

Johann I've voiced the same the day Clark reported the issue. We'll most likely have such a solution before or soon after releasing the stable version.

Johann

Prosperous I know how subscriptions works but I fail to see the relation between a) following a topic (which by the way does not even exist yet) or Facebook page and b) receiving release announcements (some of which may be high priority security fixes) with the less possible noise (i.e.: post from other users saying "Yeehaw!", marketing posts on a Facebook page, etc.). Thanks for your advise, anyway.

Sanguine That's a good one! Done!

Franz

Johann Just so you know, Jordan is away for a few days for personal reasons. He might have been busy for a bit, please forgive him.

I am glad Sanguine pointed out a good solution.

And yes, we will provide an "official" way to stay on top of important (and important only) news once we have time for that. ?

jordanjay29

Johann you can follow a topic by clicking the Follow button on the right side (top if on mobile). It has a star on it.

Prosperous

Johann I completely understand where you're coming from. I merely provided options that are currently available as what you are after is not possible at the moment that's all.

Facebook and Twitter are your next best things as they're live updates; whenever Flarum is updated then an announcement is posted on those mediums too. ?

Johann

jordanjay29 I don’t want to sound rude but have you actually read any of my posts? I fail to see any relation on your reply. Again, I’m not trying to be rude.