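Hello everyone,
We are pleased to announce the release of the phpBB3 RC6 package. This is the sixth (and very likely the last) release candidate, which means that if no serious bugs turn up, it becomes the gold version.
This release is almost entirely the result of an external security audit performed by SektionEins. All items marked [Sec] originate from that company's work, which identified a number of basic issues that we were able to fix. We are proud that the audit found no SQL injection vulnerabilities and no serious command execution vulnerabilities.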
For release candidates full support is given, allowing language packs as well as modifications and styles. We only give support to those having a clean RC installation or updates from previous release candidates. Previous conversions or updates from betas will not be supported here.
We encourage only those who want to test out the new version to run the release candidates; it is still recommended to wait for the full release. After all, this is a release candidate. Please also note that we urge you to update, as we only support the latest version. Bug reports submitted for previous releases will be closed, and only the latest version is supported here.
RC6 brings some improvements and fixes some security issues. Some important fixes are:
- [Fix] Further fixing user profile view (please do not forget to update/refresh your template and style) (Bug #14230)
- [Fix] Adjust google adsense bot information (Bug #14296)
- [Fix] Fix horizontal scrollbar problem in IE6 (Bug #14228) - fix provided by Danny-dev
- [Fix] Correctly set user style for guest user (able to be changed within user management)
- [Change] Moved note about dns_get_record function for using GTalk (Jabber) from Jabber log to Jabber ACP panel
- [Fix] Do not use register_shutdown_function within cron.php if handling the queue and the mail function being used (Bug #14321)
- [Fix] Fixing private message on-hold code if moving messages into folder based on rules (Bug #14309)
- [Fix] Allow the merge selection screen to work (Bug #14363)
- [Change] Require additional permissions for copying permission when editing forums
- [Fix] Local magic URLs no longer get an additional trailing slash (Bug #14362)
- [Fix] Do not let the cron script stall for one hour if register_shutdown_function is not able to be called (Bug #14436)
- [Feature] Added /includes/db/db_tools.php file, which includes tools for handling cross-db actions such as altering columns, etc.
- [Fix] Fixed token handling in jabber class for extremely spec-compliant XMPP server (Bug #14445)
- [Change] Listing the board url within the email text instead of appending it to the subject (Bug #14378)
- [Fix] Use correct dimension (width x height) in ACP (Bug #14452)
- [Feature] Added completely new hook system to allow better application/mod integration - see docs/hook_system.html
- [Fix] Fixing google cache display problems with Firefox (Bug #14472) - patch provided by Raimon
- [Change] Allow years in the future to be selected for date custom profile field (Bug #14519)
- [Feature] Added an option to enforce that users spend a configurable amount of time on the terms page during registration
- [Sec] Fixing possible XSS through compromised WHOIS server (#i63, #i64)
- [Sec] Missing access control on whois in viewonline.php (#i51)
- [Sec] Encoding some variables within user::page array correctly (to cope with browser not doing it correctly) to prevent XSS through functions re-using them (#i61)
- [Sec] Fixed XSS through memberlist search feature (#i62)
- [Sec] Fixed XSS through colour swatch (#i65)
- [Sec] Fixed insecure attachment deletion (#i53)
- [Sec] Only allow whitelisted protocols in meta_redirect/redirect (#i66)
- [Sec] Check file names to be written in language management panel (#i52)
- [Sec] Deregister globals if ini_get has been disabled (#i112)
- [Sec] Added form tokens to most forms to enforce a lighter variant of CSRF protection (#i91 - #i96)
- [Sec] Use new password hash method for forum passwords (#i43)
- [Sec] Changed download file location to prevent flash crossdomain policies taking effect (#i8)
- [Sec] Do not allow autocompletion for password on admin re-authentication (#i41)
- [Sec] Made sure users are not completely locked out if they have a GLOBALS cookie (#i101)
- [Sec] Use the secure hash to generate BBCODE_UIDs (#i71)
- [Sec] Increase the length of BBCODE_UIDs (#i72)
- [Sec] New password hashing mechanism for storing passwords (#i42)
Please refer to the changelog for a complete list of fixes since RC5:
http://www.phpbb.com/support/documents. ... &version=3
A short explanation of how to do a conversion, installation or update is included within the provided INSTALL.html file, please be sure to read it. If you want to be on the safe side we suggest still waiting for later releases before you fully convert your 2.0.x installation.
Important
Because the password storage mechanism has changed, you will not be able to log in to your board if you try to use the updated database with files prior to RC6.
Minimum Requirements
phpBB3 has a few requirements which must be met before you are able to install and use it.
- A webserver or web hosting account running on any major Operating System with support for PHP
- A SQL database system, one of:
  - MySQL 3.23 or above (MySQLi supported)
  - PostgreSQL 7.3+
  - SQLite 2.8.2+
  - Firebird 2.0+
  - MS SQL Server 2000 or above (directly or via ODBC)
  - Oracle
- PHP 4.3.3+ (>=4.3.3, >4.4.x, >5.x.x, >6.0-dev (compatible)) with support for the database you intend to use.
- getimagesize() function needs to be enabled
- The optional presence of the following modules within PHP will provide access to additional features, but they are not required.
  - zlib Compression support
  - Remote FTP support
  - XML support
  - Imagemagick support
  - GD Support
The presence of each of these optional modules will be checked during the installation process.
Security
Security issues found should be reported to our security tracker in the usual way.
Available packages
If you experience problems with the automatic update (white screens, timeouts, etc.) we recommend using the "changed files only" or "patch" method for updating.
With this release, there are four packages available.
- Full Package
  Contains entire phpBB3 source and English language files.
- Changed Files Only
  Contains only those files changed from previous versions of phpBB3. Please note this archive contains changed files for each previous release.
- Patch Files
  Contains patch compatible patches from previous versions of phpBB3.
- Automatic Update Package
  Update package for the automatic updater, containing the changes from previous release to this release.
Select whichever package is most suitable for you.
Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation, updates or conversions!
The automatic update package does not include the file includes/utf/data/recode_cjk.php. If you use a SJIS encoding or a variant you should replace this file manually with the version included within the full package.
Download/Documentation
Have fun with the release, the phpBB Team