Security fixes

monkeyface

New member
I'm very tempted to switch to XenForo, but I cannot find any information about its policy and procedures when it comes to security vulnerabilities.

Do you release patches for some of the previous releases with backported fixes, or is the only option to update to the latest version if a security vulnerability is discovered and fixed?
Also, do you notify customers about security updates a certain amount of time in advance before making a publicly-available announcement?
(I don't know if any of this has even been relevant yet)
 
Fixes are implemented in older versions and made available to all customers, regardless of license/support status.
(Note, however, that XF1 will be officially EOL in June 2019, with fixes available until December 2019.)

In general, there is no advance notice of any fixes - the announcement is made as part of the release.
 
I believe it's active support of XF1 that ceases in June.

Security fixes for XF1 will be available until this time next year though, if I'm reading this correctly.


If you're migrating to the most recent version, XF2, you don't need to worry about that though.
 
I would prefer to migrate to the newer version if possible, as the code is better and there are new features. The only reason I can think of that someone would want to stay with XF1 is that he has added tons of edits and lots of add-ons. I recommend writing down every edit you make to the code, so later it will be easier to implement it in the new XF version.
 
Just to clarify/expand... we generally do make security patches available publicly via the relevant announcement. These are generally just the patched version of the changed file, which is built against the latest version of that branch (as in, there may be different files for 2.0 and 2.1). They do generally work for older versions of that branch, though that isn't something we can guarantee. Our recommendation is to always upgrade (which would require an "active" license).

Notwithstanding the extended 1.5 life cycle, generally we provide security fixes for x.N-1 releases. As in, if 2.1.x is our current latest release, then we would release a fix for 2.0. Once 2.2.x becomes stable, then security fixes for 2.0 would stop and you'd have to upgrade.

As mentioned, we haven't done advance warning or anything like that. Usually, though, we have releases out within a few days at most (if not within 24 hours) of an issue being discovered/reported.
 