XenForo & Add-ons 2.3.0 Release Candidate 2 Released (Unsupported) (Includes Security Fixes)

Security Fix

Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers running XenForo 2.3.0 should upgrade to XenForo 2.3.0 Release Candidate 1, including XenForo Media Gallery 2.3.0 Release Candidate 1 if needed.

If you also have active installs of XenForo 2.2 or XenForo 2.1 you should refer to the earlier thread with details and patch.

The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.

XenForo extends thanks to independent security researcher, Egidio Romano (EgiX), working with SSD Secure Disclosure.

We recommend doing a full upgrade to resolve the issue.

XenForo & Add-ons 2.3.0 Release Candidate 1 Released

It's finally here, the first of a series of release candidates for the XenForo 2.3.0 stable release. We still have a bit more work to do, and other changes and improvements are in the pipeline, but at this point the most serious bugs have been tackled and we don't expect many more releases before we can declare it ready for a stable release.

We strongly recommend that anyone testing 2.3 during this pre-release period upgrade as each pre-release version is released.

More specific details regarding bugs fixed in this release can be found in the resolved bugs forum.

This is pre-release software. It is not officially supported.
We do not recommend running it in production.


Please remember that this is pre-release software. It contains known bugs and incomplete functionality. We do not recommend running pre-release software in a production environment, and support is limited at this time to questions here on the community forums.

Add-ons and custom styles may be broken after upgrading to 2.3. You must test your add-ons thoroughly or look for updates. Be especially careful with add-ons that cover similar features to ones that are added to 2.3; these may conflict with the core XenForo data. If data conflicts are found, they will need to be resolved in a new add-on release or by removing the add-on before upgrading to 2.3.

If you choose to run pre-release software, it is your responsibility to ensure that you make a backup of your data. We recommend you do this before attempting an upgrade. If in doubt, always do a test upgrade on a copy of your production data.

All customers with active licenses may now download the new version from the customer area.

Download XenForo 2.3.0 Release Candidate 1

From the licensed customer area


Alongside the release of XenForo 2.3.0 Release Candidate 1, we are also releasing updated versions of each of our official add-ons:
  • XenForo Media Gallery 2.3.0 Release Candidate 1 (Includes Security Fix)
  • XenForo Resource Manager 2.3.0 Release Candidate 1
  • XenForo Enhanced Search 2.3.0 Release Candidate 1
Customers with active licenses for these add-ons may download the new versions from their customer area.

Download official add-ons

From the licensed customer area


Requirements

The following are minimum requirements:
  • PHP 7.2 or newer
  • MySQL 5.7 or newer
  • All of the add-ons listed here require XenForo 2.3.
  • Enhanced Search requires at least Elasticsearch 7.2
Note: Only the PHP version requirements have changed here. However, even if you're running PHP 7.2 we strongly recommend upgrading to PHP 8.3 at the earliest opportunity for improvements in speed, security and stability. We also recommend MySQL 8.0 (or equivalent).

Installation and upgrade instructions

Full details on how to install and upgrade XenForo can be found in the XenForo manual. One-click upgrades from XF 2.2 are possible, but you must uncheck the "Only check for stable upgrades" option in Options > Basic board information. Once the XF 2.3 upgrade has been completed, the official add-ons should be upgraded as well.

Please remember that this is pre-release software. It contains known bugs and incomplete functionality. We do not recommend or support running pre-release software in a production environment. Support for pre-releases is limited to questions here on the community forums.
 

XenForo 2.3.0 Release Candidate 2 Released

Shortly after the release of Release Candidate 1, we identified an issue related to editing node-like permissions. A very minor bug was surfaced by the changes today. Specifically, one of our view class names was using a \ instead of a :.

Due to a localised shortage of version numbers (we cannot increment the version to a patch release for release candidates) we have released Release Candidate 2 to address this.

The specific files with changes are:
  • src/XF/Admin/Controller/Node.php
  • src/XF/Admin/Controller/Permission.php
 