Posted almost 5 years ago by Marc
Greetings everyone,
We are pleased to announce the release of phpBB 3.3.1 "Bertie’s Twenty". This version is a maintenance and security release of the 3.3.x branch which fixes one security issue, introduces further hardening, and resolves various issues reported in previous versions.
Previous versions of phpBB did allow limiting the dimensions of images posted. This could however also be used to e.g. check for the existence of services that should only be accessible from the internal network. We would like to thank FVD for reporting this issue to us via HackerOne. The issue has been assigned CVE-2020-8226.
The fixed issues include, among others, issues with using Emojis in multiple text fields, the inability to delete or mark PMs read in the UCP folder view, issues with resetting a password, and a slow search on PostgreSQL. The amount of emails sent for notifications related to topics has been improved and new and improved enable and disable mechanisms for newer profile field types have been integrated. We would like to dedicate this last addition to javiexin.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release below and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=15291
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: 3D-I, kasimi, rxu, Dark❶, KYPREO, Alfredo Ramos, JoshyPHP, javiexin, Jakub Senko, ansavin, Bob Weinand, Kidounet, MichaIng, hubaishan, ioannisbat, phpBB España
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Release Highlights
Improvements
Enable/disable mechanism for new profilefield types - Added new enable & disable mechanism for profile field types PHPBB3-13867
Only one email notification per topic - Reduced emails sent as notifications when not having visited topic PHPBB3-14754
Notable Bug Fixes
Slow search on PostgreSQL - Full text search on PostgreSQL was very slow due to accidentally disabled index PHPBB3-15395
Emoji issues - Issues with using emojis in multiple text fields PHPBB3-16399 PHPBB3-15712 PHPBB3-16480 PHPBB3-16485
Delete marked PMs in UCP - Improper form token check resulted in users being unable to delete marked PMs PHPBB3-16296
File lock issues - Failure while acquiring locks on some storage backends resulted in errors while installing phpBB PHPBB3-16325
Reset password error - Resetting a password resulted in a PHP fatal error being thrown PHPBB3-16308
|
Posted almost 5 years ago by Marc
Greetings everyone,
We are pleased to announce the release of phpBB 3.2.10 "Bertie’s look back at Rhea". This version is a maintenance and security release of the 3.2.x branch which fixes one security issue, introduces further hardening, and resolves various issues reported in previous versions.
Previous versions of phpBB did allow limiting the dimensions of images posted. This could however also be used to e.g. check for the existence of services that should only be accessible from the internal network. We would like to thank FVD for reporting this issue to us via HackerOne. The issue has been assigned CVE-2020-8226.
The fixed issues include, among others, issues with using Emojis in multiple text fields, the inability to delete or mark PMs read in the UCP folder view, and a slow search on PostgreSQL. In addition to that, new and improved enable and disable mechanisms for newer profile field types have also been integrated. We would like to dedicate this addition to javiexin.
We have decided to extend the timeframe board admins have to upgrade to phpBB 3.3. This means that today is the End of Maintenance date for the 3.2 branch and we will provide an additional 3 months of security updates for phpBB 3.2, setting the End of Life date to November 7th, 2020.
We recommend everyone to upgrade to phpBB 3.3 as soon as possible. To assist this, phpBB 3.2 will now inform users about the PHP requirements in phpBB 3.3.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.10 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=15202
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: 3D-I, kasimi, Dark❶, rxu, KYPREO, javiexin, ansavin, Alfredo Ramos, Kidounet, MichaIng, ioannisbat, phpBB España
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Release Highlights
Improvements
Enable/disable mechanism for new profilefield types - Added new enable & disable mechanism for profile field types PHPBB3-13867
Inform about future PHP requirements - Inform users of phpBB 3.2 about PHP requirements in phpBB 3.3 PHPBB3-16328
Notable Bug Fixes
Slow search on PostgreSQL - Full text search on PostgreSQL was very slow due to accidentally disabled index PHPBB3-15395
Mark PMs in UCP - Unable to delete or mark PMs in UCP folder view PHPBB3-16296
Emoji issues - Issues with using emojis in multiple text fields PHPBB3-16399 PHPBB3-15712 PHPBB3-16480 PHPBB3-16485
|
Posted over 5 years ago by Paul
Hello,
Tomorrow, Tuesday February 18th from 18:00 PM (UTC) until 21:00 PM (UTC) we will be performing some maintenance on the infrastructure that powers www.phpbb.com. During this timeframe our main website might be down for brief periods of time.
This downtime will not affect any other installation of the phpBB software other than www.phpbb.com.
Many thanks,
The phpBB Team
|
Posted over 5 years ago by Marc
Today is a big day for the entire phpBB community and we hope that you're as excited as we are! With the help of over one hundred volunteers, we have improved and extended phpBB to provide the new and improved phpBB 3.3 Proteus.
The new phpBB 3.3 Proteus builds upon 3.2 Rhea and is a big step towards a more modern base while maintaining a clear update path. It is now shipped with Symfony 3.4, Twig 2, and jQuery 3.4. The improvements include, among others, support for Invisible reCAPTCHA, Argon2i and Argon2id password hashing, improved reset password functionality, and minor changes to the UI.
The minimum supported PHP version has been increased to PHP 7.1.3 while support for PHP 7.3 and PHP 7.4 has been added. Fixed security issues in 3.2.9 are part of this release as well.
Check out further highlights of the new version on our Proteus Launch Page or a more detailed breakdown on our Features Page. As always, phpBB 3.3 Proteus and update packages for previous versions are available in the downloads section.
The phpBB community has been working hard to get this release prepared and work on phpBB 4.0 is already underway!
We would like to thank everyone for working hard to make today possible! The following people contributed code to the 3.3 Proteus release: Marc Alexander, Jakub Senko, Tristan Darricau, 3D-I, rxu, Rubén Calvo, javiexin, mrgoldy, kasimi, Oliver Schramm, JoshyPHP, Máté Bartus, Derky, hubaishan, Matt Friedman, Dark❶, David Colón, v12mike, nomind60s, Christian Schnegelberger, Mikel Alejo, amalnaeem, Michael Miday, Alfredo Ramos, EA117, Zoddo, Vishal Pandey, Alec, Louis7777, Vinny, battye, Daniel Sinn, Jim Mossing Holsteyn, Sophist, DSR!, Daniel Mota, Erwan Nader, François-Xavier de Guillebon, GanstaZ, PayBas, Kailey Truscott, Richard McGirr, Soeren D. Schulze, brunoais, jasonmarlin, oxcom, stevendegroote, AJ Quick, Anssi Johansson, Jagoba Los Arcos, KYPREO, MichaelC, Nuno Lopes, Rishabh04-02, Saeed Hubaishan, Serge Skripchuk, abyssmedia, david63, dhruveshk, lavigor, vinny, Agris, Akbar, Alex Miles, Andrii Afanasiev, Casey Peel, Daniel, FH, GerB, Ioannis Batas, Julien Tant, Mukesh Kumar Kharita, Nekstati, Paul Sohier, Sage Pointer, TarantinoMariachi, Toxyy, canonknipser, cclauss, espipj, ftc2, kitsiosk, lr94, luzpaz, scootergrisen, tas2580, upstrocker
Please discuss this topic in its discussion topic.
|
Posted over 5 years ago by Marc
Greetings everyone,
We are pleased to announce the release of phpBB 3.2.9 "The Rise of Bertie". This version is a maintenance and security release of the 3.2.x branch which fixes two minor security issues, introduces further hardening, and resolves various issues reported in previous versions.
Previous versions of phpBB did not properly enforce form tokens on changing group avatars and handling pending group memberships which could have been used to trick users into carrying out unwanted actions. Both of these issues have been found as part of an internal code audit prior to the release of phpBB 3.3. The issues have been assigned CVE-2020-5501 and CVE-2020-5502 respectively.
The fixed issues include, among others, multiple issues with default Nginx and Sphinx configuration files supplied in the phpBB package as well as an issue with calculating the chunk size while using plupload. In addition to that, the fallback on invalid styles data has been improved and emoji support has been added to forum names and topic titles.
As phpBB 3.3 provides a clear update path with minimal breaking changes, phpBB 3.2 will directly enter a reduced maintenance mode during which it will only receive changes for major issues as well as any security issues. The timetable for maintenance and security fixes is as follows:
End of Maintenance (EOM): April 6th, 2020
End of Life (EOL): July 6th, 2020
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.9 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=15193
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: 3D-I, Jakub Senko, mrgoldy, EA117, Alfredo Ramos, JoshyPHP, kasimi, rxu, DSR!, oxcom, stevendegroote, KYPREO, v12mike, Matt Friedman
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Release Highlights
Improvements
Improved fallback on invalid styles data - More fallbacks for when a user has an invalid style configured have been added PHPBB3-16144
Extended emoji support - More parts of phpBB now support emojis PHPBB3-16151 PHPBB3-16153 PHPBB3-16203
Notable Bug Fixes
Improper chunk size calculation during upload - Some combinations of phpBB and PHP configurations resulted in invalid chunk sizes for plupload PHPBB3-16141
Issues with default config files - Resolved multiple issues with sample config files for nginx and sphinx search PHPBB3-16242 PHPBB3-16258 PHPBB3-16209
|
Posted over 5 years ago by Marc
Greetings everyone,
We are pleased to announce the release of phpBB 3.3.0-RC1 "Bertie's holiday preparations". This is the first release candidate of the upcoming phpBB 3.3.0 feature release and introduces minor changes and new functionality.
Among the biggest changes are the updated third party dependencies like Symfony that result in the minimum supported PHP version increasing to PHP 7.1 while also adding support for PHP 7.3 and 7.4. New features include increased Emoji support, support for the latest Argon2id and Argon2i password hashing, as well as refactoring of the OAuth implementation and small UI adjustments like an updated phpBB logo.
The full changelog is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release candidate on the wiki at https://wiki.phpbb.com/Release_Highlights/3.3.0-RC1 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=15192
The packages can be downloaded from our Area51 downloads site and our package archive.
The development team thanks everyone who contributed code to this release: rxu, 3D-I, JoshyPHP, mrgoldy, Alfredo Ramos, Matt Friedman, KYPREO, Sage Pointer
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
|
Posted almost 6 years ago by Paul
Hello,
Today, Monday September 23rd from 9:00 PM (UTC) until 11:00 PM (UTC) we will be performing some maintenance on the infrastructure that powers www.phpbb.com and several subdomains of phpbb.com.
This downtime applies to our various sites, including, but not limited to:
https://www.phpbb.com
https://area51.phpbb.com
https://tracker.phpbb.com
https://wiki.phpbb.com
This downtime will not affect any other installation of the phpBB software other than www.phpbb.com. However, the version check in your administration control panel might give a temporary error message.
Many thanks,
The phpBB Team
|
Posted almost 6 years ago by Marc
Greetings everyone,
Today we’re announcing the release of phpBB 3.2.8. This release is dedicated to the memory of Maria Wilhelmina Theodora 'Marian' Verhoog-Wienk [08 October 1958 - 18 September 2019], who you may know as marian0810. Rust in vrede, Marian.
This version is a maintenance and security release of the 3.2.x branch which fixes three security issues, introduces further hardening, and resolves various issues reported in previous versions.
Previous versions of phpBB did not properly enforce form tokens on two separate pages which could have been used to trick users into carrying out unwanted actions. We’d like to thank kevinoclam (via HackerOne) and Yuval Kanarenstein of SecuriTeam Secure Disclosure for their report and responsible disclosure. The issues have been assigned CVE-2019-16107 and CVE-2019-13376 respectively.
In addition to this, improper validation of BBCode parameters allowed modifying the style attribute and injecting arbitrary CSS into the page. We’d like to thank Hanno Böck for his report and responsible disclosure. The issue has been assigned CVE-2019-16108.
For further hardening phpBB against potential attacks, we have integrated the Referrer-Policy header and disabled the MySQLi local infile setting. The Referrer-Policy header will prevent sending any kind of referrer information to less secure destinations or third party sites while disabling the MySQLi local infile setting will prevent MySQL servers from potentially requesting local files from the client side. These changes were introduced based on input received from Akash Methani and LoRexxar @ knownsec 404Team respectively.
The fixed issues include, among others, multiple issues with OAuth logins, improved login form token check that should now work in all templates, restoring the ability to restore database backups, and support for newer TLS versions for SMTP connections on the latest PHP versions.
Searching for users by their last visit time has been modified to prevent potentially unwanted results from showing up.
In order to help the support team in assessing issues in phpBB, we have now disabled the uninstallation of prosilver. Prosilver can however still be deactivated.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.8 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=15090
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: 3D-I, Dark❶, Jakub Senko, mrgoldy, rxu, Christian Schnegelberger, EA117, kasimi, JoshyPHP, Casey Peel, Nekstati, Nuno Lopes, cclauss, espipj, kinerity
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
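The two hardening measures named in the 3.2.8 announcement above (a Referrer-Policy header and a disabled MySQLi local infile setting) can be checked on a deployment. The following is an added example, not phpBB code: the function names, sample headers and sample ini text are constructed for illustration, and reading the `mysqli.allow_local_infile` php.ini directive is an assumption about where an administrator enforces the setting.

```python
# Added example: sample data is constructed; function names are hypothetical.
# Referrer-Policy token -> (sent on HTTPS->HTTP downgrade, full URL cross-origin)
POLICIES = {
    "no-referrer":                     (False, False),
    "same-origin":                     (False, False),
    "strict-origin":                   (False, False),
    "strict-origin-when-cross-origin": (False, False),
    "no-referrer-when-downgrade":      (False, True),
    "origin":                          (True,  False),
    "origin-when-cross-origin":        (True,  False),
    "unsafe-url":                      (True,  True),
}

def effective_referrer_policy(header_value):
    """Browsers apply the last recognized token of a comma-separated list."""
    policy = None
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            policy = token
    return policy

def local_infile_setting(php_ini_text):
    """Return True/False for mysqli.allow_local_infile, None if never set."""
    value = None
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ini comments
        key, sep, raw = line.partition("=")
        if sep and key.strip().lower() == "mysqli.allow_local_infile":
            # a later occurrence overrides an earlier one
            value = raw.strip().strip('"').lower() in ("1", "on", "yes", "true")
    return value

def audit(response_headers, php_ini_text):
    findings = []
    headers = {k.lower(): v for k, v in response_headers.items()}
    policy = effective_referrer_policy(headers.get("referrer-policy", ""))
    if policy is None:
        findings.append("Referrer-Policy missing or unrecognized")
    else:
        on_downgrade, full_cross_origin = POLICIES[policy]
        if on_downgrade:
            findings.append(f"{policy}: referrer sent over HTTPS->HTTP downgrade")
        if full_cross_origin:
            findings.append(f"{policy}: full URL sent to third-party origins")
    setting = local_infile_setting(php_ini_text)
    if setting is None:
        findings.append("mysqli.allow_local_infile not set explicitly")
    elif setting:
        findings.append("mysqli.allow_local_infile enabled")
    return findings

# Constructed inputs: a hardened deployment and a weak one.
GOOD_HEADERS = {"Referrer-Policy": "no-referrer, strict-origin-when-cross-origin"}
GOOD_INI = "mysqli.allow_local_infile = On ; old line\nmysqli.allow_local_infile = Off\n"
WEAK_HEADERS = {"referrer-policy": "unsafe-url"}
WEAK_INI = "mysqli.allow_local_infile = 1\n"
```

An empty list from `audit(GOOD_HEADERS, GOOD_INI)` means both measures are in place; `audit(WEAK_HEADERS, WEAK_INI)` reports each gap as a separate finding.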
|