phpList 3.5.1 Released: Security Release

Also, the subset of passwords affected by using “==” instead of “===” are those on which the password hashes begin with 0e followed by exclusively numerical characters.

Suela.

2 Likes

Hi thanks to @Suela for this reply then found this updated file from here

Wow! I wish I had found this forum post before I started the long and tedious process of uploading the 12,000 PHPlist files to my server.
It would be nice if we could just have ‘a patch’ in cases like this…

Hi @mikerotec that is why :wink: I'd asked if so many files must be updated in order to upgrade to 3.5.1 (from 3.5.0)
PS: Tried to find a listing of all “necessary” files for basic usage but none at this point!

I don’t really see the issue, takes about 10 minutes to update when done manually…

@alex01 in order to save the mother earth resources!

and :wink: updated version number in database (table: phplist_config) & uploaded the following files: init.php & structure.php (admin subfolder)

Maybe more to do? I don’t know…

Try using SFTP, rsync, or the automatic updater to make such upgrades more convenient.

The automatic updater was deprecated, wasn’t it??? It’s not included in the latest version…

I do use SFTP and it’s still pretty tedious. :roll_eyes: Not sure I can set up rsync in this case

It’s really odd that the latest release the automatic updater is showing is 3.5.0.

Hello, can you please try again (make sure you are starting fresh by removing the actions.txt file in the /Config folder). I can’t replicate that in my installation and can confirm the version in the server is 3.5.1.

Hmm, NO it is not deprecated and it is included on the latest version. Can you please check on why would that be with your installation?
Thanks

The automatic updater shows version 3.5.1. The phpList Community News in the dashboard does not. I actually did not try the automatic updater earlier because I assumed that the news and the updater are in sync. I’ve cleared my browser cache, just in case.

Oh, now that bit is actually updated directly from the phplist.org website and usually every release notification is shared so, I understand the confusion. You should be able to see the post about that release too now.

Thanks,
Suela.

FYR, this release fixes CVE-2020-8547

This is getting off-topic, but fwiw before wpcli, I would usually update my wordpress installs using svn sw. Would it be possible to update phpList’s files with a single carefully written git clone against some tagged version?

@maltfield it seems done for now…

The fix is provided by switching to using strict comparison ‘===’ on the Password validation line in this file.
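The comparison behaviour discussed in this thread (the hashes beginning with 0e followed only by digits, and the switch to ‘===’), shown as an added example that is not part of the original posts and is not phpList's code. The digests are constructed strings rather than hashes of real passwords, the function names are hypothetical, and hash_equals() is shown as an additional PHP built-in, not as the fix the release applied:

```php
<?php
declare(strict_types=1);

// Constructed 32-character strings shaped like hex digests (not real password hashes).
const STORED_0E   = '0e123456789012345678901234567890';
const SUPPLIED_0E = '0e987654321098765432109876543210';
const ORDINARY    = 'ab12cd34ef56ab12cd34ef56ab12cd34';

/** True when PHP reads the digest as scientific notation, i.e. 0 * 10^n = 0. */
function looksLikeNumericZero(string $digest): bool
{
    return preg_match('/^0e\d+$/', $digest) === 1;
}

/** Loose comparison: two numeric strings are compared as numbers. */
function looseMatch(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

/** Strict comparison: same type and same bytes, no numeric conversion. */
function strictMatch(string $stored, string $supplied): bool
{
    return $stored === $supplied;
}

/** Constant-time string comparison (PHP built-in), also free of type juggling. */
function constantTimeMatch(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

$cases = [
    'two different 0e digests' => [STORED_0E, SUPPLIED_0E],
    '0e digest vs ordinary'    => [STORED_0E, ORDINARY],
    'identical digests'        => [ORDINARY, ORDINARY],
];

foreach ($cases as $label => [$stored, $supplied]) {
    printf(
        "%-26s affected=%s  ==:%s  ===:%s  hash_equals:%s\n",
        $label,
        var_export(looksLikeNumericZero($stored) && looksLikeNumericZero($supplied), true),
        var_export(looseMatch($stored, $supplied), true),
        var_export(strictMatch($stored, $supplied), true),
        var_export(constantTimeMatch($stored, $supplied), true)
    );
}
```

Only the first case differs between the operators: both strings are numeric and evaluate to zero, so ‘==’ reports a match while ‘===’ and hash_equals() do not.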

Hello everyone

Someone has shared on Twitter this blog earlier today:

You might want to check.

Mariana

1 Like

For me the "phpList community news" in the dashboard is now only a link to https://www.phplist.org/newslist/

Hi, I get this error at the last step of the web updater:
Could not delete /myphplistsfolder/updater/…/base/vendor/bin

The folder updater contains these files
drwxr-xr-x 3 www-data www-data 4096 Dez 29 16:42 .
drwxr-xr-x 10 www-data www-data 4096 Feb 17 17:09 ..
drwxr-xr-x 2 www-data www-data 4096 Dez 29 16:42 images
-rw-r--r-- 1 www-data www-data 80233 Dez 29 16:42 index.php
-rw-r--r-- 1 www-data www-data 3889 Dez 29 16:42 README.md

My whole phplists web folder is owned by the web server user.
What can I do?