
As a leading British telephone network, giffgaff serves millions of customers. Through innovative use of Flarum, they've built up a passionate peer support community, improving support and engaging customers.
An avid adventurer and hiker, Mike has found Flarum to be an excellent platform for blogging about his trips, discussing gear, and meeting fellow hiking enthusiasts while slowly increasing engagement.
Leading provider of communication and entertainment in Switzerland. Their Flarum community creates a framework for healthy togetherness while supporting their customers with an appealing, user-friendly community experience.
Before starting the upgrade process, ensure you are on Flarum 1.0.0 or above in your Admin Dashboard or by typing php flarum info. If you're not, use the previous release announcement for upgrading from an earlier version.

Before you upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!

If you run into any issues, please open a new discussion under the Support tag. Ignore similar discussions and open a new one anyhow. Make sure to mention the output of php flarum info, composer why-not flarum/core v1.7.0, and any errors to their fullest.
Thank you to all the Supporters, backing us through Discuss: @v17development and @waca!
v1.x release before v2.0 development begins.

⚠️ Affected versions:
Two of the vulnerabilities affect all versions below v1.6.3.
One affects all versions between v1.3.0 and v1.6.2.
# Update to latest version
composer update --prefer-dist --no-dev -a -W
# Verify that you're on v1.6.3
composer show flarum/core
# Clear cache
php flarum cache:clear

v1.6.3.

Impact
The mentionsPosts relationship included in the POST /api/posts and PATCH /api/posts/<id> JSON responses leaks the full JSON:API payload of all mentioned posts without any access control. This includes the content, date, number and attributes added by other extensions.

Versions below v1.6.3 are affected.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, resulting in a CVSS score of 7.7. See the CVSS score breakdown.
Workarounds
Disable the mentions extension.
v1.6.3.

Impact
The notification-sending component does not check that the subject of the notification can be accessed by the receiver, and proceeds to send notifications through their different channels. The alerts themselves do not leak data, because they are listed based on a visibility check; however, emails are still sent out.

Versions below v1.6.3 are affected.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N, resulting in a CVSS score of 6.8. See the CVSS score breakdown.
Workarounds
Disable the Flarum Subscriptions extension or disable email notifications altogether.
v1.3.0 and v1.6.3.

Impact
If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email.

This occurs when discussions.comment_count is still above zero after the post deletion.

Versions between v1.3.0 and v1.6.3 are impacted.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, resulting in a CVSS score of 3.5. See the CVSS score breakdown.
Workarounds
If you don't delete the first posts you are not affected. A workaround can be to delete the discussion itself, or amend the database to manually set a first_post_id.
release/v1.6.3 branch on the 10th of January 2023 around 12:00 UST. After verifying that the patch worked as expected and didn't have noticeable effects on other areas of core and bundled extensions, it was released as v1.6.3 on the same day an hour later.

$ npm uninstall -g flarum-cli
Now install the new package:
$ npm install -g @flarum/cli
To run a command, use either flarum-cli or fl:
$ flarum-cli COMMAND
$ fl COMMAND
To see a list of available commands, run either of:
$ flarum-cli
$ flarum-cli --help
$ npm update -g @flarum/cli
flarum-cli init [PATH]: Generates a blank extension skeleton, including all recommended infrastructure.
flarum-cli infra backend-testing [PATH]: Adds (or updates) infrastructure for running automated backend tests.
flarum-cli make backend api-serializer [PATH]
flarum-cli make backend api-serializer-attributes [PATH]
flarum-cli make backend command [PATH]
flarum-cli make backend event-listener [PATH]
flarum-cli make backend handler [PATH]
flarum-cli make backend integration-test [PATH]
flarum-cli make backend job [PATH]
flarum-cli make backend migration [PATH]
flarum-cli make backend model [PATH]
flarum-cli make backend policy [PATH]
flarum-cli make backend repository [PATH]
flarum-cli make backend route [PATH]
flarum-cli make backend service-provider [PATH]
flarum-cli make backend validator [PATH]
flarum-cli make frontend component [PATH]
flarum-cli make frontend modal [PATH]
flarum-cli make frontend model [PATH]
flarum-cli update js-imports [PATH]: Adds admin/forum/common namespaces to all JS imports from flarum core.
flarum-cli help [COMMAND]
Learn how to harness the extensibility of Flarum to create your own extensions and customize your community.
Help us make Flarum even more powerful and customizable! Every bug report, pull request, and documentation improvement is a huge help.