MyBB 1.6.5 Released – Feature Update, Security & Maintenance Release

MyBB 1.6.5 is now available from the MyBB website and is a feature update, security and maintenance release for the 1.6 series.

What’s added/changed in this version?

In 1.6.5, there are 3 vulnerabilities and over 70 reported issues fixed. Please be aware that not all of the existing problems have been fixed in this version.

  • Vulnerabilities:
    • Non Critical: Unparsed user avatar in the buddy list – reported by labrocca
    • Non Critical: Potential XSS vulnerability validating usernames via AJAX – reported by Will G
    • Low Risk: CSRF vulnerability in ?language – reported by Nathan Malcolm (Issue #1729)

    Thanks to everyone who helped find and resolve the issues!

  • Fixed issues in 1.6.5
  • Unfixed issues

There are also over 10 new feature updates in 1.6.5. These range from the ability to locate spam users from the ACP to reCAPTCHA support. To get a summary of these new updates and for a list of changed files and language pack changes, please see the Wiki on 1.6.5.

View 1.6.5 Changes in the Wiki

Upgrading from 1.6.4 and Other Versions

Before performing any upgrade, please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again once the upgrade is complete.

If you have any plugins installed that limit signatures or provide reCAPTCHA, or might not be needed because of the new default settings available, it’s suggested to uninstall these before the upgrade. If you’re unsure, create a thread in the General Support section of the Community Forum with your plugin list and a useful member will be able to tell you the plugins that need to be disabled.

To upgrade, follow the Upgrading process. The upgrade script is required. There are also language and theme changes.

If you’re using MyBB 1.6.4

If you’re not using MyBB 1.6.4

Plugin System Changes

In 1.6.5, there are some fundamental changes to the Plugin System. These changes were made to provide greater support for PHP 5.3 and above.

These changes mean that you may need to upgrade some of the plugins you are running on your forum before upgrading to 1.6.5. If you are a Plugin Developer, you need to check your plugins to see if you are required to change them so they work with the new version.

Please see the 1.6.5 Plugin System Changes Wiki for an explanation of the changes. There is also the Plugin Changes coming in 1.6.5 thread on the Community Forums.

MyBB Merge System 1.6.2 Update

For those users who have been using Merge System 1.6.1 and earlier, there is a new update ready for you.

You can read more about it in the 1.6.2 Update Blog Post.

In the near future, the Merge System will be following the main branch of MyBB – for example, if you’re using MyBB 1.6.8 you’ll need Merge System 1.6.8. This will mean that the Merge System will jump several minor points. These changes have yet to come into effect, so please continue to use Merge System 1.6.2. We’ll announce further details nearer the time of the changes.

MyBB 1.6.4 Vulnerability

In October, we found that a 3rd party had compromised the MyBB server and the 1.6.4 release was modified to contain a hidden vulnerability. If you’re current using 1.6.4 and have had no prior knowledge of this, then we urge you to upgrade to 1.6.5 as soon as possible.

As a result of the compromise to our systems we will be hosting our download packages on github, we will continue to do this until we are confident our systems here are just as secure as what github can offer.

Here are the MD5 checksums for the release packages:

mybb_1605.zip: 032403cee9d25110370ace935803ab9d

1605_changedfiles.zip: 91e6055b758c0aa233503a2a7528a7b0

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

Thank you,
MyBB Team

31 thoughts on “MyBB 1.6.5 Released – Feature Update, Security & Maintenance Release

  1. upgrade to version 1.6.5 and I got this error

    Fatal error: Call to undefined function styleUsernames::initCache() in /home/jesam/public_html/inc/class_plugins.php on line 101

  2. Very nice update, lots of new features to fight against spam. I like the new post count requirements for some things, should stop the bots from during some of those automated actions.

    Cheers to the MyBB team.

  3. I am a LOYAL MyBB fan, but I will now remove myBB copyright in our website..

    because MyBB Staff are Bias!! they refused to post my 1st comment dated nov 27!

    BIAS myBB Staff!

    Insecure.. :(

  4. and I will expose this issue around the net, that the simple comment has been denied because of insecurities of some MyBB Staff! :(

  5. xpserkan (November 27th, 2011, 8:56 am)

    this is the last comment, and I posted after him November 28.. but SOME MyBB Staff are Bias! they refuse to post my comment :(

    and then November 29 already here in PH, my simple comment is not accepted? why? are you insecure guys?

  6. @uzer: I found one comment by you that was caught by Akismet – I have now approved it. I hope this is the post you were talking about. :)

    Please in the future, do not jump to conclusions. Sometimes there are simply mistakes made – this time it was by Akismet.

  7. Upgraded without any problems, only a few small plugins which was not already updated needed changes which very easy to do. Everything went well and working as it should do.

    Thanks to the MyBB team for all of your hard work.

  8. Pingback: CVE-2011-5132 (mybb) | Web Security Watch

  9. Pingback: CVE-2011-5133 (mybb) | Web Security Watch

Comments are closed.