NodeBB 2.8.17 & 3.3.5 Security Releases

<baris>

Today we are releasing patch versions for 3.x and 2.x lines to fix an xss vulnerability.

As mentioned before we will be supporting 1.x and 2.x until August 2024 and August 2025 respectively. This vulnerability does not effect the 1.x releases so there is no patch for it.

The fix is included in the latest 2.8.17 & 3.3.5 releases
https://github.com/NodeBB/NodeBB/releases/tag/v2.8.17
https://github.com/NodeBB/NodeBB/releases/tag/v3.3.5

FrankM

Before the upgrade i see this?

<baris>

@FrankM when do you get this page?

FrankM

https://<DOMAIN>/admin/extend/plugins

FrankM

user_nodebb@webserver2-4gb-nbg1-1:~/nodebb$ ./nodebb upgrade

Updating NodeBB...

1. Updating package.json file with defaults...  OK

2. Bringing base dependencies up to date...  started

changed 2 packages, and audited 920 packages in 3s

94 packages are looking for funding
  run `npm fund` for details
*delete*

<baris>

@FrankM the issue with out package manager should be fixed now, can you try again?

FrankM

@baris Works. Thank you!

FrankM

~/nodebb$ git fetch
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 9 (delta 6), reused 9 (delta 6), pack-reused 0
Unpacking objects: 100% (9/9), 904 bytes | 75.00 KiB/s, done.
From https://github.com/NodeBB/NodeBB
   05a7c7610d..d36140eb5f  develop    -> origin/develop
   fb43f9ae10..dc14d6a8d1  v2.x       -> origin/v2.x
~/nodebb$ git reset --hard origin/v3.x
HEAD is now at a67f84ea5b chore: incrementing version number - v3.3.4

Ok, i think you are working.

sweetp

after updating, my install still says its running v3.3.4

<baris>

@sweetp I might have forgot to increment the version number in package.json for 3.3.5, I did that later https://github.com/NodeBB/NodeBB/commit/055762e69e66d8a4fb30755a7b84bf52613c9e57.

FrankM

On another forum, i got nothing when i do

git fetch

FrankM

~/nodebb$ git reset --hard v3.3.5
fatal: ambiguous argument 'v3.3.5': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'

julian

@FrankM You'll need to either git pull or git fetch first.

FrankM

Ok, git pull works

~/nodebb$ git pull
remote: Enumerating objects: 475, done.
remote: Counting objects: 100% (475/475), done.
remote: Compressing objects: 100% (231/231), done.
remote: Total 475 (delta 248), reused 469 (delta 244), pack-reused 0
Receiving objects: 100% (475/475), 417.93 KiB | 13.06 MiB/s, done.
Resolving deltas: 100% (248/248), completed with 54 local objects.
From https://github.com/NodeBB/NodeBB
   7d9ff9bf4e..d36140eb5f  develop    -> origin/develop
   c44ddb10e7..055762e69e  master     -> origin/master
   638e098f30..dc14d6a8d1  v2.x       -> origin/v2.x
 * [new tag]               v2.8.17    -> v2.8.17
 * [new tag]               v3.3.5     -> v3.3.5

My other forum show this

~/nodebb$ git pull
hint: You have divergent branches and need to specify how to reconcile them.
hint: You can do so by running one of the following commands sometime before
hint: your next pull:
hint: 
hint:   git config pull.rebase false  # merge
hint:   git config pull.rebase true   # rebase
hint:   git config pull.ff only       # fast-forward only
hint: 
hint: You can replace "git config" with "git config --global" to set a default
hint: preference for all repositories. You can also pass --rebase, --no-rebase,
hint: or --ff-only on the command line to override the configured default per
hint: invocation.
fatal: Need to specify how to reconcile divergent branches.

julian

Fixing diverged branches is outside of scope of this forum, sorry

master branch and 'origin/master' have diverged, how to 'undiverge' branches'?

Somehow my master and my origin/master branch have diverged. I actually don't want them to diverge. How can I view these differences and merge them?

Stack Overflow (stackoverflow.com)

What to do when git branch has diverged?

A blog written by PoAn (Baron) Chen.

PoAn (Baron) Chen's site (poanchen.github.io)

FrankM

I somehow got it to v3.3.5 now. Please do not ask how I'm thinking about reinstalling to start cleanly.