DotNetNuke Forums
 
New Post 5/23/2008 9:42 AM
Bill Yonder

PowerDNN Security Hotfix 

Hi All,
I've been watching things on the forum the past couple days and I've noticed that PowerDNN is getting flamed for hotfixing their customers with a critical security vulnerability.  I have a couple questions about this.

1)  Why is the core team spending all their time flaming PowerDNN and not releasing a patch?
2)  Why is it that DotNetNuke.com is patched but the core team has not released the fixes to the public?

Bill

 
New Post 5/23/2008 10:06 AM
Sebastian Leupold

Re: PowerDNN Security Hotfix
(Modified by Sebastian Leupold on 5/23/2008 12:07:36 PM)

Bill,

Please be aware that the core team is taking any security issue very seriously.

  1. The core team has been working hard to analyse the security issues (which have not been classified to be "hyper-critical" by our security experts) and was working on a sustainable solution, which will be included in DNN 4.8.3, as we do not provide patches which might expose the vulnerability to anyone for reverse engineering. DNN 4.8.3 will be tested internally for a few days and be published ASAP.
  2. If the "security scanner" states DotNetNuke.com as being secure, this simply exposes that the tool is unable to guess the version running (due to a number of .txt files removed), because this is all the tool is able to "analyse", not whether it really has been "patched". Fixing the issue of exposing the version number will be another change in DNN 4.8.3.

I also suggest reading the latest blog posts by Shaun Walker and Joe Brinkman.


Sebastian Leupold

 
New Post 5/23/2008 10:07 AM
Ed DeGagne

Re: PowerDNN Security Hotfix 

Bill,

Very good questions. Seems to me the effort should have been in the form of a quick fix and release. Instead, too much effort was spent on the "defensive" side of the equation.

If PowerDNN received a black eye in any way from their handling of the situation (which is open to interpretation), then the core team and many community members received two black eyes for their handling of it.

The public "lynching", the finger pointing, the labeling of PowerDNN as greedy and opportunistic, all reflect poorly on DotNetNuke itself, the Core Team, and the entire community.

There are quite a few people that should be embarrassed by their reaction in these forums.

 

Edward DeGagne | Applications Engineering Manager
ektron, inc.
542 Amherst Street, Route 101A | Nashua, NH 03063

 


Ed DeGagne
South Village Software
 
New Post 5/23/2008 10:20 AM
Carlos Rodriguez

Re: PowerDNN Security Hotfix
(Modified by Carlos Rodriguez on 5/23/2008 12:20:50 PM)

Bill:

With all due respect, you apparently have not read all posts from the Core Team members; there are multiple threads going on about this and not all have the responses from the Core Team. If you did, you would have seen that the Core Team cannot just take the alleged patch without looking at the possible problem, understanding what the issue is, implementing the change, and testing it properly. They are actually working on it as we speak, and it may take a couple of days. PowerDNN didn't say how long they took to find the issue and to fix it or whether it was actually exploited. The Core Team has not actually been flaming PowerDNN, they were just clarifying at one particular point in time that they had not received communications from PowerDNN even though they were claiming they had sent the pertinent info to the DNN security address, they took their time.

Don't know if you saw the following post, that basically started the whole thing when the proverbial caca hit the fan: http://www.dotnetnuke.com/Community/Forums/tabid/795/forumid/112/threadid/228802/scope/posts/threadpage/5/Default.aspx

I hope this answers your questions.

Carlos

 

 
New Post 5/23/2008 10:26 AM
Scott Stokes

Re: PowerDNN Security Hotfix 

I have failed to find the module on DotNetNuke.com that shows a breakdown of Core-Team members' time spent posting, in relation to time spent working on security fixes.

I did however find a couple blog posts at http://www.dotnetnuke.com/tabid/825/default.aspx

And I am left wondering if the other posters in this thread crying for a quick-patch are in the correct DNN roles to access the same page?

On a side note to keep some focus:  I promise you, whatever operating system your main computer is running:  It has more serious security flaws in it than whatever the hell is being patched in DNN 4.8.3.

 