Bill - your response is evidence that supports our policy that "making security issues public exacerbates the situation".
You believe that we should have a fix and get it out - and are clamouring (almost panicking) for it.
To be responsible we cannot release any software - without fully testing it - do we have the right fix? Will the fix have unexpected effects on other areas of the product? - is the fix itself secure?
All we received from PowerDNN after much delay was information on how the issue can be reproduced (we haven't received any information on how they fixed it for their own customers) - we then needed time to determine the correct fix.
You would be complaining vociferously if we released a badly developed patch that caused other problems to your production sites?
If PowerDNN had not made this public - we could have spent more time on this issue - and less time trying to deal with the community panic/backlash.
Part of our testing process is to "dog-food" it on our properties - this is the responsible procedure.