DNN Blog

Author: cathal connolly Created: Wednesday, August 24, 2005 8:04:25 AM
Information and progress on matters of Core Security.
By cathal connolly on Friday, May 18, 2012 8:30:17 AM
One of the exciting enhancements coming in DotNetNuke 6.2.0 is the new Services Framework – a great way to write web services that integrate well with DotNetNuke. There are a few blogs recently published that contain...
By cathal connolly on Thursday, March 15, 2012 12:15:58 PM
The 6.1.4 CE and PE/EE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 6.1.4 Released.

The 6.1.4 release contains one security fix rated as “moderate” – as this issue was introduced in 6.0.0, no fix was required for earlier builds.

The bulletin for 6.1.4 can be read here:

Filemanager function fails to check for valid file extensions...
By cathal connolly on Thursday, February 02, 2012 4:12:59 PM
The 5.6.7 and 6.1.3 CE and PE/EE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 6.1.3/5.6.7 Released.

The 5.6.7 release only contains this one security fix (as per our Sunsetted releases policy, which can be read here), which is rated “critical”.

The bulletin for 5.6.7 can be read here:

Non-approved users can access user and role functions...
By cathal connolly on Friday, December 30, 2011 8:10:47 PM
On Thursday 29th December 2011 Microsoft released an out-of-band security update to address an issue with asp.net. This is a relatively rare thing, as Microsoft typically only releases security updates on the 2nd Tuesday of the month (known as “Patch Tuesday”), so it indicates that this is a serious issue that Microsoft does not want to leave available for exploitation for another few weeks. The advisory can be read here...
By cathal connolly on Friday, December 23, 2011 7:24:04 PM
The 5.6.6 and 6.1.2 CE and PE versions of DotNetNuke have been released. The 6.1.2 release notes can be read @ DotNetNuke 6.1.2 Released. It contains two security fixes that resolve two “low” items.

The 5.6.6 release only contains these two security fixes (as per our Sunsetted releases policy, which can be read here).

The bulletins for the two items fixed in both...
By cathal connolly on Wednesday, November 02, 2011 11:47:19 PM
The 5.6.4 and 6.1.0 CE and PE versions of DotNetNuke have been released. The 6.1.0 release notes can be read @ DotNetNuke 6.1.0 Released. It contains two security fixes that resolve one “low” and one “medium” issue.

The 5.6.4 release only contains security fixes (as per our Sunsetted releases policy, which can be read here). The 5.6.4 release also contains 1 outstanding “low”...
By cathal connolly on Thursday, July 07, 2011 1:03:58 AM
The 5.6.3 CE and PE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 5.6.3 Released. This release contains a fix for two "low", two “medium” and one “critical” security issues.

The bulletins can be read at

Ability to reactivate user profiles of soft-deleted users
User management mechanisms can be executed by invalid users...
By cathal connolly on Thursday, January 20, 2011 9:49:19 PM
The 5.6.1 CE and PE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 5.6.1 Released. This release contains a fix for two "critical" and five “low” security issues.

The bulletins can be read at

Edit Level Users have Admin rights to modules
Unauthenticated user can install/uninstall modules...
By cathal connolly on Thursday, November 25, 2010 11:05:14 PM
The 5.6.0 CE and PE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 5.6.0 Released. This release contains a fix for one "low" security issue.

The bulletin can be read at

Exception details may leak if logging provider is unavailable (DNN 2010-13-L)

As always, we recommend you upgrade as soon as possible.

If you're new to upgrading I recommend...
By cathal connolly on Wednesday, October 06, 2010 8:58:00 PM
As some of you may know, last Friday we noticed some unexpected user activity on our site. Further checking showed that some administrative accounts had been compromised via the recent asp.net padding oracle issue. As this exploit allows a hacker to crack the machinekey values, it's extremely serious, as these are (amongst other things) part of what's used to secure user passwords. The fix for this issue only came out midweek and we were still in the process of applying it, so we took the somewhat unprecedented...
By cathal connolly on Tuesday, October 05, 2010 6:03:25 PM
The DotNetNuke Wiki has been in place for a little while now, and is starting to grow as more people discover it. We’re hoping that its growth will start to accelerate, and the reference team are committed to making efforts to ensure it becomes a valuable, relevant place to look for help. If you haven’t had a chance to look at it yet, please visit http://wiki.dotnetnuke.com/ (and while you’re there consider adding to it). I plan on blogging regularly...
By cathal connolly on Friday, October 01, 2010 8:23:35 PM
A few days ago we alerted the community to the existence of a permanent fix from Microsoft for the padding oracle issue. At that point the fix was only available via Microsoft Downloads, but now it’s available via Windows Update. This has the advantage that Windows Update identifies and applies the fix for all necessary versions of the framework installed.

We recommend all DotNetNuke sites apply this fix as soon as possible to resolve this issue permanently. Further details on the out-of-band release...
By cathal connolly on Tuesday, September 28, 2010 8:15:00 PM
Microsoft have just released a security update that resolves the padding oracle issue - it will be available via Windows Update in a few days, but if you want you can get a copy from Microsoft Downloads. Scott Guthrie's blog @ http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx has all the relevant details.
By cathal connolly on Saturday, September 18, 2010 5:55:00 PM
A critical vulnerability in asp.net was publicly disclosed late Friday at a security conference. We recommend that all users immediately apply a workaround (described below) to prevent attackers from using this vulnerability against your DotNetNuke (and any other ASP.NET) applications.
By cathal connolly on Thursday, September 16, 2010 8:00:00 PM
Over the past few days we've had a number of community members send us links to various reports of a potential problem with the encryption of asp.net forms authentication. At this point there is very little information in the public domain about the specifics of it. We've been in contact with both of the authors of the original report, and are also working to gather as much relevant information as we can. If the issue is validated (Microsoft at this point have issued no public comment), we'll be well placed to see if there is anything we can do to mitigate the issue for DotNetNuke users.

...
By cathal connolly on Wednesday, August 18, 2010 10:19:00 PM
The 5.5.0 CE and PE versions of DotNetNuke have been released. The release notes can be read @ http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2747/DotNetNuke-5-5-release.aspx. This release contains a fix for one "medium" security issue.
By cathal connolly on Thursday, June 17, 2010 4:02:00 PM
The 5.4.3 CE and PE versions of DotNetNuke have been released. These releases include fixes for a number of "low" and "medium" security issues.
By cathal connolly on Tuesday, May 25, 2010 10:07:00 AM
The 5.4.2 CE and PE versions of DotNetNuke have been released. These releases include fixes for 2 "low" security issues.
By cathal connolly on Thursday, February 18, 2010 4:03:00 PM
The 5.2.3 CE and PE versions of DotNetNuke have been released. The release notes can be read @ http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2497/DotNetNuke-5-2-3-Released.aspx

These releases fix a "low" security issue.

By cathal connolly on Tuesday, February 02, 2010 12:47:00 AM

At the start of every year I like to do a quick roundup of some of the activities the security team have been up to. In general the better job we do, the less anyone hears about it, but rest assured that we've been busy working away to ensure DotNetNuke is as secure as possible and to help out anyone who's concerned their site may have been hacked.

By cathal connolly on Saturday, November 28, 2009 2:40:00 PM

For anyone installing DotNetNuke on Windows 7/Windows 2008 RC2, there's been a subtle change in the default user used.

By cathal connolly on Thursday, November 26, 2009 9:25:00 AM
By cathal connolly on Friday, September 11, 2009 6:37:00 PM

The DotNetNuke security team would like to give a long overdue public welcome to our newest team member, Brandon Haynes.

By cathal connolly on Wednesday, September 02, 2009 9:38:00 PM
By cathal connolly on Thursday, May 21, 2009 12:38:00 PM

The 4.9.4 CE and PE versions of DotNetNuke have been released.

By cathal connolly on Monday, May 18, 2009 3:52:00 PM
By cathal connolly on Friday, January 02, 2009 8:17:00 PM
By cathal connolly on Wednesday, September 10, 2008 11:21:00 PM

The 4.9.0 version of DotNetNuke has been released.

By cathal connolly on Monday, June 30, 2008 11:58:00 PM
I've blogged before about how to make timeouts work correctly for persistent cookies, but thought I should also flag up a minor, but often requested, enhancement that will be in DotNetNuke 5.0. Whilst persistent cookies are useful for a lot of sites, in some cases they're not appropriate. Sites that require a higher level of security such as many financial, insurance, government or ecommerce sites often do not want to...
By cathal connolly on Thursday, June 26, 2008 1:18:00 AM