DNN Blog

Author: cathal connolly Created: 8/24/2005 7:28 AM
The opinions expressed here are the opinions of Cathal Connolly, and do not necessarily represent the views and opinions of the DotNetNuke Corporation.
By cathal connolly on Thursday, March 15, 2012 12:15:58 PM
The 6.1.4 CE and PE/EE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 6.1.4 Released.

The 6.1.4 release contains one security fix rated as “moderate”. As this issue was introduced in 6.0.0, no fix was required for earlier builds.

The bulletin for 6.1.4 can be read here:

Filemanager function fails to check for valid file extensions...
By cathal connolly on Thursday, February 02, 2012 4:12:59 PM
The 5.6.7 and 6.1.3 CE and PE/EE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 6.1.3/5.6.7 Released.

The 5.6.7 release only contains this one security fix (as per our Sunsetted releases policy, which can be read here), which is rated “critical”.

The bulletin for 5.6.7 can be read here:

Non-approved users can access user and role functions...
By cathal connolly on Friday, December 30, 2011 8:10:47 PM
On Thursday 29th December 2011 Microsoft released an out-of-band security update to address an issue with ASP.NET. This is a relatively rare thing, as Microsoft typically only releases security updates every 2nd Tuesday of the month (known as “Patch Tuesday”), so it indicates that this is a serious issue that Microsoft does not want to leave available for exploitation for another few weeks. The advisory can be read here...
By cathal connolly on Friday, December 23, 2011 7:24:04 PM
The 5.6.6 and 6.1.2 CE and PE versions of DotNetNuke have been released. The 6.1.2 release notes can be read @ DotNetNuke 6.1.2 Released. It contains two security fixes that resolve two “low” items.

The 5.6.6 release only contains these two security fixes (as per our Sunsetted releases policy, which can be read here).

The bulletins for the two items fixed in both...
By cathal connolly on Wednesday, November 02, 2011 11:47:19 PM
The 5.6.4 and 6.1.0 CE and PE versions of DotNetNuke have been released. The 6.1.0 release notes can be read @ DotNetNuke 6.1.0 Released. It contains two security fixes that resolve one “low” and one “medium” issue.

The 5.6.4 release only contains security fixes (as per our Sunsetted releases policy, which can be read here). The 5.6.4 release also contains 1 outstanding “low”...
By cathal connolly on 7/17/2011 3:15 PM
Whilst the out-of-the-box experience with DotNetNuke is pretty good, we all know that it’s with extensions such as skins and modules that the power of the platform comes into play. The ecosystem has created thousands of them and they can be integrated effortlessly like Lego blocks that snap together to build virtually any shape without the need to construct and maintain your own blocks. Whilst experienced DotNetNuke users know the common places to find new extensions such as SnowCovered...
By cathal connolly on Thursday, July 07, 2011 1:03:58 AM
The 5.6.3 CE and PE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 5.6.3 Released. This release contains fixes for two “low”, two “medium” and one “critical” security issues.

The bulletins can be read at

Ability to reactivate user profiles of soft-deleted users
User management mechanisms can be executed by invalid users...
By cathal connolly on Thursday, January 20, 2011 9:49:19 PM
The 5.6.1 CE and PE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 5.6.1 Released. This release contains fixes for two “critical” and five “low” security issues.

The bulletins can be read at

Edit Level Users have Admin rights to modules
Unauthenticated user can install/uninstall modules...
By cathal connolly on 1/11/2011 10:34 PM
The DotNetNuke wiki’s up to nearly 200 entries already, with a wide selection of content of interest to many different types of people. If you haven’t had a chance to look at it yet, please visit http://wiki.dotnetnuke.com/ (and while you’re there consider adding to it).

Whilst in the early days we concentrated on documenting lots of technical details such as providers, architecture, development and classes, the wiki also contains lots of...
By cathal connolly on 11/25/2010 11:13 PM
The DotNetNuke wiki continues to grow with more new pages added every week. If you haven’t had a chance to look at it yet, please visit http://wiki.dotnetnuke.com/ (and while you’re there consider adding to it).



We’ve already added lots of much needed documentation, but last week we also posted a note in the forums asking for topics people would like pages drawn up on. We’ll be working on those community suggestions over the next few...
By cathal connolly on Thursday, November 25, 2010 11:05:14 PM
The 5.6.0 CE and PE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 5.6.0 Released. This release contains a fix for one “low” security issue.

The bulletin can be read at

Exception details may leak if logging provider is unavailable (DNN 2010-13-L)

As always we recommend you upgrade as soon as possible.

If you're new to upgrading I recommend...
By cathal connolly on 11/10/2010 11:31 AM
The DotNetNuke wiki has more than doubled in the month since I started this series of blogs. If you haven’t had a chance to look at it yet, please visit http://wiki.dotnetnuke.com/ (and while you’re there consider adding to it).

This week I’d like to touch on the providers section. At present DotNetNuke supports 16 different providers, allowing users to...
By cathal connolly on 10/28/2010 9:42 PM
Another week, and the wiki continues to grow. Up to now I’ve mostly pointed out items of interest to developers, but today I’d like to point out something of broader interest – DotNetNuke AppSettings. Did you know that DotNetNuke has 11 separate AppSettings in the web.config? Whilst the default configuration is fine for most people, have you ever wondered what some of them do, or thought that perhaps you should consider tweaking some of them? Well, now all 11 are detailed here...
By cathal connolly on 10/19/2010 9:12 PM
The DotNetNuke wiki (http://wiki.dotnetnuke.com) continues to grow with new, valuable content being added on a daily basis. In the past 2 weeks it's grown by nearly 50% with a number of new pages created by DotNetNuke Corporation staff, core team members and the community.
By cathal connolly on Wednesday, October 06, 2010 8:58:00 PM
As some of you may know, last Friday we noticed some unexpected user activity on our site. Further checking showed that some administrative accounts had been compromised via the recent ASP.NET padding oracle issue. As this exploit allows a hacker to crack the machinekey values, it's extremely serious as these are (amongst other things) part of what's used to secure user passwords. The fix for this issue only came out midweek and we were still in the process of applying it, so we took the somewhat unprecedented...
By cathal connolly on Tuesday, October 05, 2010 6:03:25 PM
The DotNetNuke Wiki has been in place for a little while now, and is starting to grow as more people discover it. We’re hoping that its growth will start to accelerate, and the reference team are committed to making efforts to ensure it becomes a valuable, relevant place to look for help. If you haven’t had a chance to look at it yet, please visit http://wiki.dotnetnuke.com/ (and while you’re there consider adding to it). I plan on blogging regularly...
By cathal connolly on Friday, October 01, 2010 8:23:35 PM
A few days ago we alerted the community to the existence of a permanent fix from Microsoft for the padding oracle issue. At that point the fix was only available via Microsoft downloads, but now it’s available via Windows Update. This has the advantage of Windows Update identifying and applying the fix for all necessary versions of the framework installed.

We recommend all DotNetNuke sites apply this fix as soon as possible to resolve this issue permanently. Further details on the out-of-band release...
By cathal connolly on Tuesday, September 28, 2010 8:15:00 PM
Microsoft have just released a security update that resolves the padding oracle issue. It will be available via Windows Update in a few days, but if you want you can get a copy from Microsoft downloads. Scott Guthrie's blog @ http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx has all the relevant details.
By cathal connolly on Saturday, September 18, 2010 5:55:00 PM
A critical vulnerability in ASP.NET was publicly disclosed late Friday at a security conference. We recommend that all users immediately apply a workaround (described below) to prevent attackers from using this vulnerability against your DotNetNuke (and any other ASP.NET) applications.
By cathal connolly on Thursday, September 16, 2010 8:00:00 PM
Over the past few days we've had a number of community members send us links to various reports of a potential problem with the encryption of ASP.NET forms authentication. At this point there is very little information in the public domain about the specifics of it. We've been in contact with both of the authors of the original report, and are also working to gather as much relevant information as we can. If the issue is validated (Microsoft at this point have issued no public comment), we'll be well placed to see if there is anything we can do to mitigate the issue for DotNetNuke users.

...
By cathal connolly on Wednesday, August 18, 2010 10:19:00 PM
The 5.5.0 CE and PE versions of DotNetNuke have been released. The release notes can be read @ http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2747/DotNetNuke-5-5-release.aspx . This release contains a fix for one "medium" security issue.
By cathal connolly on Thursday, June 17, 2010 4:02:00 PM
The 5.4.3 CE and PE versions of DotNetNuke have been released. These releases include fixes for a number of "low" and "medium" security issues.
By cathal connolly on Tuesday, May 25, 2010 10:07:00 AM
The 5.4.2 CE and PE versions of DotNetNuke have been released. These releases include fixes for 2 "low" security issues.
By cathal connolly on 4/20/2010 9:54 AM

I recently blogged about the Portal Localization enhancements in DotNetNuke 5.4.0 (http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2580/Portal-Localization.aspx). Unfortunately there's a potential problem that may occur if users use a particular configuration. Read on to understand why this may occur and how to resolve it if it does.

By cathal connolly on 4/20/2010 9:16 AM

Whilst we've supported static localization for a number of years, we've never had a good content localization story, requiring those who wanted to support multiple different languages (cultures) in DotNetNuke to rely on 3rd party options. Whilst many of these are excellent, having a solution out of the box is always a nice idea. With 5.4.0 we've released the first part of a wave of content localization enhancements - in this case what we've called Portal Localization (other parts such as tab localization and module localization will be released in upcoming versions).

By cathal connolly on 4/20/2010 7:38 AM

 The 5.4.0 CE and PE versions of DotNetNuke have been released. The release notes can be read @ http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2575/DotNetNuke-5-4-0-Released.aspx


These releases fix a "critical" security issue that was introduced with the new user messaging component added in 5.3.0.

By cathal connolly on 3/17/2010 5:46 PM

A "low" security issue was fixed in 5.3.0 that can affect older browsers (Netscape Navigator 8.1 and Firefox 2.x).

By cathal connolly on 3/17/2010 1:25 AM

In a break from the normal we're reporting on an issue which is not a DotNetNuke problem, but rather an IIS (internet information server) problem. The reason we're doing this is that we've had a few reports of it being exploited in conjunction with very old DotNetNuke websites - specifically versions 3.0 to 4.8.2 that are running on Windows 2003/IIS6 and that have not followed Microsoft security best practices. We'd also like to provide some advice and guidance to the community and not allow any incorrect reports to cause undue concern.

By cathal connolly on 3/11/2010 4:33 PM

We've been working on introducing content localization enhancements for a while now. Back in 5.2.0 we started to add some of the API pieces and other supporting framework that we would build on and the original aim was for 5.3.0 to contain support for localisation portal settings. However, this has proved more tricky than it would originally appear, so rather than rush out an imperfect solution with 5.3.0, we've pushed it back a month to the 5.3.1 release.

By cathal connolly on 2/23/2010 7:03 PM

When under extremely heavy load there is a possibility that Microsoft ADO.NET classes may return "stale" data, i.e. the results of an old query rather than the result of the query that was just executed. This is quite a rare case and only exhibits under extreme load and/or insufficient resources. As the error comes from code external to DotNetNuke, i.e. somewhere within the .NET framework, ADO.NET or the database drivers themselves, our options were limited. A change introduced in 5.1.1 to mitigate this issue introduced a problem that may be seen by some users running 5.1.1 - 5.2.3. Whilst this has been fixed in 5.3.0, there is an optional workaround that users experiencing timeouts when upgrading/installing modules might consider.
