DNN Blog
Posted by: cathal connolly, Friday, January 02, 2009 8:17:00 PM
The 4.9.1/5.0 versions of DotNetNuke have been released.
These releases fix 1 "critical" security issue, discovered during an internal core audit conducted by a member of the security team. The details can be read here. Due to the severity of the issue, we recommend you upgrade as soon as possible.
If you're new to upgrading, I recommend you read the "detailed installation guide" found here, and the excellent set of blog entries from Erik here and here. For users who are running 4.6.2 or above, I recommend you read this blog entry, which details how to use the upgrade package to easily merge any web.config changes.
You can read more details about these issues and our security policy here.
Re: Security bulletins released
**comment edited - public discussion of exploits is not allowed***
Create a mailing list that mails as soon as a security hole is discovered, so that people immediately can fix it. Post a suggestion for a workaround for the people who do not have the time to instantly upgrade their sites. I'm not posting this workaround here, because that will show the exact security hole and that's against your security policy. In my opinion you should remove the "Disclosure Policy" from the security policy so that we can discuss solutions openly and solve them sooner.
By Paco Wensveen on
Friday, January 02, 2009 9:48:45 PM
Re: Security bulletins released
I disagree with Paco, I don't think identified security issues should be discussed openly until they are fixed (unless of course somebody decides to leak them which is not a good idea), all issues should be reported to security@dotnetnuke.com and then a discussion can take place with the reporter and the security team who will fix it.
On the other hand I completely agree that all issues should be discussed openly, just not security issues.
By Alex Shirley on
Friday, January 02, 2009 9:47:45 PM
Re: Security bulletins released
As with all security issues, we follow a policy. We first create the bulletin text, and link it from the security policy (on the security policy page @ www.dotnetnuke.com/News/SecurityPolicy/tabid/940/Default.aspx you will see the final link in the right hand side links to www.dotnetnuke.com/News/SecurityPolicy/Securitybulletinno24/tabid/1188/Default.aspx which describes the issue). This is the same issue linked to from the blog posts about 4.9.1/5.0 – as you can see it only affects 4.5.2-4.9, and requires a valid user on the site. The bug was discovered by a member of the security team during an internal audit.
In all communications we have mentioned that the issue is critical; if you read the description of that status you'll see that we recommend you immediately update.
Also, as per policy, you'll see that on the roadmap (support.dotnetnuke.com/project/ChangeLog.aspx?PROJID=2) the issue is listed as resolved in 4.9.1 (the work item links to support.dotnetnuke.com/issue/ViewIssue.aspx?id=8995&PROJID=2).
I also create a blog post on the security blog that details when a release has security implications (that's why this post exists).
We do not send out emails detailing security issues, instead there is a section on the DotNetNuke newsletter where they are detailed. I would guess that one of these would be sent out early in the new year.
If you have any further comment, please email security@dotnetnuke.com.
By cathal connolly on
Friday, January 02, 2009 11:33:14 PM