  • Laurence Gillian (595 posts, 1211 karma points)
    Feb 20, 2017 @ 16:44

    Security Issues < Bleeding Edge

    Hey!

    When Umbraco discovers a security issue you currently release a blog post about it which generally advises downloading new DLLs, etc.

    If you are running the bleeding edge version of Umbraco handling these updates is pretty simple, but if you're running multiple versions of Umbraco it starts to get much trickier to handle the updates.

    I wanted to 'bounce' (hopefully not literally!) a few ideas around, perhaps some of you guys have a killer solution to this, or it's something that could be improved in the future.

    I have some scenarios below, which I feel are kind of common, but at the moment not as easy as they could be!

    Scenarios / Stories

    1. As an agency I am taking over an Umbraco site. I want to ensure the Umbraco instance is using the secure versions of the DLLs.

    2. As an owner I want to ensure I'm running a secure version of Umbraco, to do this I want to check the version I am using via the About Dialogue.

    3. As an agency I want to make sure that all of my Umbraco instances are running security-safe versions of Umbraco.

    Current solutions

    As far as I know the current solutions are:

    1. Use UaaS (v7+ only)
    2. Manually update by finding all the security issues on the blog, then check your Umbraco instance, and update the DLLs starting from the oldest security issue to the latest. (Then make a note of it, so someone else doesn't end up doing it again in the future!)
    3. Update to the latest V7 version of Umbraco

    Fictional solutions

    1. When a security hotfix is released - release a new NuGet package for each version of Umbraco (e.g. 7.5.8.1)

      As a developer I update my project to use the updated NuGet package. This might have to be via a new Package due to limitations

    2. Add a feature inside Umbraco that checks that the DLLs being used are a version that is 'secure'

      When the user clicks a button, a fingerprint of the DLLs is sent to an imaginary security checker API. If the fingerprint does not match, advise the type of upgrade that is needed.

    3. The ability to increment the Umbraco version when it's been patched would just be so unbelievably cool ;-)

    Current pitfalls / issues / confusions

    1. When using CI: if the project references NuGet Umbraco binaries, when a developer pushes changes, the updated secure binaries are replaced with the insecure ones when the project is built.

    2. Which versions of Umbraco are still supported from a security point of view? I couldn't find any mention of versions which are no longer being patched on the website.

    Best wishes, Laurie

    p.s. it's awesome that there's only 7 security issues that have been reported this way :-D H5YR ;-)
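    Editor's added example (not code from the original post or from Umbraco): one way to get the "fingerprint the DLLs and compare" check from fictional solution 2 and the multi-instance audit from scenario 3 without waiting for an API. The script hashes every DLL in a site's bin folder and compares the digests against a manifest of known-good and known-bad hashes. The manifest, the DLL names and the file contents below are constructed stand-ins built in a temp directory; they are not real Umbraco binaries or real hotfix hashes, and an agency would populate the manifest from the DLLs shipped with each security blog post.

```python
"""Fingerprint the DLLs in Umbraco bin folders and compare them against a
manifest of known-good (patched) and known-bad (unpatched) SHA-256 digests."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set

# Constructed sample "binaries" standing in for real DLLs (assumption: the
# names and bytes are made up for this demo, they are not Umbraco files).
PATCHED_BINARIES = {
    "umbraco.dll": b"fake umbraco core, hotfix applied",
    "umbraco.core.dll": b"fake umbraco core library, hotfix applied",
    "businesslogic.dll": b"fake business logic",
}
UNPATCHED_UMBRACO_DLL = b"fake umbraco core, hotfix NOT applied"

# Manifest of acceptable digests per DLL, derived from the patched bytes above.
KNOWN_GOOD: Dict[str, Set[str]] = {
    name: {hashlib.sha256(data).hexdigest()} for name, data in PATCHED_BINARIES.items()
}
# Digests known to belong to a vulnerable build, with the reason to report.
KNOWN_BAD: Dict[str, Dict[str, str]] = {
    "umbraco.dll": {
        hashlib.sha256(UNPATCHED_UMBRACO_DLL).hexdigest(): "hotfix not applied (demo reason)"
    }
}


def sha256_file(path: Path) -> str:
    """Stream the file so large DLLs do not need to fit in memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fingerprint_bin(bin_dir: Path) -> Dict[str, str]:
    """Map lower-cased DLL file name -> SHA-256 hex digest for one bin folder."""
    return {p.name.lower(): sha256_file(p) for p in sorted(bin_dir.glob("*.dll"))}


def check_site(bin_dir: Path, known_good: Dict[str, Set[str]],
               known_bad: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Return {dll: status}; status is 'ok', 'missing', 'unknown' or
    'vulnerable: <reason>'. 'unknown' means the hash matched neither list and
    needs a human to look at the file version before trusting the site."""
    actual = fingerprint_bin(bin_dir)
    report = {}
    for name, good_hashes in known_good.items():
        if name not in actual:
            report[name] = "missing"
        elif actual[name] in good_hashes:
            report[name] = "ok"
        elif actual[name] in known_bad.get(name, {}):
            report[name] = "vulnerable: " + known_bad[name][actual[name]]
        else:
            report[name] = "unknown"
    return report


def site_is_secure(report: Dict[str, str]) -> bool:
    """A site only passes when every manifest DLL is present and known-good."""
    return all(status == "ok" for status in report.values())


def build_demo_site(root: Path, name: str, patched: bool) -> Path:
    """Write a constructed bin folder; an unpatched site keeps the old umbraco.dll,
    which is what a CI build pulling the original NuGet package would leave behind."""
    bin_dir = root / name / "bin"
    bin_dir.mkdir(parents=True)
    for fname, data in PATCHED_BINARIES.items():
        if fname == "umbraco.dll" and not patched:
            data = UNPATCHED_UMBRACO_DLL
        (bin_dir / fname).write_bytes(data)
    return bin_dir


def run_demo() -> Dict[str, Dict[str, str]]:
    """Audit two constructed sites, one patched and one not, and return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sites = {
            "site-a": build_demo_site(root, "site-a", patched=True),
            "site-b": build_demo_site(root, "site-b", patched=False),
        }
        return {name: check_site(bin_dir, KNOWN_GOOD, KNOWN_BAD) for name, bin_dir in sites.items()}


if __name__ == "__main__":
    for site, report in run_demo().items():
        print(site, "SECURE" if site_is_secure(report) else "ACTION NEEDED", report)
```

    Run it from a CI step after the build output is produced, not before, so the NuGet-restore pitfall above (the patched DLL being overwritten by the package version) is caught on the artefact that actually gets deployed. Treat 'unknown' as a failure rather than a pass: a hash that matches nothing in the manifest is exactly the case where someone has dropped in a DLL nobody has verified.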

  • Sebastiaan Janssen (4847 posts, 14391 karma points, MVP, admin, hq)
    Feb 20, 2017 @ 19:23

    Fantastic question! I will be thinking about this and will check back in soon!
