Security Issues < Bleeding Edge
Hey!
When Umbraco discovers a security issue you currently release a blog post about it which generally advises downloading new DLLs, etc.
If you are running the bleeding edge version of Umbraco, handling these updates is pretty simple, but if you're running multiple versions of Umbraco it starts to get much trickier to handle the updates.
I wanted to 'bounce' (hopefully not literally!) a few ideas around, perhaps some of you guys have a killer solution to this, or it's something that could be improved in the future.
I have some scenarios below, which I feel are kind of common, but at the moment not as easy as they could be!
Scenarios / Stories
As an agency I am taking over an Umbraco site. I want to ensure the Umbraco instance is using the secure versions of the DLLs.
As an owner I want to ensure I'm running a secure version of Umbraco; to do this I want to check the version I am using via the About dialogue.
As an agency I want to make sure that all of my Umbraco instances are running security-safe versions of Umbraco.
Current solutions
As far as I know the current solutions are:
Use UaaS (v7+ only)
Manually update by finding all the security issues on the blog, then check your Umbraco instance, and update the DLLs starting from the oldest security issue to the latest. (Then make a note of it, so someone else doesn't end up doing it again in the future!)
Update to the latest V7 version of Umbraco
Fictional solutions
When a security hotfix is released - release a new NuGet package for each version of Umbraco (e.g. 7.5.8.1)
As a developer I update my project to use the updated NuGet package. This might have to be via a new Package due to limitations
Add a feature inside Umbraco that checks that the DLLs being used are a version that is 'secure'.
When the user clicks a button, it sends a fingerprint of the DLLs to an imaginary security checker API. If the fingerprint does not match, advise the type of upgrade that is needed.
The ability to increment the Umbraco version when it's been patched would just be so unbelievably cool ;-)
Current pitfalls / issues / confusions
When using CI: if the project references NuGet Umbraco binaries, when a developer pushes changes, the updated secure binaries are replaced with the insecure ones when the project is built.
Which versions of Umbraco are still supported from a security point of view? I couldn't find any mention of versions which are no longer being patched on the website.
Best wishes, Laurie
p.s. it's awesome that there are only 7 security issues that have been reported this way :-D H5YR ;-)
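The "fingerprint the DLLs and compare against a known-good list" idea above, as an added example that is not part of the original post or of Umbraco itself: it hashes every DLL in a site's bin folder and reports which ones are missing or do not match a manifest of patched builds that an agency maintains for each release line it supports. The manifest format, the file names and the sample bytes are constructed assumptions, not real Umbraco hashes.

```python
"""Hash-based fingerprint check for an Umbraco site's /bin folder.

Added example, not code from the forum post or from Umbraco.  The manifest
layout is hypothetical; the sample bytes stand in for real DLL contents.
"""
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the files found in a site's /bin folder.
SAMPLE_FILES = {
    "umbraco.dll": b"fake patched umbraco core 7.5.8.1",
    "umbraco.businesslogic.dll": b"fake UNPATCHED businesslogic 7.5.8",
    "Newtonsoft.Json.dll": b"third-party library, not in the manifest",
}

# Hypothetical manifest: SHA-256 of each DLL as shipped by the hotfixed build.
# Values are derived from the constructed bytes above, not from real binaries.
PATCHED_MANIFEST = {
    "umbraco.dll": sha256_hex(b"fake patched umbraco core 7.5.8.1"),
    "umbraco.businesslogic.dll": sha256_hex(b"fake patched businesslogic 7.5.8.1"),
}


def fingerprint_bytes(files: dict) -> dict:
    """Fingerprint an in-memory {name: bytes} map (used for the sample data)."""
    return {name: sha256_hex(data) for name, data in files.items()}


def fingerprint_dir(bin_dir) -> dict:
    """Fingerprint every *.dll in a real bin folder, e.g. the site's /bin."""
    return {p.name: sha256_hex(p.read_bytes()) for p in Path(bin_dir).glob("*.dll")}


def check_against_manifest(fp: dict, manifest: dict) -> dict:
    """Classify each manifest entry as 'ok', 'mismatch' (unpatched or unknown
    build) or 'missing'.  DLLs not listed in the manifest are ignored."""
    report = {}
    for name, expected in manifest.items():
        actual = fp.get(name)
        if actual is None:
            report[name] = "missing"
        elif actual.lower() == expected.lower():
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    return report


def needs_upgrade(report: dict) -> list:
    """Names of the DLLs that must be replaced before the site counts as patched."""
    return sorted(name for name, status in report.items() if status != "ok")


if __name__ == "__main__":
    result = check_against_manifest(fingerprint_bytes(SAMPLE_FILES), PATCHED_MANIFEST)
    for name, status in sorted(result.items()):
        print(f"{status:9} {name}")
    print("upgrade needed:", needs_upgrade(result))
```

Running `check_against_manifest(fingerprint_dir(r"C:\inetpub\site\bin"), ...)` as a post-build CI step also catches the pitfall above, where a build silently puts the NuGet (unpatched) binaries back.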
Fantastic question! I will be thinking about this and will check back in soon!