When Umbraco discovers a security issue you currently release a blog post about it which generally advises downloading new DLLs, etc.
If you are running the bleeding edge version of Umbraco handling these updates is pretty simple, but if you're running multiple versions of Umbraco it starts to get much trickier to handle the updates.
I wanted to 'bounce' (hopefully not literally!) a few ideas around, perhaps some of you guys have a killer solution to this, or it's something that could be improved in the future.
I have some scenarios below, which I feel are kind of common, but at the moment not as easy as they could be!
As an agency I am taking over an Umbraco site. I want to ensure the Umbraco instance is using the secure versions of the DLLs.
As an owner I want to ensure I'm running a secure version of Umbraco, to do this I want to check the version I am using via the About Dialogue.
As an agency I want to make sure that all of my Umbraco instances are running security safe versions of Umbraco.
As far as I know the current solutions are:
When a security hotfix is released - release a new NuGet package for each version of Umbraco (e.g. 18.104.22.168)
As a developer I update my project to use the updated NuGet package. This might have to be via a new Package due to limitations
Add a feature inside Umbraco that checks the DLLs being used are a version that is 'secure'.
When the user clicks a button, it sends a fingerprint of the DLLs to an imaginary security checker API. If the fingerprint does not match, advise the type of upgrade that is needed.
The ability to increment the Umbraco version when it's been patched would just be so unbelievably cool ;-)
When using CI - If the project references NuGet Umbraco binaries, when developer pushes changes, the updated secure binaries are replaced with the insecure ones when the project is built.
Which versions of Umbraco are still supported from a security point of view? I couldn't find any mention of versions which are no longer being patched on the website.
Best wishes, Laurie
p.s. it's awesome that there are only 7 security issues that have been reported this way :-D H5YR ;-)
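The DLL fingerprint check suggested in the post above, sketched as an added example (not part of the original post and not Umbraco's code): it hashes the DLLs in a site's bin folder and compares them with a manifest of patched-build hashes. The manifest format, the `audit_bin` function and the `Sample.*` file names are assumptions, and the files are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assemblies are handled."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_bin(bin_dir: Path, manifest: dict) -> dict:
    """Return {dll name: "ok" | "mismatch" | "missing"} for every manifest entry.

    manifest maps a DLL file name to the SHA-256 of its patched build
    (hypothetical format, assumed to come from a source you trust).
    """
    # Windows file names are case-insensitive, so index the folder in lower case.
    on_disk = {p.name.lower(): p for p in bin_dir.iterdir()
               if p.is_file() and p.suffix.lower() == ".dll"}
    report = {}
    for name, expected in manifest.items():
        path = on_disk.get(name.lower())
        if path is None:
            report[name] = "missing"
        elif fingerprint(path) == expected.lower():
            report[name] = "ok"
        else:
            report[name] = "mismatch"  # unpatched, or modified: needs an upgrade
    return report

def demo() -> dict:
    """Constructed sample: placeholder files stand in for a site's bin folder."""
    patched = b"constructed bytes of a patched build"
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp)
        (bin_dir / "Sample.Core.dll").write_bytes(patched)
        (bin_dir / "Sample.Web.DLL").write_bytes(b"constructed unpatched bytes")
        manifest = {
            "Sample.Core.dll": hashlib.sha256(patched).hexdigest(),
            "Sample.Web.dll": hashlib.sha256(b"constructed patched web").hexdigest(),
            "Sample.Data.dll": "0" * 64,  # listed in the manifest, absent on disk
        }
        return audit_bin(bin_dir, manifest)
```

Running one manifest per Umbraco version against each site's bin folder covers the multi-instance scenario, since only hashes are compared and no binaries leave the server.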
Fantastic question! I will be thinking about this and will check back in soon!