Questions About Umbraco Forms Security Advisory Feb2017
If you have questions about today's security advisory, please ask here and we'll get back to you ASAP.
Now you made me very curious :-)
Unfortunately this usually means it's not good news, sorry. :-)
https://umbraco.com/blog/security-advisory-update-umbraco-forms-immediately/
Hello,
In case some of us don't stumble upon the blog, or catch it at a later date, will you be actively emailing the people who bought licenses?
Thanks!
Yes emails are being sent to license purchasers right now.
If I drag and drop the DLL you provided onto my Azure hosted site, will that resolve this issue for me?
Yes.
We have had to make a lot of customisations around Forms behaviour and an update is very likely to break things for us.
Is there any chance of a little more detail on what has changed/what the threat is?
All I can tell you is that there are absolutely no breaking changes. If you need more information, send an email to [email protected]
Should Umbraco still report on the dashboard the previous installed version after applying the update (manual method)? I'm sure it should but just want to check.
Yes.
Hi Seb
So if an Umbraco site has been upgraded to Umbraco 7, and the client has kept Contour...
... so they are not using Umbraco Forms...
... but the Umbraco.Forms.Core.Providers.dll is still present within the bin folder, because it ships with 7?
.. then are they affected ?
or only affected if they have hit the 'install' button on the Install Umbraco Forms dashboard...
... eg they actually have to be actively using Umbraco Forms to be affected, or is the dll lying dormant still an issue.
(just prioritising my to patch list)
regards
Marc
If Forms is not installed: no problem. If it gets installed in the future it will install 4.4.2 - no problem.
If Forms is installed, even not in use now: need to update in case it gets used in the future.
Hi,
I believe that we are using Contour and not Umbraco Forms, however, whilst everything in Umbraco says Contour and the plugin is called Contour, the related dlls are called Umbraco.Forms.* and specifically the Umbraco.Forms.Core.Providers.dll is present.
Does this mean that we are affected or are Contour dlls also called Umbraco.Forms?
Thanks, Mark
Contour is not affected, yes, the dlls are named Umbraco.Forms as that was always the codename for Contour before Contour was renamed to Umbraco Forms.
If you look at the version of Umbraco.Forms.Core.dll then it should be lower than 4.0.0. Umbraco Forms is 4.0.0 and up.
Hope that helps!
Yep, that helps, thanks. I thought that would be the case, but wanted to make sure.
Hello,
The issue is on what Umbraco Forms versions? All Umbraco Forms versions below 4.4.2 should be updated?
Thanks
Yes, all versions below 4.4.2 should be updated.
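The version rules given in the replies above (below 4.0.0 is Contour, Forms below 4.4.2 needs the update), written as a triage script for several sites. This is an added example, not part of the original thread or Umbraco's own tooling. The site root `C:\inetpub\sites`, the patch path `C:\patch\...` and the function name `Get-FormsPatchStatus` are assumptions.

```powershell
# Added example: triage site bin folders for the Feb 2017 Umbraco Forms advisory.
# Thresholds (4.0.0 and 4.4.2) are the ones stated in this thread.
function Get-FormsPatchStatus {
    param(
        [string]$BinPath,         # a site's bin folder
        [string]$PatchedDllPath   # optional: the fix DLL downloaded for that site's version range
    )
    $core      = Join-Path $BinPath 'Umbraco.Forms.Core.dll'
    $providers = Join-Path $BinPath 'Umbraco.Forms.Core.Providers.dll'
    $result    = [ordered]@{ BinPath = $BinPath; CoreVersion = $null; Status = $null }

    if (-not (Test-Path -LiteralPath $core)) {
        $result.Status = 'Umbraco.Forms.Core.dll not found'
        return [pscustomobject]$result
    }

    # Use the numeric parts: the FileVersion string can carry extra text.
    $info = (Get-Item -LiteralPath $core).VersionInfo
    $v = [version]('{0}.{1}.{2}' -f $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)
    $result.CoreVersion = $v.ToString()

    if ($v -lt [version]'4.0.0') {
        $result.Status = 'Contour (below 4.0.0): not affected'
    } elseif ($v -ge [version]'4.4.2') {
        $result.Status = 'Forms 4.4.2 or later: no update needed'
    } elseif ($PatchedDllPath -and (Test-Path -LiteralPath $providers) -and
              (Get-FileHash -LiteralPath $providers -Algorithm SHA256).Hash -eq
              (Get-FileHash -LiteralPath $PatchedDllPath -Algorithm SHA256).Hash) {
        # A DLL-only fix leaves the reported version unchanged, so compare
        # file hashes against the downloaded fix instead.
        $result.Status = 'Forms below 4.4.2: fix DLL in place'
    } else {
        $result.Status = 'Forms below 4.4.2: update required'
    }
    [pscustomobject]$result
}

# Assumed layout: one folder per site, each with a bin subfolder.
Get-ChildItem 'C:\inetpub\sites' -Directory | ForEach-Object {
    Get-FormsPatchStatus -BinPath (Join-Path $_.FullName 'bin') `
                         -PatchedDllPath 'C:\patch\Umbraco.Forms.Core.Providers.dll'
} | Format-Table -AutoSize
```

The script cannot tell whether Forms was ever installed on a site, so a result of "update required" on a site where Forms was never installed falls under the "not installed: no problem" reply above.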
We are finding on many projects that a nuget UpdatePackage is not upgrading all files correctly; the vulnerable dll gets updated, but not all content files (including some of the backoffice Javascript) - this results in various Angular/console errors.
We've resorted to removing the nuget package, and then re-adding it - this ensures all files are updated correctly.
http://issues.umbraco.org/issue/CON-1287 logged for now, although more investigation is needed to flesh out the detail.
Phil
We have just noticed that this update is stopping the datepicker working on our site.
I have just copied back the previous Umbraco.Forms.Core.Providers.dll we had, and the datepicker starts working again. Properties of the old dll say version 4.3.2, and we have forms version 4.3.2, and downloaded the fix for Umbraco Forms versions from 4.3.0 up to and including 4.4.1
There are no errors shown in Firefox, Chrome or IE11 debug tools.
Looking in the debug tools in Firefox, I can see that the pickaday.js & pickaday.css are not being loaded with the updated .dll file; there is no reference to them in the HTML of the page.
As a quick test copied the new dll back and the datepicker stops working, copy back the old dll and the datepicker is back!
Hi Mike,
I will need to do some tests & investigation to see if I can reproduce and help sort this out.
Can you clarify if the following file is present please:
I suspect it may be missing, if so you can upgrade to the latest Forms 4.4.2 as opposed to just the DLL.
As always back up everything before doing upgrades.
Please let me know Mike, if this resolves your problems.
Thanks,
Warren
Hi Warren,
You are correct, that file does not exist.
We have not done many updates on packages as due to the security setup on our servers & networks it never seems to go quite right.
Anyway, I downloaded the latest Forms package file and did a manual upgrade using Install Local Package as the server has no outbound internet access.
Crossed fingers and it installed, and everything is working good, it has the updated .dll file, and now the DatePicker.cshtml file is also there.
Thanks for your help
Mike
Hi Guys,
Had a worrying moment this morning, I uploaded the new Umbraco.Forms.Core.Provider.dll to my bin folder which caused the site to crash.
The site is running Umbraco 7.4.3, and Umbraco Forms 4.3.2 and I definitely uploaded the right .dll (dll version 4.3.0 - 4.4.1)
I reverted back to the old .dll, however the site would not come back online. I stopped the site in IIS, and also stopped the application pool, however after stopping the application pool, I could not get it to start again (it was throwing an error).
I created a new application pool and linked this to the existing site, restarted the site and it worked.
Has anyone else had any issues like this?
I have around 10 other sites I need to update, but after this I'm a bit worried about taking more sites down.
Thanks
Darren
Hi Darren,
Can you reproduce it locally and get a stack trace error that may indicate what the problem is?
Thanks,
Warren
Hi Warren,
This is strange, I just ran the project locally with the new .dll and it's working without any issues.
Darren
Hi Warren,
Bit of an update, I re-uploaded the .dll again, and the site seems to be working now, very strange.
Thanks for coming back to me.
Darren
Do we have to patch this if we are using the old Contour 3.0.8? Is this just for the new Umbraco Forms?
Thanks
Hi JLon, you do not need to do anything as the blog post mentions this:
Many Thanks,
Warren :)