No notifications by DNN about security issues?

7/22/2006 1:56 PM
 

I was just directly notified by DNN Modules, that I should lock down my sites because some of them are still running DNN 3.2.  I feel these sorts of notifications are an absolutely imperative aspect of running a professional-grade platform.  Why wasn't this told to us directly by DNN?



Shane Miller
Call Centers 24x7
 
7/22/2006 3:26 PM
 
As far as I understand, only previous versions of 3.3.x and 4.3.x are affected - and those versions were release candidates that should not be used in production environments!

Cheers from Germany,
Sebastian Leupold

 
7/22/2006 3:40 PM
 

Actually that's not accurate; the problem exists in 3.2.2 and possibly earlier versions as well. 3.2.2 is an actual production version, still available for download.  Since many users still continue running it, and earlier versions, this begs the question again:  why was this not announced --- not even to Platinums?

Bugs are inevitable but how can I have confidence in a platform which doesn't follow the industry-standard methodology of publishing patches and notifications of security holes --- even to its most-trusted sponsors?



Shane Miller
Call Centers 24x7
 
7/22/2006 4:32 PM
 

I don't want to comment too much on this but it is standard practice to give a vendor sufficient time to diagnose and fix a problem fully and not go public with the details (most vulnerability reporters allow 60-120 days notice to companies before beginning the process of disclosure - Richard let us know this less than 5 days ago). We are in the process of checking to see the potential impact, affected version(s), as well as seeing what options need to be made available (i.e. ways to mitigate, alternative fixes, code patches etc.). This is obviously not something you do overnight. FYI I have exchanged a number of mails with Richard this week and had a number of IM chats, and I know Shaun has also exchanged emails with him - so I'm not sure why he's come to his current conclusion.

Cathal


 
7/22/2006 5:55 PM
 

Ah okay, since I was mentioned.  Notice I didn't post in here, just my own forums for our customers.  And since Shane hosts our site, I sure wanted him to know about it as well.

Shane's point is his own, and I happen to think it's a really good one.  You're almost implying I shouldn't have informed my clients of potential issues outside of our own code.  I happen to be concerned about our credibility, and DotNetNuke's use of unauthorized and unapproved statements in regards to us.  If the comment is, well, we should inform our customers, then so be it - but then again, informing our users of an issue does not seem out of my realm of responsibility. Since there are no bulletins for any release of DNN, this would seem to indicate that there have been no security corrective fixes in DNN at all in the last two some odd years.  Thus my conclusions.

Unlike core team (which Cathal - purportedly you approved the content), I didn't blather it all over the place and in here, nor release any technical details at all, and definitely no details that someone could even derive what the possible issue is and therefore, exploitable sites.  That and any ancillary reporting, I left up to dotnetnuke's security team.

Anyways, this wasn't meant to be a forum post in here, otherwise, I would have done that first.

Cheers,

Richard
DNN Modules

 