
PowerDNN Security Hotfix
New Post
5/23/2008 11:42 AM
 

Hi All,
I've been watching things on the forum the past couple days and I've noticed that PowerDNN is getting flamed for hotfixing their customers with a critical security vulnerability.  I have a couple questions about this.

1)  Why is the core team spending all their time flaming PowerDNN and not releasing a patch?
2)  Why is it that DotNetNuke.com is patched but the core team has not released the fixes to the public?

Bill

 
New Post
5/23/2008 12:06 PM
 

Bill,

Please be aware that the core team is taking any security issue very seriously.

  1. The core team has been working hard to analyse the security issues (which have not been classified to be "hyper-critical" by our security experts) and was working for a sustainable solution, which will be included in DNN 4.8.3, as we do not provide patches which might expose the vulnerability to anyone for reverse engineering. DNN 4.8.3 will be tested internally for a few days and be published asap.
  2. If the "security scanner" states DotNetNuke.com as being secure, this simply exposes that the tool is unable to guess the version running (due to a number of .txt files removed) - because this is all the tool is able to "analyse", not if it really has been "patched". Fixing the issue to expose version number will be another change in DNN 4.8.3.

I also suggest reading the latest Blog posts by Shaun Walker and Joe Brinkman.


Cheers from Germany,
Sebastian Leupold

 
New Post
5/23/2008 12:07 PM
 

Bill,

Very good questions. Seems to me the effort should have been in the form of a quick fix and release. Instead, too much effort was spent on the "defensive" side of the equation.

If PowerDNN received a black eye in any way from their handling of the situation (which is open to interpretation), then the core team and many community members received two black eyes for their handling of it.

The public "lynching", the finger pointing, the labeling of PowerDNN as greedy and opportunistic, all reflect poorly on DotNetNuke itself, the Core Team, and the entire community.

There are quite a few people that should be embarrassed by their reaction in these forums.

 

Edward DeGagne | Applications Engineering Manager
ektron, inc.
542 Amherst Street, Route 101A | Nashua, NH 03063

 

 
New Post
5/23/2008 12:20 PM
 

Bill:

With all due respect, you apparently have not read all posts from the Core Team members; there are multiple threads going on about this and not all have the responses from the Core Team.  If you did, you would have seen that the Core Team cannot just take the alleged patch without looking at the possible problem, understanding what the issue is, implementing the change, and testing it properly.  They are actually working on it as we speak, and it may take a couple of days.  PowerDNN didn't say how long they took to find the issue and to fix it or whether it was actually exploited.  The Core Team has not actually been flaming PowerDNN, they were just clarifying at one particular point in time that they had not received communications from PowerDNN even though they were claiming they had sent the pertinent info to the DNN security address, they took their time.

Don't know if you saw the following post, that basically started the whole thing when the proverbial caca hit the fan: http://www.dotnetnuke.com/Community/Forums/tabid/795/forumid/112/threadid/228802/scope/posts/threadpage/5/Default.aspx

I hope this answers your questions.

Carlos

 

 
New Post
5/23/2008 12:26 PM
 

I have failed to find the module on DotNetNuke.com that shows a breakdown of Core-Team members' time spent posting, in relation to time spent working on security fixes.

I did however find a couple blog posts at http://www.dotnetnuke.com/tabid/825/default.aspx

And I am left wondering if the other posters in this thread crying for a quick-patch are in the correct DNN roles to access the same page?

On a side note to keep some focus:  I promise you, whatever operating system your main computer is running:  It has more serious security flaws in it than whatever the hell is being patched in DNN 4.8.3.

 