September 27, 2010

DotNetNuke 5.5.1 Update and POET Security Vulnerability

For just over a week there has been a lot of buzz in the .NET and DotNetNuke communities around the POET security vulnerability that was identified within the Microsoft ASP.NET technology stack.  For those of you unaware of the details of this vulnerability, I highly recommend you read the initial announcement from Scott Guthrie of Microsoft, his Frequently Asked Questions post, and his follow-up post with a more detailed workaround.  So why do I bring this up now?  Late last week DotNetNuke Corporation released DotNetNuke 5.5.1, and the materials that went out with that release note that it includes a workaround fix for this vulnerability.  As always, I want to make sure that people have ALL the information they need before doing upgrades.

What DotNetNuke 5.5.1 provides

In an amazingly fast turnaround, DotNetNuke Corporation has incorporated into the DotNetNuke 5.5.1 package an automatic application of the Microsoft-recommended workaround for the CustomErrors configuration outlined in Scott's blog posts linked above.

For those individuals doing new site setups, or for those that are upgrading existing 5.x sites, this is helpful as it will automatically ensure that your site is fully up to date, with the best applicable workaround in place.

What Alternatives are Available?

Now, I want to clear up a common misconception: you DO NOT need to upgrade to 5.5.1 to protect yourself from the POET security vulnerability.  The Microsoft-recommended changes can be successfully applied to ANY DotNetNuke installation version; an upgrade to 5.5.1 is therefore not mandatory to improve the security of your site.

My reason for mentioning this is that I still strongly recommend a detailed review process PRIOR to upgrading to a new version of DotNetNuke.  This includes cases where security patches are included.
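To confirm that the workaround is in place on an installation of any version, the site's web.config can be checked directly. The script below is an added example, not code from this post or from DotNetNuke; it tests the conditions of the customErrors workaround in Scott Guthrie's posts (one defaultRedirect page, no per-status entries, and ResponseRewrite on .NET 3.5 SP1 and 4.0). The function names and sample configurations are constructed for illustration, and accepting RemoteOnly as well as On is an assumption.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop any XML namespace so a config with xmlns on <configuration> still matches.
    return tag.rsplit("}", 1)[-1]

def _child(parent, name):
    return next((c for c in parent if _local(c.tag) == name), None)

def audit_custom_errors(web_config_xml, redirect_mode_supported=False):
    """Check the root <system.web>/<customErrors>; an empty list means no findings.

    Set redirect_mode_supported=True for sites on .NET 3.5 SP1 or 4.0.
    <location>-scoped overrides are not inspected.
    """
    root = ET.fromstring(web_config_xml)
    system_web = _child(root, "system.web")
    node = _child(system_web, "customErrors") if system_web is not None else None
    if node is None:
        return ["customErrors element missing"]
    findings = []
    # ASP.NET treats a missing mode attribute as RemoteOnly.
    # Assumption: RemoteOnly is accepted because remote clients still get the custom page.
    mode = node.get("mode", "RemoteOnly")
    if mode not in ("On", "RemoteOnly"):
        findings.append("mode is %r" % mode)
    if not node.get("defaultRedirect"):
        findings.append("defaultRedirect not set")
    # Per-status <error> children make different failures distinguishable again.
    if any(_local(c.tag) == "error" for c in node):
        findings.append("per-status <error> entries present")
    if redirect_mode_supported and node.get("redirectMode") != "ResponseRewrite":
        findings.append("redirectMode is not ResponseRewrite")
    return findings

# Constructed sample configurations (not taken from any DotNetNuke release).
WEAK = '<configuration><system.web><customErrors mode="Off" /></system.web></configuration>'
PER_STATUS = ('<configuration><system.web>'
              '<customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx">'
              '<error statusCode="404" redirect="~/404.aspx" /></customErrors>'
              '</system.web></configuration>')
FIXED = ('<configuration><system.web><customErrors mode="On" '
         'redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />'
         '</system.web></configuration>')

if __name__ == "__main__":
    for name, xml in (("WEAK", WEAK), ("PER_STATUS", PER_STATUS), ("FIXED", FIXED)):
        print(name, audit_custom_errors(xml, redirect_mode_supported=True))
```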

tags: DNN, ASP.NET, DNN Administration, DNN Install/Upgrade

Content provided in this blog is provided "AS-IS" and the information should be used at your own discretion.  The thoughts and opinions expressed are the personal thoughts of Mitchel Sellers and do not reflect the opinions of his employer.

Content Copyright

Content in this blog is copyright protected.  Re-publishing on other websites is allowed as long as proper credit and backlink to the article is provided.  Any other re-publishing or distribution of this content is prohibited without written permission from Mitchel Sellers.