Latest from the umbraco blog

Codegarden - the Umbraco event of the year, is less than a month away, and its time to reveal the complete program, which in my humble opinion is the best speaker line-up we have ever had.

Watch the complete program here, we are adding the complete session abstracts as we get them reviewed and approved by speakers.

We have case stories from Redbull, Sainsbury's, The danish state and german hospitals. Indepth tech sessions on the core API's, data layer and request pipeline. As well as sessions on the Umbraco 7 UI, Umbraco as a Service, Responsive Imaging, designing websites in the browser and so much more. 

All presented by experienced and knowledgeable speakers.

We are running out of tickets

There are only about 40 tickets left now, so if you havn’t already purchased your ticket, it is about time to do so. All codegardens in the past have sold out, and do you really want to miss this? - get your ticket here.

More then just the planned sessions

Besides the planned sessions, there is a complete track of open hackathon sessions, with guidance from Umbraco HQ developes, Core team members and community geniueses.

A whole day of open space sessions, where the community come together to discuss the present and future direction of Umbraco as an open source project, software and community.

Amazing social events like the wednesday canal tour after party with music, champagne and a festival vibe. A delicious organic dinner on thursday evening, complete with live hammond organ and the traditional and bizar Umbraco bingo.

There’s even a pre-conference social meetup tuesday, arranged by other codegarden attendees.

Oppunities to celebrate our community with Umbraco package competions and Umbraco Website awards, as well as meeting all thos helpfull people from our.umbraco.org to give them that well deserved high-five.

About the present and the future

Since codegarden 12 last year, Umbraco as a project and as a company has moved at an amazing pace.

There is not a single major component in the Umbraco core that we havn’t refactored, reimplemented, improved or tweaked, there are new API’s, new major versions, a new hosted service, a brand new UI coming, a lot of new fantastic sites has been launched, and a ton of lessons has been learned.

And there is only one place, where you can learn about all these things and that is at Codegarden, so I look forward to meeting you there. 

It's here! 6.1.0 beta 2 is out now and it is much improved over the first beta thanks to your excellent feedback! There's nothing much new since the previous beta but we did put in plenty of bug fixing so 6.1.0 is now rock solid. 

Yes, the security fixes have been applied to this version and no, they haven't been committed to source control yet for security reasons. 

MiniProfiler

Many people noticed that in Mvc mode, Umbraco can't give you tracing any more, which made finding bugs and performance issues harder.

This is about to change as we've now built the awesome MiniProfiler - by the great people at StackExchange - into the core of Umbraco!
Over time we can start adding more and more useful information into the profiler so you can find out exactly what is going on on your site.

Oh, and did I mention it works in the backoffice as well? We look forward to optimizing performance with this treasure trove of data we're now easily able to grab!

To get the profiler to show up, make sure that umbracoDebugMode is set to true in your web.config and then add umbDebug=true to your querystring. 

The MiniProfiler is also awesome because you can easily add your own profiling anywhere you want:

Umbraco.Core.Profiling.Profiler.Instance.Step("Hello World");

or nested profiling like:

using (Umbraco.Core.Profiling.Profiler.Instance.Step("This will take long")) {
   Umbraco.Core.Profiling.Profiler.Instance.Step("Here we go...");
   NielsWritesAparsingAlgorithm();
   Umbraco.Core.Profiling.Profiler.Instance.Step("Ahh, finally done");
}

And as an added bonus this also works in WebForms mode!

We're looking forward to your feedback on this release. It looks like we're on track to release it by the end of the month unless we find more serious flaws.

Umbraco 6.1.0 Beta 2 is available now on CodePlex and NuGet.

TL;DR: Motivated by this week’s discovery of a security vulnerability, we analysed the entire Umbraco core and found two additional major vulnerabilities, so you’ll need to patch your installation as soon as possible. Download a patch for your Umbraco version in the bottom of this post.

Update: 4.11.8 / 6.0.5 released, see the last paragraph of this post.
Update 2: 
Version before 4.5.0 is not affected by these new vulnurabilities, however yesterday's security alert still applies (recommendation is still: delete umbraco.webservices.dll).
In light of this information we will not be publishing custom builds for versions lower than 4.5.0. 
Update 3:
Some people are using 4.9.0 / 4.9.1 with a custom patch, the dll versions are now in the table below and patch files have been added ("Inline Xslt Fix" versions).
Update 4:
Unfortunately we can't  provide a patch update for 4.7.1, please email sebastiaan@umbraco.com for alternatives.

We've found two more major vulnerabilities

In parallel with the earlier security alert, we’ve been going through every method in Umbraco that deals with external requests. Based on this analysis, we’ve found two additional vulnerabilities and therefore we strongly recommend that you update your installation(s). The following steps are necessary even if you have already deleted the umbraco.webservices.dll.

To make this as easy as possible, we’ve created patched versions of all Umbraco releases from the past three years. To secure your site, find what version of Umbraco you’re using and download the corresponding patch in the bottom of this post. The patch is a zip file that includes updated and secure versions of umbraco.dll and umbraco.webservices.dll. Once these files are copied to your /bin folder your installation is patched and secured.

We know this is frustrating as you’ve probably already spent time this week updating your installations. We hope you understand that we took this double approach with delete first, patch secondly to ensure that your Umbraco installation would be as secure as possible in the quickest possible way.

In addition to the incredible efforts from the core team in dealing with these issues, I’d like to thank the brilliant partners and security analysts we’ve worked with over the last couple of days for their tireless help and constructive feedback in making Umbraco as secure as possible.

Last year - after Codegarden - we added a new workflow for core submissions with more thorough code reviews of both internal and external code, but unfortunately the vulnerabilities discovered were related to core changes before this governance was implemented.

We apologize for the inconvenience that these security vulnerabilities have caused, we’re doing everything we possibly can to ensure you won’t experience a deja vu anytime soon. We'll share details of the vulnerabilities in June when you've all had time to secure your installations.

How to patch your installation

The updated files can be downloaded from the list below. Back up your /bin/umbraco.dll and /bin/umbraco.webservices.dll and replace them with the versions you find in the zip file below.

• Umbraco version 4.5.0
• Umbraco version 4.5.1
• Umbraco version 4.5.2
• Umbraco version 4.6.1
• Umbraco version 4.7.0
• Umbraco version 4.7.1.1
• Umbraco version 4.7.2
• Umbraco version 4.8.0
• Umbraco version 4.8.1
• Umbraco version 4.9.0
• Umbraco version 4.9.0 - with Inline XSLT fix
• Umbraco version 4.9.1
• Umbraco version 4.9.1 - with Inline XSLT fix
• Umbraco version 4.10.1
• Umbraco version 4.11.7
• Umbraco version 6.0.3
• Umbraco version 6.0.4

Custom Umbraco build or not able to patch?

If you're not able to patch your installation or if you run a modified version of Umbraco - if you have modified the source of Umbraco and build your own version - we recommend that you setup a firewall to protect against external calls to /umbraco. You can see if you run a custom build of Umbraco by comparing your assembly version with the one in the table below. If the dll is of the below version number then you can safely overwrite the current version with the patched version (after making a backup, of course).

Upgrading

We've just released version 4.11.8 and 6.0.5. The only changes from their previous versions is the security fixes, so it's a safe upgrade. Head on out to CodePlex or NuGet to get them.