a security flaw has been identified in Microsoft ASP.NET - the
framework that Umbraco is based on. This will affect any Microsoft
ASP.NET based application including any Umbraco installation as
well as any other CMS that builds upon Microsoft ASP.NET.
This means that you have to take action to secure your
We've produced a
guide that describes how to patch your installation and
we've also produced an Umbraco package that will try to
patch your installation automatically and if it can't
it'll guide you how. You can find the package in the package
repository under Developer tools and it's called "ASP.NET Security
When you run the package, it'll show you a status on whether or
not your website is vulnerable. If it is there's a big "Fix this
problem" button to press:
We're seeding this information via the update checker, our
mailing list and our twitter accounts but please help us spread the
word. This speechbubble (yes, we'll need to work on the css on long
messages!) will be shown to all administrators that log in to
Umbraco over the next 14 days. It'll show even if you've patched
your installation - unfortunately we don't have any way to prevent
this as the patch isn't related to the Umbraco core:
The Panic Fund
We were able to make, test and distribute this patch because of
our Panic Fund. In the HQ we have an account which makes it
possible to book all HQ staff on core development for a week. We
can use this fund in cases of emergencies like the this one.
Despite the frustrating circumstances, it's just yet another
example of why I'm proud of how we've managed to build the Umbraco
HQ and why it makes the whole project sustainable.
Now stop reading and start patching!
For more details visit
the project page for this patch.
For in-depth information on the ASP.NET security issue,
visit Scott Guthries blog.