Security update - two major vulnerabilities found

Wednesday, May 01, 2013 by Niels Hartvig


TL;DR: Motivated by this week's discovery of a security vulnerability, we analysed the entire Umbraco core and found two additional major vulnerabilities, so you'll need to patch your installation as soon as possible. Download the patch for your Umbraco version at the bottom of this post.

Update: 4.11.8 / 6.0.5 released, see the last paragraph of this post.
Update 2:
Versions before 4.5.0 are not affected by these new vulnerabilities; however, yesterday's security alert still applies (the recommendation is still: delete umbraco.webservices.dll).
In light of this information we will not be publishing custom builds for versions lower than 4.5.0.
Update 3:
Some people are using 4.9.0 / 4.9.1 with a custom patch; the dll versions are now in the table below and patch files have been added ("Inline Xslt Fix" versions).
Update 4:
Unfortunately we can't provide a patch update for 4.7.1; please email sebastiaan@umbraco.com for alternatives.

We've found two more major vulnerabilities

In parallel with the earlier security alert, we’ve been going through every method in Umbraco that deals with external requests. Based on this analysis, we’ve found two additional vulnerabilities and therefore we strongly recommend that you update your installation(s). The following steps are necessary even if you have already deleted the umbraco.webservices.dll.

To make this as easy as possible, we've created patched versions of all Umbraco releases from the past three years. To secure your site, find out which version of Umbraco you're using and download the corresponding patch at the bottom of this post. The patch is a zip file that includes updated and secure versions of umbraco.dll and umbraco.webservices.dll. Once these files are copied to your /bin folder your installation is patched and secured.

We know this is frustrating as you've probably already spent time this week updating your installations. We hope you understand that we took this two-step approach (delete first, patch second) to ensure that your Umbraco installation would be as secure as possible in the quickest possible way.

In addition to the incredible efforts from the core team in dealing with these issues, I’d like to thank the brilliant partners and security analysts we’ve worked with over the last couple of days for their tireless help and constructive feedback in making Umbraco as secure as possible.

Last year - after Codegarden - we added a new workflow for core submissions with more thorough code reviews of both internal and external code, but unfortunately the vulnerabilities discovered were related to core changes before this governance was implemented.

We apologize for the inconvenience that these security vulnerabilities have caused, we’re doing everything we possibly can to ensure you won’t experience a deja vu anytime soon. We'll share details of the vulnerabilities in June when you've all had time to secure your installations.

How to patch your installation

The updated files can be downloaded from the list below. Back up your /bin/umbraco.dll and /bin/umbraco.webservices.dll and replace them with the versions you find in the zip file below.

Custom Umbraco build or not able to patch?

If you're not able to patch your installation, or if you run a modified version of Umbraco (that is, you have modified the Umbraco source and built your own version), we recommend that you set up a firewall to block external calls to /umbraco. You can check whether you run a custom build of Umbraco by comparing your assembly version with the one in the table below. If your dll has the version number shown below, you can safely overwrite it with the patched version (after making a backup, of course).

Umbraco version               umbraco.dll       umbraco.webservices.dll
4.5.0                         1.0.3827.19799    1.0.0.0
4.5.1                         1.0.3858.40498    not present
4.5.2                         1.0.3891.20719    not present
4.6.1                         1.0.4029.25836    not present
4.7.0                         1.0.4090.38017    not present
4.7.1.1                       1.0.4393.24044    not present
4.7.2                         1.0.4500.21031    not present
4.8.0                         1.0.4583.15483    1.0.4583.15512
4.8.1                         1.0.4609.17579    1.0.4609.17585
4.9.0                         1.0.4633.18696    1.0.4633.18727
4.9.0 with Inline XSLT fix    1.0.4640.26027    1.0.4633.18727
4.9.1                         1.0.4679.40364    1.0.4679.40370
4.9.1 with Inline XSLT fix    1.0.4693.32168    1.0.4679.40370
4.10.1                        1.0.4701.29088    1.0.4701.29098
4.11.7                        1.0.4863.25338    1.0.4863.25346
6.0.3                         1.0.4834.188856   1.0.4834.18858
6.0.4                         1.0.4863.23141    1.0.4863.23147
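As an added example (not part of this post or of the Umbraco project), the following PowerShell script performs the check described above before touching anything: it reads the assembly version of /bin/umbraco.dll, refuses to continue unless that version is a stock build from the table, warns about a leftover umbraco.webservices.dll or stray renamed copies of the assembly, and only then backs up the two files and copies the patched ones in. Assumed: the $SiteRoot and $PatchZip parameters, PowerShell 5 or later (for Expand-Archive), and that the core assembly's simple name is "umbraco".

```powershell
# Added example, not from the Umbraco post or project. Assumed inputs:
#   $SiteRoot  - root folder of the site (contains the /bin folder)
#   $PatchZip  - the patch zip downloaded for this Umbraco version
param(
    [Parameter(Mandatory = $true)][string]$SiteRoot,
    [Parameter(Mandatory = $true)][string]$PatchZip
)

# Stock assembly versions copied from the post's table:
# umbraco.dll version -> umbraco.webservices.dll version shipped with it.
$StockBuilds = @{
    '1.0.3827.19799'  = '1.0.0.0'         # 4.5.0
    '1.0.3858.40498'  = 'not present'     # 4.5.1
    '1.0.3891.20719'  = 'not present'     # 4.5.2
    '1.0.4029.25836'  = 'not present'     # 4.6.1
    '1.0.4090.38017'  = 'not present'     # 4.7.0
    '1.0.4393.24044'  = 'not present'     # 4.7.1.1
    '1.0.4500.21031'  = 'not present'     # 4.7.2
    '1.0.4583.15483'  = '1.0.4583.15512'  # 4.8.0
    '1.0.4609.17579'  = '1.0.4609.17585'  # 4.8.1
    '1.0.4633.18696'  = '1.0.4633.18727'  # 4.9.0
    '1.0.4640.26027'  = '1.0.4633.18727'  # 4.9.0 with Inline XSLT fix
    '1.0.4679.40364'  = '1.0.4679.40370'  # 4.9.1
    '1.0.4693.32168'  = '1.0.4679.40370'  # 4.9.1 with Inline XSLT fix
    '1.0.4701.29088'  = '1.0.4701.29098'  # 4.10.1
    '1.0.4863.25338'  = '1.0.4863.25346'  # 4.11.7
    '1.0.4834.188856' = '1.0.4834.18858'  # 6.0.3 (as printed in the post)
    '1.0.4863.23141'  = '1.0.4863.23147'  # 6.0.4
}

function Get-AssemblyVersionString([string]$Path) {
    # Reads the assembly version from the file header without loading the DLL.
    if (-not (Test-Path $Path)) { return $null }
    try { return [System.Reflection.AssemblyName]::GetAssemblyName($Path).Version.ToString() }
    catch { return $null }   # unmanaged or unreadable file
}

$bin     = Join-Path $SiteRoot 'bin'
$coreDll = Join-Path $bin 'umbraco.dll'
$wsDll   = Join-Path $bin 'umbraco.webservices.dll'
$coreVer = Get-AssemblyVersionString $coreDll
$wsVer   = Get-AssemblyVersionString $wsDll

if (-not $coreVer) { throw "No managed umbraco.dll found in $bin" }
if (-not $StockBuilds.ContainsKey($coreVer)) {
    # Not a stock build: either a custom build or a version with no patch. Do not
    # overwrite it; the post recommends restricting external access to /umbraco instead.
    throw "umbraco.dll $coreVer is not a stock build from the table; do not overwrite it."
}

# A webservices DLL on a version that never shipped one is a leftover from an older
# install and is still vulnerable; the earlier alert says to delete it.
$expectedWs = $StockBuilds[$coreVer]
if ($expectedWs -eq 'not present' -and $wsVer) {
    Write-Warning "umbraco.webservices.dll $wsVer found, but build $coreVer never shipped one; remove it (after a backup)."
} elseif ($wsVer -and $wsVer -ne $expectedWs) {
    Write-Warning "umbraco.webservices.dll is $wsVer, expected $expectedWs for this build; check before patching."
}

# Renamed copies of old DLLs left in /bin still get loaded and produce method-not-found
# errors after patching, so flag any other managed DLL whose assembly name is 'umbraco'
# (assumption: that is the core assembly's simple name).
Get-ChildItem $bin -Filter '*.dll' |
    Where-Object { $_.Name -notin 'umbraco.dll', 'umbraco.webservices.dll' } |
    ForEach-Object {
        try {
            if ([System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).Name -eq 'umbraco') {
                Write-Warning "Stray copy of the umbraco assembly in /bin: $($_.Name)"
            }
        } catch { }
    }

# Back up the current assemblies, then copy the patched ones in from the zip.
$backup = Join-Path $SiteRoot ('bin_backup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
Copy-Item $coreDll $backup
if (Test-Path $wsDll) { Copy-Item $wsDll $backup }

$staging = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName())
Expand-Archive -Path $PatchZip -DestinationPath $staging
Get-ChildItem $staging -Recurse -Include 'umbraco.dll', 'umbraco.webservices.dll' |
    ForEach-Object { Copy-Item $_.FullName $bin -Force }

"Patched $bin (was umbraco.dll $coreVer); backup in $backup"
```

Copying into /bin recycles the application pool, so run it against a test copy of the site first.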


Upgrading

We've just released version 4.11.8 and 6.0.5. The only changes from their previous versions are the security fixes, so it's a safe upgrade. Head on out to CodePlex or NuGet to get them.

150 comment(s) for “Security update - two major vulnerabilities found”

  1. Peter Meyer Says:

    Hi there,

    Is this still an issue, if the webservices DLL has been deleted already?

    Do sites running Umbraco 6.0.2 also include the vulnerabilities, and should they be upgraded to 6.0.4 for that reason?

    Thanks in advance.

    /Peter

  2. John Seto Says:

    Well done for the fast response and updates, keep up the good work.

  3. Sebastiaan Janssen Says:

    @Peter Yes, these are new issues in other parts of the system.

  4. Sebastiaan Janssen Says:

    @Peter We're releasing 6.0.5 and 4.11.8 with a fix for this issue later today. 6.0.4 and 4.11.7 are vulnerable.

  5. Craig Stevens Says:

    What about 6.0.3? I'm just building one of those. Is there no action required? Please confirm.

    Craig

  6. Colin Anderson Says:

    There isn't a patch for version 4.11.3.

  7. Xin Says:

    Hi there,

    We are using Umbraco version 4.11.4, can we still download the patch for Umbraco version 4.11.7?

    Thanks

    /Xin

  8. Brian Andersen Says:

    I'm stuck (as a web developer) on a 4.0.2.1. - please advise what to do on an older system like this!

  9. Nan Says:

    Are versions below 4.5 (i.e. 4.021) affected as well?

  10. Ed Marden Says:

    Does this issue affect earlier versions than 4.5.0?

  11. sam Says:

    Will you be updating the source code for the respective installations in codeplex to reflect these changes?

  12. Stefan Bohlin Says:

    This is one of these days where I really really miss that "Update Now" button in umbraco.. oh well.. I guess I'll have to get to it...

  13. Andrew Hawken Says:

    I hate to ask, but does this affect 5? I've still got a U5 install running somewhere...

  14. Virendra Says:

    There is no patch for version 4.11.1, can we download patch 4.11.7 to secure Umbraco CMS 4.11.1 installation?

  15. Jim car Says:

    I have umbraco v 4.7.2 (Assembly version: 1.0.4500.21031) and my site is already running live. There was no /bin/umbraco.webservices.dll in my version. So do I still need to apply this patch on my live site?

    If yes, do I only need to update umbraco.dll on the site?

  16. Matt Says:

    Hi, I've got a site running 4.11.1 can I use the update for 4.11.7?

    Matt

  17. Niels Hartvig Says:

    @andrew: v5 isn't affected by this.

  18. Shropshire Web Team Says:

    Can we have a bit of clarification on the version numbers please?
    We've got a few standard installs that have version numbers that don't quite match those in the list (the major.minor.build match, but the .revision number is less than shown) - are we safe to over-write the dll files?

  19. Glenn Says:

    Hi

    Is there a patch for 6.0.3?
    The 6.0.4 patch is giving a server error for a missing method when used on 6.0.3.

    Any ideas?

    Thanks

  20. Jim Car Says:

    Any updates on this??
    ----------------------------------
    I have umbraco v 4.7.2 (Assembly version: 1.0.4500.21031) and my site is already running live. There was no /bin/umbraco.webservices.dll in my version. So do I still need to apply this patch on my live site?

    If yes, do I only need to update umbraco.dll on the site?

  21. Jeppe Vammen Kristensen Says:

    Have the updated dlls been added to the relevant umbraco Nuget packages, if it's possible?

  22. Alex Says:

    May I know if the umbraco.dll version 1.0.4281.20201 is also affected?
    I can't find the version number in the above table, and can't locate the version number as it's a customized installation.
    Would appreciate your swift reply.
    Thanks!

  23. Don Says:

    I patched 4.7.1 with the correct umbraco.dll file above, and now the majority of my site does not work. It would be EXTREMELY helpful if we knew what methods were affected, and what changes were made so we can troubleshoot the issue. Were these patch releases tested on their respective versions?

    Don

  24. Niels Hartvig Says:

    We've released 4.11.8 and 6.0.5 as both Codeplex downloads and Nuget packages now.

  25. Sebastiaan Janssen Says:

    @Matt Best to upgrade to 4.11.8 (just published, see the updated blog post text).

    @Shropshire Depends, did you do custom builds of the Umbraco source?

    @Glen Best to upgrade to 6.0.5 (just published, see the updated blog post text).

    @Jim Car yes, these are new issues, please upgrade.

    @Jeppe yes, just published, see the updated blog post text.

  26. Denford Says:

    Hi, I have done the upgrade on two sites, one in umbraco 4.10.1 and one in umbraco 4.11.4, and got the same error from the package installer screen, but both sites still work fine after and I can see the folders from the patch installation. Is this something I need to worry about or not (was using the web services anyway)?

    Could not upload file
    System.Exception: Error unpacking extension... ---> System.IO.FileNotFoundException: Could not find file 'C:\Projects\RestAssured\Source\RestAssured.UI\App_Data\b57acd82-d8b0-438c-991f-0099250080c7\package.xml'. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize) at System.Xml.XmlDownloadManager.GetStream(Uri uri, ICredentials credentials, IWebProxy proxy, RequestCachePolicy cachePolicy) at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn) at System.Xml.XmlTextReaderImpl.OpenUrlDelegate(Object xmlResolver) at System.Threading.CompressedStack.runTryCode(Object userData) at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData) at System.Threading.CompressedStack.Run(CompressedStack compressedStack, ContextCallback callback, Object state) at System.Xml.XmlTextReaderImpl.OpenUrl() at System.Xml.XmlTextReaderImpl.Read() at System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace) at System.Xml.XmlDocument.Load(XmlReader reader) at System.Xml.XmlDocument.Load(String filename) at umbraco.cms.businesslogic.packager.Installer.LoadConfig(String tempDir) at umbraco.cms.businesslogic.packager.Installer.Import(String InputFile) --- End of inner exception stack trace --- at umbraco.cms.businesslogic.packager.Installer.Import(String InputFile) at umbraco.presentation.developer.packages.Installer.uploadFile(Object sender, EventArgs e)

  27. Niels Hartvig Says:

    @Don: Yes, we've tested the respective patches. Could you get in touch via sebastiaan@umbraco.com with details on the issue. For now we think it's best to disclose as few details as possible on affected methods.

    @Alex: All Umbraco versions since v4.x are affected. We recommend that you then IP restrict access to /umbraco

  28. Nigel Brown Says:

    We have two sites that will not update.

    v4.7.1 (assembly 1.0.4281.20801) - navigation and menus disappear
    v4.11.3 (assembly 1.0.4760.34993) - throws errors/does not load

    4.7.1.1 was ok.

    Can you please advise what we need to do,

    thanks
    Nigel

  29. Owen Blacker Says:

    Sorry to add yet another question when you must be having an unpleasantly busy day. Good work both on checking for other vulnerabilities and reacting so quickly.

    If we already have a firewall rule in place forbidding external access to /Umbraco does that mean that we should be unaffected?

  30. Sebastiaan Janssen Says:

    Just to clarify: you can NOT use the 4.11.7 patch on anything else than 4.11.7, do not mix & match versions. Also check the version of your umbraco.dll against the one listed in the table above, they must match.

  31. Nigel Brown Says:

    This is the stack trace for 4.11.3

    Method not found: 'System.Collections.Generic.IEnumerable`1 Umbraco.Core.ObjectResolution.ManyObjectsResolverBase`2.get_InstanceTypes()'.

    [MissingMethodException: Method not found: 'System.Collections.Generic.IEnumerable`1 Umbraco.Core.ObjectResolution.ManyObjectsResolverBase`2.get_InstanceTypes()'.]
    Umbraco.Web.Mvc.SurfaceControllerResolver.get_RegisteredSurfaceControllers() in d:\Dropbox\Dev\UmbracoSource_v4\src\Umbraco.Web\Mvc\SurfaceControllerResolver.cs:31
    Umbraco.Web.WebBootManager.CreateRoutes() in d:\Dropbox\Dev\UmbracoSource_v4\src\Umbraco.Web\WebBootManager.cs:180
    Umbraco.Web.WebBootManager.Complete(Action`1 afterComplete) in d:\Dropbox\Dev\UmbracoSource_v4\src\Umbraco.Web\WebBootManager.cs:139
    Umbraco.Web.UmbracoApplication.Application_Start(Object sender, EventArgs e) in d:\Dropbox\Dev\UmbracoSource_v4\src\Umbraco.Web\UmbracoApplication.cs:38

    [HttpException (0x80004005): Method not found: 'System.Collections.Generic.IEnumerable`1 Umbraco.Core.ObjectResolution.ManyObjectsResolverBase`2.get_InstanceTypes()'.]
    System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode(HttpContext context, HttpApplication app) +9859725
    System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +118
    System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +172
    System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +336
    System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +296

    [HttpException (0x80004005): Method not found: 'System.Collections.Generic.IEnumerable`1 Umbraco.Core.ObjectResolution.ManyObjectsResolverBase`2.get_InstanceTypes()'.]
    System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +9873912
    System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +101
    System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +254

  32. Sebastiaan Janssen Says:

    Another update: no, just a firewall rule on /umbraco is not enough unfortunately.

  33. Sebastiaan Janssen Says:

    @Nigel You can't do that. Recommend upgrading to 4.11.8 instead.

  34. Shropshire Web Team Says:

    @Sebastiaan - These are standard builds (e.g. downloaded from Codeplex on day of release).

  35. Sebastiaan Janssen Says:

    @Shrop Strange, I downloaded them all yesterday and that's where I got the build numbers from. Which versions?
    Try an upgrade in a dev environment; a lower version means that you're missing some bug fixes already, as the version numbers are time-based. So it SHOULD hopefully be okay. :)

  36. Virendra Says:

    Can't find patch for Umbraco 4.11.1 in the list above.

    umbraco.dll version - 1.0.4715.27659
    umbraco.webservices.dll version - 1.0.4715.27668

    Can you please help me to update my installation?

    Thanks
    Virenda

  37. denford Says:

    @sebastiaan definitely agree, don't use 4.11.7 on any other version. It just broke my 4.11.4 and I'm getting this error when I try and open the project.

    Method not found: 'System.String Umbraco.Core.ApplicationContext.get_OriginalRequestUrl()'.

    Unfortunately for me I had already done it by the time I saw @sebastiaan's message.

  38. Sebastiaan Janssen Says:

    If you're upgrading, please follow the upgrade guides carefully and make sure to have backups of course. :-)
    http://our.umbraco.org/documentation/Installation/Upgrading/

    We're super busy now, so please head to the forum for upgrade issues. I'll look into patching 4.11.x when I get a chance.

  39. Sebastiaan Janssen Says:

    @Virendra Recommend upgrading to 4.11.8.

  40. Sam Hamer Says:

    I fear my question got lost in a sea of other ones, will the core team be updating the source code in codeplex for previous versions?

  41. Allan S. Laustsen Says:

    We are running a highly modified version of the umbraco.dll, and would like to wait with updating the umbraco.dll until the source code for the security fix is made public.

    Is it enough for now, to apply the IP restrictions described in the post http://umbraco.com/follow-us/blog-archive/2013/4/29/security-vulnerability-found-immediate-action-recommended.aspx

  42. Hartvig Says:

    @Sam: We'll update the source in a few weeks. We like that people have a chance to patch their sites first.

  43. Niels Hartvig Says:

    @Allan: Get in touch with sebastiaan@umbraco.com for details.

  44. Shropshire Web Team Says:

    @Sebastiaan - The main ones that don't match are running 4.9. We are going to take a copy of one of them & run a test with the patches, so I'll let you know how it goes!

  45. Sebastiaan Janssen Says:

    As for my comment on possible patches for older 4.11.x, I meant: I'll look into whether that is necessary (I don't think it will be). I recommend upgrading to 4.11.8. It's a patch release, it's backwards compatible and it will make your site better.

    (same goes for 6.0.x of course, please upgrade to 6.0.5).

  46. Simon Radford Says:

    If the umbraco.webservices.dll is not included in the patch, does this mean that it is safe to continue using the existing assembly on that version?

    The umbraco.webservices.dll version we have for 4.7.2 is 1.0.4583.15512

  47. Sebastiaan Janssen Says:

    Updated the blog post, versions lower than 4.5.0 are not affected by these two vulnerabilities, but the webservices are still unsafe, so make sure to delete umbraco.webservices.dll on those versions still.

  48. Sebastiaan Janssen Says:

    @Simon No, the webservices are vulnerable still. I'll see if I can update the patch.

  49. WebServices Says:

    Hello, I have three Umbraco sites - 2 on Umbraco 4.7.1.1 and 1 on 4.7.0. If I follow these instructions - by overwriting the Umbraco.dll file in the BIN folder - will my users experience an outage/loss of function or site availability?

    Can you advise?
    Thanks,
    Web Services

  50. Sebastiaan Janssen Says:

    @Simon 4.7.2 didn't ship with umbraco.webservices.dll, so it's probably a remnant of an older version, can you crosscheck with the version table above?

  51. Simon Radford Says:

    The version number of the assembly we have is not listed in that table:

    1.0.4583.15512

    To be honest, I'm not sure where it has come from. I have just realised that our 4.7.2 site is no longer using the web services so we will delete this file completely.

    Luckily, the site we have that does use the web services is 4.8 which does have a patched umbraco.webservices.dll.

    Thanks for your help.

  52. Kevin Giszewski Says:

    As a general practice, locking down your /umbraco folder to private IPs is a great idea (as HQ has mentioned).

    I realize this isn't possible in many client/design-studio settings, but if you run Umbraco privately (as we do), you should absolutely do so.

    For those who aren't into networking...

    Essentially when you lock it down, only those on your private network can access the back-office (which houses remote web services, etc.). If you are on a remote hosting solution (softsys, rackspace, godaddy, et al), you would have to also establish a VPN with the servers (which is unlikely and costly).

    This is different from SSL. SSL will not prevent a security breach of this nature.

    It may be published somewhere (not sure), but after you lock down /umbraco, the general public (anonymous requests) can no longer access anything under that folder. Therefore as a best practice (for us at least), anything public should not go into /umbraco (you'll get a 403 on any resource from the web if you try to access it).

    We made the early mistake of putting public things (like plugins) into /umbraco, then locked it down. We quickly learned you can't do that. Only back-office plugins should go into /umbraco/plugins.

    Hope this helps someone

  53. Sebastiaan Janssen Says:

    @Webservices The application pool will recycle. Other than that they shouldn't, but please test and make backups.

    @Kevin Thanks. Only locking down /umbraco is not enough in this case unfortunately, but it will cover yesterday's webservices problem.

  54. Kevin Giszewski Says:

    @sebastiaan For sure, we are patching as well. Umbraco security would be a good CG13 topic ;)

  55. Zar Ni Win Latt Says:

    Hi,

    Can I get the patched files for version 4.11.6? That is the version I am running my projects on. Please kindly help. Will really appreciate if you guys can provide "umbraco v 4.11.6 (Assembly version: 1.0.4834.19775)" version of patched files. Thanks a lot.

  56. Niels Hartvig Says:

    @Zar: You should upgrade to 4.11.8 instead. It's fully backwards compatible.

  57. Benjamin Says:

    I have an installation running on 6.0.2 (1.0.4811.18151). Am I going to upgrade the installation or can I just override with the 6.0.4 fix?

  58. Phil Harvey Says:

    @kevin yes I'm sure this will be one of the hot topics of debate at codegarden! In my opinion I'd be more worried about an open source CMS that NEVER announced any security issues! Every major CMS has had security issues, and it's the response to them that matters.

    The Umbraco core team are doing an excellent job. I only regret creating custom builds for all my old projects instead of putting extended functionality in separate DLLs as extension methods... would make patching so much easier. Oh well, lessons learned :D

  59. Sebastiaan Janssen Says:

    @Benjamin Please upgrade to 6.0.5.

  60. Kevin Giszewski Says:

    @phil, indeed the core team provides unprecedented support. #h5yr #transparency

    Security is merely an illusion. I worked in a US Army Information Systems unit... Plenty of things that would make your heart stop.

  61. Jeric Says:

    I'm running a live site with version 4.11.4. Which patch should I use?

  62. Sam Hamer Says:

    Just put this on one of our 4.7.2 sites and have got:

    Method not found: 'Boolean umbraco.UmbracoSettings.get_XmlContentCheckForDiskChanges()'.

    Any thoughts?

  63. Sebastiaan Janssen Says:

    @Jeric Please upgrade to 4.11.8.

  64. Craig Stevens Says:

    So what should we do with 6.0.3 sites? A couple of people have asked, no answer so far. I have two at that version. Please advise.

  65. Craig Stevens Says:

    Also what to do with 4.7.1 sites as the 4.7.1.1 patch is reported not to work with them?

    Think we could do with a comprehensive list to allay fears and reduce your work load answering queries.

  66. Sebastiaan Janssen Says:

    @Craig 6.0.3 --> Upgrade to 6.0.5.
    4.7.1 - I can't find what the changes between 4.7.1 and 4.7.1.1 were. Please email me for further advice.

  67. Web Services Says:

    Hi All: can you advise?

    One of my web sites is on Umbraco 4.7.0 where I deployed the right update to correct the issue, to check how it works on a test server before I deploy it to our production server(s). I have IIS 7.0 on Windows 2008 Server.

    I tried it with the Web Site and Application Pool stopped and then started, and both times I got this message. I am logged in with Local Administrator settings:

    [I am introducing Umbraco.dll and Umbraco.pdb to the BIN folder of the web site.]

    Copy File:
    An unexpected error is preventing the operation.
    Error 0x80004005: Unspecified Errror.
    Umbraco.dll
    Type - Application Extension
    Date Modified 30/4/13 14:57hrs
    Size: 816 kb. Try Again.

    I have checked the Eventvwr - Application and System Logs and they show nothing.

    I cannot get any further.

    What would you suggest?
    Cheers.

  68. Lars Due Says:

    Is there any documentation on how to upgrade from 6.0.3 to 6.0.4/6.0.5?

    Is it just files that need to be copied or will there be changes to the database, which require running the "installer"?

  69. Andy Says:

    Thanks for the info and the quick response.
    I've just updated and patched about 30 umbraco sites of various different versions. I can confirm upgrading to the latest of each major release then applying the corresponding patch works a treat.
    Obviously recommend upgrading in a dev/temp environment.
    Cheers

  70. Steve Callagnhan Says:

    Please can I chase up on Sam Hamer's request from earlier.
    We are attempting to apply the patch to 4.7.2 but get:

    Method not found: 'Boolean umbraco.UmbracoSettings.get_XmlContentCheckForDiskChanges()'.

    Please can you advise?

  71. Web Services Says:

    Ref my last posting - I stopped the application pool and site and deleted the existing umbraco.dll file from the BIN folder and copied the patch again. Started application pool and site. Went to browse it in IIS 7.0 - says internet explorer cannot display page.

  72. Sebastiaan Janssen Says:

    @Web Services Please contact me by email for further assistance. sebastiaan@umbraco.com

    @Lars Upgrade documentation http://our.umbraco.org/documentation/Installation/Upgrading/ - always run the installer, to make sure everything is covered.

    @Steve I'll check 4.7.2 but my testing didn't reveal this error. Where does it show up? Backoffice/Frontend? When?

  73. Lars Due Says:

    Would it be possible to just have the umbraco.dll and umbraco.webservices.dll in a version 6.0.3 for quick patching?

    We have a number of sites running on 6.0.3 and it would require much more time to take database backups, coordinate with customers about downtime, initially try a 6.0.5 upgrade locally on a dev site etc., instead of just being able to do a quick patch of two files on live sites...

    So could you please reconsider making the patch files available in a 6.0.3 version, as this will save us a heck of a lot of time right now...

    Thanks

  74. techSage Says:

    It looks like the version table needs to be updated above for version 4.8.0, umbraco.webservices.dll. I believe the version number should be 1.0.4583.15512 rather than 1.0.4583.15521.

  75. Jose Says:

    Please inform us of the updates for version 6.0.3

  76. Sebastiaan Janssen Says:

    @Lars @Jose for now we're advising an upgrade to 6.0.5, sorry. :)

    @techSage Correct, typo on my part, fixed! Thanks!

  77. Kevin Giszewski Says:

    A new section in our.umbraco would be helpful to address this type of discussion. That way responders have some credibility.

  78. David Says:

    I just tried patching a non-custom build of Umbraco 4.8.0 with the matching patch above on a dev site and received a YSoD loading the site. Anyone have success with the patch for 4.8.0?

  79. Kevin Giszewski Says:

    And to address specific versions ;)

  80. Sebastiaan Janssen Says:

    @David be good to do a forum post, easier to help and ask questions. Make sure to include the actual error in the post as well.

  81. Steve Callaghan Says:

    @Sebastiaan
    The error

    Method not found: 'Boolean umbraco.UmbracoSettings.get_XmlContentCheckForDiskChanges()'.

    happens as soon as you access the URL after the patch, i.e. frontend and backend, and immediately. Please note that we have an incremented build version because we have built a number of times since taking 4.7.2

  82. David Says:

    @Sebastiaan Good advice, but I resolved the issue myself - I had simply left renamed copies of the old dlls in the bin folder - that never ends well.

  83. Lars Due Says:

    @Sebastiaan Sorry, but that's just not good advice...

    If I had the patch files for 6.0.3 I could patch the customers' sites in 2 minutes.
    Now I have to leave sites unpatched and in danger of being exploited, as I can not "just" do an upgrade on a live site without proper preparation and proper authorization...

    So what might take the Umbraco Core Team a few minutes to do, could save me (and probably a lot of others) hours of work and headaches...

    You figure out the math here...

  84. Sebastiaan Janssen Says:

    @Steve I don't understand what you mean by "incremented build version". I just installed 4.7.2 and copied in the updated dlls and do not get that error. The method definitely exists in the updated dll so something else might've gone wrong. Did you make the same mistake that David did and leave old, renamed dlls in the bin folder?

  85. Jeric Says:

    Can't find any answer above for version 4.7.1. Any patch for it?

  86. Sebastiaan Janssen Says:

    @Lars I would say that the same preparation and authorization should be in place to copy in dlls. If I made a mistake then your site can still go down pretty badly. I try not to, but I'm only human. :-)
    Anyway, thanks to your persistence: 6.0.3 now available above.

    @Jeric Please contact me directly.

  87. Gravatar ImageBill Says:

    I am moving from 4.11.4 to 4.11.7 (fine) and patching (problem)

    When debugging I get this:

    NO SOURCE AVAILABLE

    umbraco.dll!umbraco.presentation.nodefactory.Node.GetCurrent() Line 513 + 0x63 bytes

    Locating source for 'd:\Dropbox\Dev\UmbracoSource_v4\src\Umbraco.Web\umbraco.presentation\umbraco\nodeFactory\Page_Legacy.cs'. Checksum: MD5 {25 f9 93 67 54 da c0 39 9d 70 da a2 a1 5e 0 e8}
    The file 'd:\Dropbox\Dev\UmbracoSource_v4\src\Umbraco.Web\umbraco.presentation\umbraco\nodeFactory\Page_Legacy.cs' does not exist.
    Looking in script documents for 'd:\Dropbox\Dev\UmbracoSource_v4\src\Umbraco.Web\umbraco.presentation\umbraco\nodeFactory\Page_Legacy.cs'...
    Looking in the projects for 'd:\Dropbox\Dev\UmbracoSource_v4\src\Umbraco.Web\umbraco.presentation\umbraco\nodeFactory\Page_Legacy.cs'.
    The file was not found in a project.
    Looking in directory 'C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\crt\src\'...
    Looking in directory 'C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\src\mfc\'...
    Looking in directory 'C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\src\atl\'...
    Looking in directory 'C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\'...
    Looking in directory 'c:\'...
    The debug source files settings for the active solution indicate that the debugger will not ask the user to find the file: d:\Dropbox\Dev\UmbracoSource_v4\src\Umbraco.Web\umbraco.presentation\umbraco\nodeFactory\Page_Legacy.cs.
    The debugger could not locate the source file 'd:\Dropbox\Dev\UmbracoSource_v4\src\Umbraco.Web\umbraco.presentation\umbraco\nodeFactory\Page_Legacy.cs'.

    Please help! If I should be in the forums please point in right direction because I can't locate myself.

    Thank you!

  88. Andrei Says:

    @Niels, @Sebastiaan

    For the patched dlls, can you guys confirm that method signatures and/or namespaces have not changed? In other words, can you confirm updating the dlls in the installations won't break existing bespoke functionality that was relying on the old dlls?

    Also, some of the zip files don't actually include an umbraco.webservices.dll. For example, the 4.7.2 zip doesn't include one. Is that by design and if not, can an updated dll be provided?

    Thank you.

  89. roger Says:

    Our version is 4.7.2 and it has umbraco.webservices.dll in the bin folder.
    We are getting xslt errors and errors creating an xslt file and macro complaining about the lack of this dll.
    Is there a replacement we can use ?

  90. Lars Due Says:

    @Sebastiaan Thanks for putting up patch files for 6.0.3 That will be a big help :-)

    Meanwhile I have been looking through more sites and have discovered that we also have a couple of sites running 6.0.0 and one very important customer running 4.7.1. Neither of these versions has patch files?

    The two 6.0 sites are not that important so these I can upgrade to 6.0.5, but the 4.7.1 site I would like to patch ASAP...

    Can you help with a 4.7.1 version?

    Thanks.

  91. Andrew Neely Says:

    We are running Umbraco 4.0.3. What security vulnerabilities apply to us, and how do we patch it seeing that our version is not listed above?

  92. Sebastiaan Janssen Says:

    @Lars 6.0.0 really needs updates, it has some serious bugs.
    Email me for a solution for 4.7.1.

  93. Sebastiaan Janssen Says:

    @Andrei: Of course.
    @Andrew: Remove umbraco.webservices.dll as advised Monday, today's vulnerabilities do not apply to anything under 4.5.0
    @roger find the version of umbraco.webservices.dll and see if it's in the table above, update with the corresponding version if possible. If that's of no help, email me.

  94. Sebastiaan Janssen Says:

    @Bill You should move to 4.11.8 - Please follow the upgrade guides and if you still get errors please create a topic on our.umbraco.org to get some help.
    Upgrade documentation: http://our.umbraco.org/documentation/Installation/Upgrading/

  95. Sebastiaan Janssen Says:

    @Andrei 4.7.2 didn't contain a webservices dll in the original release, so by design.

  96. roger Says:

    I cannot find the same version of the webservices dll. It is 1.0.4147.21643

    Thanks

  97. Sebastiaan Janssen Says:

    @roger Email me! :-)

  98. Richard Barg Says:

    @Lars
    @Sebastiaan

    Lars and others have asked several times about 4.71 as it is (inexplicably) not listed in the patch releases. Question has not been answered.

    Pls post a patch to 4.71 or advise definitively what needs to be done?

  99. Sebastiaan Janssen Says:

    @Richard We unfortunately cannot provide a patch for 4.7.1. I've encouraged everyone who asked to e-mail me for an alternative solution.

  100. Bill Says:

    @Sebastiaan - thank you, looking good.

    Props to you guys for helping us lowly devs out on what must be a pretty stressful day for you.

  101. Lee C. Says:

    After updating two different sites (both 4.7.2), I get this on one site:

    Compilation Error
    Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.

    Compiler Error Message: BC32206: The project currently contains references to more than one version of interfaces, a direct reference to version 1.0.4497.23945 and an indirect reference (through 'umbraco.NodeFactory.Node') to version 1.0.4868.23952. Change the direct reference to use version 1.0.4868.23952 (or higher) of interfaces.

    ...And this on the other:

    Compilation Error
    Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.

    Compiler Error Message: BC32206: The project currently contains references to more than one version of interfaces, a direct reference to version 1.0.4701.29087 and an indirect reference (through 'Umbraco.NodeFactory.Node') to version 1.0.4868.24744. Change the direct reference to use version 1.0.4868.24744 (or higher) of interfaces.

    Please help!

  102. Sebastiaan Janssen Says:

    @Lee sounds like you compiled your custom code directly against a specific version of our dll. Please return the old (vulnerable) dll back into the bin folder for now and email me for further instructions.

  103. Steve Callaghan Says:

    @Sebastiaan
    We have resolved our 4.7.2 issue. Further investigation revealed we had an incorrect businesslogic.dll (which did not contain the missing method).

  104. James Knowles Says:

    @Sebastiaan what is your email address I have two sites on 4.7.1 and I have no idea how to fix them ?

  105. James Knowles Says:

    I mean 4.7.1 been a long day!

  106. tomigaoaka Says:

    Same here, where's the patch for 4.7.1 please?

  107. Sebastiaan Janssen Says:

    @James hehe, same here. You found it and have mail! :)

    @tomi please email me sebastiaan@umbraco.com

  108. Zar Ni Win Latt Says:

    @Niels, is there a guide on how to upgrade from 4.11.6 to 4.11.8? I also have a lot of custom sections and modifications on 4.11.6. Please advise on the guide to upgrade. Many thanks.

  109. Sebastiaan Janssen Says:

    @Zar Please follow the upgrade documentation http://our.umbraco.org/documentation/Installation/Upgrading/

  110. Adam Says:

    Is there a plan to update the legacy NuGet packages? 4.9.2 in our case.

    Our CI server pulls a fresh copy down on each integration. The .dlls that are coming down are still the old ones.

    Any chance of getting them updated?

  111. Adam Says:

    correction *4.9.1* in our case

  112. Sebastiaan Janssen Says:

    @Adam I'm very sorry but NuGet does not allow updates to packages. I recommend a BeforeBuild event that copies in the updated version.

  113. Alex Says:

    Do I need to upgrade 4.11.3? If so, which one should I use? 4.10.1 or 4.11.7?

    *This has probably been asked before, but I'm having trouble trying to figure out what answers go with what questions. It would be helpful if the answers stated the question instead of just "@Bob Yes. Upgrade". Maybe even place the Q & A in the body of the article if it's been asked many times.

  114. Sebastiaan Janssen Says:

    @Alex You should upgrade to 4.11.7 please, thanks!

  115. Mendel Says:

    I upgraded from 4.11.6 to 4.11.8. The installer doesn't run. It redirects me to the root of the site. What do I need to do to complete the upgrade?

  116. Sebastiaan Janssen Says:

    @Mendel Make sure you copy in the /install folder and have followed the instructions in the upgrade docs: http://our.umbraco.org/documentation/Installation/Upgrading/

    As mentioned there, if you used NuGet to initially install Umbraco then you should use NuGet to update Umbraco too. Please direct additional upgrade questions to the forum at our.umbraco.org so you can get help from the community.

  117. Robert Says:

    Hi,

    I have several websites on 4.7.1, can I get the correct file to update my sites?
    robert@prodo.com

    thanks

  118. Peter Meyer Says:

    @Sebastiaan Ok, Thank you for the additional info :-)

  119. Pravin Says:

    Hi,
    As per the instructions above we have the 4.6.1 umbraco version. We don't have an umbraco.webservices.dll file in the bin directory. We just have the umbraco.dll file in the bin directory. Should we still copy the umbraco.webservices.dll file into the bin directory from the above patched updates?

  120. Pravin Says:

    As per the instructions above we have the 4.6.1 1.0.4029.25836 umbraco version. We don't have an umbraco.webservices.dll file in the bin directory. We just have the umbraco.dll file in the bin directory. Should we still copy the umbraco.webservices.dll file into the bin directory from the above patched updates?

  121. karen Says:

    I made a mistake of performing the patch without double checking for the assembly version. I have a version of 4.6.1 with an Assembly version of 1.0.4868.28542 which is different from your default assembly version of 1.0.4029.25836. Will my site run into any issues? Currently, the CMS is running slow. It is taking a long time for the page to refresh. Thanks.

  122. Sebastiaan Janssen Says:

    @Pravin Nope, leave it out then.

    @karen See mail. :)
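    An added example, not from the post or from Umbraco, for the check karen describes skipping: it lists the assembly version of every managed DLL in a site's /bin folder, compares umbraco.dll and umbraco.webservices.dll against the versions you expect after patching (the placeholder values must be replaced with the row for your release from the table in the post), and flags renamed copies of those assemblies, which ASP.NET loads from /bin regardless of file name.

```powershell
# Added example (not from the post or from Umbraco). Run from the site root, e.g.
#   .\Check-UmbracoBin.ps1 -BinPath .\bin -Expected @{ 'umbraco' = '1.0.x.y'; 'umbraco.webservices' = '1.0.x.y' }
param(
    [Parameter(Mandatory = $true)][string]$BinPath,
    # Assembly versions expected after patching. These are placeholders; copy the
    # real values for your release from the table in the post.
    [hashtable]$Expected = @{ 'umbraco' = '0.0.0.0'; 'umbraco.webservices' = '0.0.0.0' }
)

# Read the assembly name and version of every managed DLL in /bin.
$assemblies = foreach ($dll in Get-ChildItem -Path $BinPath -Filter '*.dll') {
    try { $name = [System.Reflection.AssemblyName]::GetAssemblyName($dll.FullName) }
    catch { continue }   # not a .NET assembly (native DLL or corrupt file); skip it
    [pscustomobject]@{ File = $dll.Name; Assembly = $name.Name; Version = $name.Version.ToString() }
}
$assemblies | Sort-Object File | Format-Table -AutoSize | Out-Host

# Check 1: renamed leftovers. A file such as umbraco_old.dll still carries the
# assembly name "umbraco", and ASP.NET loads it next to the patched copy, which is
# the mistake discussed earlier in this thread.
foreach ($a in $assemblies) {
    if ($Expected.ContainsKey($a.Assembly) -and $a.File -ne "$($a.Assembly).dll") {
        Write-Warning "$($a.File) is a copy of assembly '$($a.Assembly)' ($($a.Version)); move it out of /bin"
    }
}

# Check 2: compare the files that are present against the expected patched versions.
foreach ($asm in $Expected.Keys) {
    $file = $assemblies | Where-Object { $_.File -eq "$asm.dll" }
    if (-not $file) {
        Write-Host "$asm.dll is not present (fine for umbraco.webservices.dll if you deleted it as advised)"
    } elseif ($file.Version -eq $Expected[$asm]) {
        Write-Host "$asm.dll is at the expected version $($file.Version)"
    } else {
        Write-Warning "$asm.dll is $($file.Version) but $($Expected[$asm]) was expected; the patch may not be applied, or it is the patch for a different release"
    }
}
```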

  123. Marcel Says:

    Hi Sebastiaan,

    We are having similar problems to that of Lee, but for version 4.7.1.1.:

    The project currently contains references to more than one version of interfaces, a direct reference to version 1.0.4388.21791 and an indirect reference (through 'umbraco.NodeFactory.Node') to version 1.0.4868.25100. Change the direct reference to use version 1.0.4868.25100 (or higher) of interfaces.

    How can we resolve this? assembly binding redirects?

  124. Sebastiaan Janssen Says:

    @Marcel You've got mail.

  125. Gavin Says:

    I'm currently using version 4.11.4 and after reading the above it seems like my best course of action is to upgrade to 4.11.8 and then apply the patch for that version.

    Can somebody tell me how to upgrade a NuGet installation of version 4.11.4 to version 4.11.8?

  126. nick Says:

    So, I have an old site on 4.7.1, any chance to see a patch for this?

    Also, I don't see the 4.7.1.1 release which I believe will be the safer upgrade. Where can I get those?

  127. Sebastiaan Janssen Says:

    @Gavin In the nuget package manager you can install updates. Please be advised that your config files (web.config and files in /config) will be backed up and then overwritten. You need to merge the config files manually after the upgrade is done. 4.11.8 is secure, so there's no patch for it. 4.11.8 IS the patch. :)

    @nick As said in the blog post: email me.

  128. Gavin Says:

    @Sebastiaan,

    I tried to upgrade my NuGet installation from version 4.11.4 to 4.11.8 by running the following command from the Package Manager Console in Visual Studio:

    PM> Update-Package UmbracoCms -Version 4.11.8

    I then compared and merged config files and did a build on the solution. It still builds and works ok - no errors, however I still seem to be running version 4.11.4. None of the dll files in bin folder have changed.

    The output from within VS when it is built also shows a warning stating 'Found conflicts between different versions of the same dependent assembly'.

    Am I missing a step?

  129. Sebastiaan Janssen Says:

    @Gavin Hmm, try a rebuild of the solution. If you have multiple projects in your solution, all of them that have references to the Umbraco NuGet package need to be updated.

  130. John Perryn Says:

    I have upgraded successfully from 4.11.4 to 4.11.8 via the normal upgrade method and have deleted /bin/umbraco.webservices.dll. It appears to have succeeded. Do I now need to apply security patches or were they included in the upgrade? How can I test to ensure that the security problem has been eliminated?

  131. Jared Smith Says:

    umbraco v 4.7.2 (Assembly version: 1.0.4509.30052)

    Could not load type 'umbraco.uQuery' from assembly 'umbraco, Version=1.0.4868.23956, Culture=neutral, PublicKeyToken=null'.

    Seemed to be a problem with ucomponents which we are using. Have rolled back dlls.

    Any advice?

  132. Sebastiaan Janssen Says:

    @John 4.11.8 is completely secure.

    @Jared email me.

  133. Manish Says:

    I see there are no patches available for 4.11.1, 4.11.3, 4.11.4, 4.11.6.
    For the sites on those versions, what should we do?

  134. Niels Hartvig Says:

    @Manish: Upgrade to 4.11.8.

  135. Sam Wang Says:

    Hi there, since we applied the patch, we could not upload any image or file as the error message is 404. The test server works fine without the patch, any similar issue?

  136. Sam Wang Says:

    Forgot to mention the version is 4.7.2

  137. Tim Mather Says:

    We have just upgraded a site to 6.0.5 and it is running very, very slowly, the CMS is unusable, any ideas?

  138. Sarah Says:

    What is the recommended approach to migration from say 4.7.2 now that 4.8 - 4.10 have been removed from CodePlex? Is it safe to upgrade straight to 4.11.8 from such earlier versions?

  139. Glenn Says:

    I installed my site through the Azure Gallery, it's version 6.0.3, but my dll version numbers don't match the chart above. Should I try patching or do I need to upgrade to 6.0.5? Patching would be nice since backing up an Azure site seems tricky.

  140. Sebastiaan Janssen Says:

    @Glenn well you can back up the bin folder easily, so try the patch, if that doesn't work, go the upgrade route. Maybe leave a message in the forum to see how to upgrade safely using your particular set up as I'm not familiar enough with it to give advice.

  141. Rachel Says:

    I have 4.7.0 installation. The file in the patch zip "umbraco.pdb" is not currently present in my /bin folder. Does this need to be introduced if it is not already present or only if it already exists?

  142. Sebastiaan Janssen Says:

    @Rachel it's just added as a convenience if you need the debugging symbols. No need to copy it in if it's not already there.

  143. Allan Lykke Says:

    Do these security updates solve the insecure method of storing user passwords in the database? Hashed, but not salted.

    It is very disconcerting to see how fast a hashed password can be cracked.

    Link posted to a video showing just how fast it can be done.

    It took 0.00 seconds to crack such a password, once you got the database.

  144. Fabian Says:

    After I copy the patched umbraco.dll 4.7.0 to the bin-dir, none of the usercontrols will load, all giving this error: macro Error creating usercontrol (usercontrols/menuProfessionalArea.ascx)
    External component has thrown an exception.
    at System.Web.Compilation.AssemblyBuilder.Compile()
    at System.Web.Compilation.BuildProvidersCompiler.PerformBuild()
    at System.Web.Compilation.BuildManager.CompileWebFile(VirtualPath virtualPath)
    at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)
    at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)
    at System.Web.UI.TemplateControl.LoadControl(VirtualPath virtualPath)
    at System.Web.UI.TemplateControl.LoadControl(String virtualPath)
    at umbraco.macro.loadUserControl(String fileName, MacroModel model, Hashtable pageElements) in d:\Dropbox\Dev\UmbracoSource_v4\umbraco\presentation\macro.cs:line 1204

  145. Sebastiaan Janssen Says:

    Allan: No.
    Fabian: Please email me.

  146. leo bear Says:

    I am having a HASH SYMBOL problem while publishing an article using the 'publish at' dates property.
    Kindly help me to figure out solutions for this problem.
    Regards!

  147. leo bear Says:

    Kindly help me!!

  148. Rody Says:

    "We'll share details of the vulnerabilities in June when you've all had time to secure your installations."

    Are there any details available yet about this security issue?

  149. Brian Williams Says:

    Any news yet?

  150. trotmaster Says:

    Details of the vulnerability released:
    https://labs.mwrinfosecurity.com/advisories/2013/11/29/umbraco-cms-templateservice-remote-code-execution/
