Thursday, February 5, 2015

Security alert - Update ClientDependency immediately

Update: this information is now obsolete, a new vulnerability was found and a new update is required.

Since Umbraco 4.5 we have shipped with the ClientDependency Framework. You may not have used it yourself but the Umbraco backoffice relies on it pretty heavily and a security flaw has been found.

Impact: High, take immediate action (except sites running on Umbraco as a Service)
Versions affected:
v4.5 - 7.1.9
Summary: ClientDependency, a library shipped with Umbraco, contains a security flaw.
Fix: Replace a single assembly file or run a NuGet update command. Completely backwards compatible.

We have been alerted by security company Dionach that there was a security problem with this library and we promptly proceeded to fix it.
We will not reveal the details of the security problem at this time to give everybody a chance to update their sites and eliminate the problem.

The problem affects Umbraco versions 4.5.0 through 7.1.9. It is absolutely necessary that you update live sites in this Umbraco version range with a new version of ClientDependency.
A minor security problem exists in 7.2.0 and 7.2.1 but this is only exploitable under very special circumstances. You don't have to rush an upgrade but it's advisable to do it when you get a chance.
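A practitioner with more than one site to check will want to know which of them fall into the ranges above before touching anything. The following PowerShell script is an added example, not part of the original advisory or of Umbraco's own tooling: it walks a set of site root folders (the default `C:\inetpub\wwwroot` and the `bin\ClientDependency.Core.dll` location are assumptions), reads the Umbraco version that the installer records in the `umbracoConfigurationStatus` appSetting of each site's web.config, classifies it against the ranges stated in this post, and reports the file version of the ClientDependency assembly currently in `bin` so it can be compared with the version you are about to install.

```powershell
# Added example (not from the advisory): find Umbraco sites on this server and
# classify them against the version ranges in the advisory.
# Assumptions: each site lives in its own folder under $SiteRoots, has a
# web.config with <add key="umbracoConfigurationStatus" value="x.y.z" />,
# and keeps the CDF assembly at bin\ClientDependency.Core.dll.
param(
    [string[]]$SiteRoots = @('C:\inetpub\wwwroot')   # assumption: site folder parent(s)
)

function Get-UmbracoVersion {
    param([string]$SiteRoot)
    $webConfig = Join-Path $SiteRoot 'web.config'
    if (-not (Test-Path $webConfig)) { return $null }
    [xml]$xml = Get-Content -Path $webConfig -Raw
    $node = $xml.configuration.appSettings.add |
        Where-Object { $_.key -eq 'umbracoConfigurationStatus' }
    if (-not $node -or -not $node.value) { return $null }
    try { return [version]$node.value } catch { return $null }
}

function Get-AdvisoryAction {
    param([version]$Version)
    # 4.5.0 - 7.1.9: high impact, update immediately (ranges from the advisory)
    if ($Version -ge [version]'4.5.0' -and $Version -le [version]'7.1.9') {
        return 'HIGH - replace ClientDependency.Core.dll now'
    }
    # 7.2.0 - 7.2.1: minor issue, update when convenient
    if ($Version -ge [version]'7.2.0' -and $Version -le [version]'7.2.1') {
        return 'LOW - update when you get a chance'
    }
    return 'outside the advisory range'
}

foreach ($root in $SiteRoots) {
    Get-ChildItem -Path $root -Directory | ForEach-Object {
        $umbracoVersion = Get-UmbracoVersion -SiteRoot $_.FullName
        if ($null -eq $umbracoVersion) { return }   # not an Umbraco site, skip

        # Report what is currently deployed; compare it with the version you install.
        $dll = Join-Path $_.FullName 'bin\ClientDependency.Core.dll'
        $dllVersion = if (Test-Path $dll) { (Get-Item $dll).VersionInfo.FileVersion } else { 'missing' }

        [pscustomobject]@{
            Site                = $_.Name
            Umbraco             = $umbracoVersion.ToString()
            ClientDependencyDll = $dllVersion
            Action              = Get-AdvisoryAction -Version $umbracoVersion
        }
    }
}
```

Run it once before the update to get the list of sites that need the new assembly, and again afterwards to confirm the reported `ClientDependencyDll` file version changed on every HIGH site; the advisory itself does not state the patched assembly's version number, so take that value from the package you download.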

How to update?

Manual

If you are NOT using NuGet then it's as easy as copying the new version of ClientDependency.Core.dll for your framework (builds are provided for .NET 4.5, .NET 4.0 and .NET 3.5) into the bin folder of your website. This version is fully backwards compatible with all earlier versions of ClientDependency so you don't need to worry about breaking anything. If you are using the nuPickers package in Umbraco 7.x some configuration changes will be required, see below for details.

NuGet

If you ARE using NuGet then the following instructions apply:

For Umbraco versions 4.7.2 through 6.1.2.2 - run:

Install-Package ClientDependency

in your Package Manager Console. Alternatively you can use the NuGet UI to search for the ClientDependency package and install it.

For Umbraco version 6.1.3, 6.1.4 and 6.1.5 - run:

Update-Package ClientDependency

in your Package Manager Console. Alternatively you can use the NuGet UI to search for the ClientDependency package and update it. Note: this will upgrade your Umbraco installation to version 6.1.6! This is a good thing, 6.1.6 fixes quite a few bugs. Make sure to answer "No" when NuGet asks you if you want to overwrite config files.

For Umbraco version 6.1.6 and higher - run:

Update-Package ClientDependency

in your Package Manager Console. Alternatively you can use the NuGet UI to search for the ClientDependency package and update it.

All available zip files on our Downloads page have been updated with the new version of ClientDependency and NuGet installs will also automatically get the latest, secure version.

If you're running on Umbraco as a Service you're not affected by this security issue.

Update: if you are using the nuPickers package in Umbraco 7.x some additional configuration changes will be required

Due to the way that nuPickers loads request-based dependencies for its components, you will need to update your ~/config/ClientDependency.config file and whitelist your domains. You can find the details on this forum post.
