Security update - one more major issue fixed in 4.7.0 through 22.214.171.124
This only applies to versions of Umbraco from 2011 or older. If you're running Umbraco 4.7.0 - 126.96.36.199, this blog post contains important information.
The version numbers for patched Umbraco versions between 4.5.0 and 188.8.131.52 will differ from the table below, please read about additional problems found in March 2016.
Hot on the heels of Wednesday's security issue, the same security firm found one more problem that affects a small number of Umbraco versions: 4.7.0, 4.7.1 and 184.108.40.206. Any other versions of Umbraco are NOT affected by this new vulnurability, but do refer to Wednesday's post as well, which covered a few more versions.
In order to protect vulnerable sites, we're not disclosing the details of this vulnerability for a while, trust us that it is severe and you should update your sites as soon as possible.
We've issued patches for affected versions:
- Umbraco version 4.7.0
- Umbraco version 220.127.116.11
The patches for the security issues found a year ago and the one we patched Wednesday have also been applied to these files, so there's no chance of regressing to old security problems. Of course the downloads on the blog post from last year have also been updated with this fix so people landing on that old post will also get this newest fix included.
You'll notice that a patch for 4.7.1 is absent, this is because to we have been unable to reconstruct at which point 4.7.1 was actually built, so we can not issue a patch for this version.
If you are running 4.7.1 then please send us an email and we'll provide you with advice for that version specifically.
How to apply the fix?
- Make a backup of your Umbraco installations "bin" folder, please do not forget this
- Download the zip file from the list above that matches your Umbraco version
- After downloading it, right-click the file, go to properties and click the "unblock" button (this is very important!)
- You've made a backup of the bin folder, right?
- Then simply copy the updated files from the zip file into your Umbraco site's bin folder, overwriting the existing files
Custom Umbraco build or not able to patch?
If you're not able to patch your installation or if you run a modified version of Umbraco - if you have modified the source of Umbraco and built your own version - we recommend that you setup a firewall to protect against external calls to /umbraco. You can see if you run a custom build of Umbraco by comparing your assembly version with the one in the table below. If the dll is of the below version numbers then you can safely overwrite the current version with the patched version (after making a backup, of course). The second column shows the version of the dll after it was patched with last year's fix, and the third the version of Wednesday's fix, so the dll can be either one of the three versions. If it is any other version then you're using a custom build and you should not use the patches listed above.
patched umbraco.dll (May 1, 2013)
patched umbraco.dll (May 21, 2014)
does not apply, 18.104.22.168 was not
Also, if you are running a custom build of 4.7.0, 4.7.1 or 22.214.171.124 and need advise on how to update your build to be safe then please e-mail us so we can provide you with that specific information.