Security update - two major vulnerabilities found
TL;DR: Motivated by this week’s discovery of a security vulnerability, we analysed the entire Umbraco core and found two additional major vulnerabilities, so you’ll need to patch your installation as soon as possible. Download a patch for your Umbraco version at the bottom of this post.
Update: 4.11.8 / 6.0.5 released, see the last paragraph of this post.
Versions before 4.5.0 are not affected by these new vulnerabilities; however, yesterday's security alert still applies (the recommendation is still: delete umbraco.webservices.dll).
In light of this information we will not be publishing custom builds for versions lower than 4.5.0.
Some people are using 4.9.0 / 4.9.1 with a custom patch, the dll versions are now in the table below and patch files have been added ("Inline Xslt Fix" versions).
Unfortunately we can't provide a patch update for 4.7.1, please email firstname.lastname@example.org for alternatives.
We've found two more major vulnerabilities
In parallel with the earlier security alert, we’ve been going through every method in Umbraco that deals with external requests. Based on this analysis, we’ve found two additional vulnerabilities and therefore we strongly recommend that you update your installation(s). The following steps are necessary even if you have already deleted the umbraco.webservices.dll.
To make this as easy as possible, we’ve created patched versions of all Umbraco releases from the past three years. To secure your site, find what version of Umbraco you’re using and download the corresponding patch at the bottom of this post. The patch is a zip file that includes updated and secure versions of umbraco.dll and umbraco.webservices.dll. Once these files are copied to your /bin folder your installation is patched and secured.
We know this is frustrating as you’ve probably already spent time this week updating your installations. We hope you understand that we took this double approach with delete first, patch secondly to ensure that your Umbraco installation would be as secure as possible in the quickest possible way.
In addition to the incredible efforts from the core team in dealing with these issues, I’d like to thank the brilliant partners and security analysts we’ve worked with over the last couple of days for their tireless help and constructive feedback in making Umbraco as secure as possible.
Last year - after Codegarden - we added a new workflow for core submissions with more thorough code reviews of both internal and external code, but unfortunately the vulnerabilities discovered were related to core changes before this governance was implemented.
We apologize for the inconvenience that these security vulnerabilities have caused, we’re doing everything we possibly can to ensure you won’t experience a deja vu anytime soon. We'll share details of the vulnerabilities in June when you've all had time to secure your installations.
How to patch your installation
The updated files can be downloaded from the list below. Back up your /bin/umbraco.dll and /bin/umbraco.webservices.dll and replace them with the versions you find in the zip file below.
- Umbraco version 4.5.0
- Umbraco version 4.5.1
- Umbraco version 4.5.2
- Umbraco version 4.6.1
- Umbraco version 4.7.0
- Umbraco version 220.127.116.11
- Umbraco version 4.7.2
- Umbraco version 4.8.0
- Umbraco version 4.8.1
- Umbraco version 4.9.0
- Umbraco version 4.9.0 - with Inline XSLT fix
- Umbraco version 4.9.1
- Umbraco version 4.9.1 - with Inline XSLT fix
- Umbraco version 4.10.1
- Umbraco version 4.11.7
- Umbraco version 6.0.3
- Umbraco version 6.0.4
Custom Umbraco build or not able to patch?
If you're not able to patch your installation, or if you run a modified version of Umbraco (that is, you have modified the Umbraco source and built your own version), we recommend that you set up a firewall to block external calls to /umbraco. You can see whether you run a custom build of Umbraco by comparing your assembly version with the one in the table below. If the dll has the version number listed below, then you can safely overwrite the current version with the patched version (after making a backup, of course).
- 4.9.0 with Inline XSLT fix
- 4.9.1 with Inline XSLT fix
If you're using Umbraco v4.5.1-4.7.2 and have the umbraco.webservices.dll file in your bin folder and you absolutely cannot live without it, then there's a secured version available for Umbraco 4 and for Umbraco 6.
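The check-then-patch procedure above (compare the installed assembly version, back up both dlls, then drop in the patched copies), written out as a PowerShell script. This is an added example, not a script shipped by Umbraco; the site root, the downloaded zip path and the expected stock assembly version for your release (taken from the table above) are all supplied by you, and the version shown in the comments is a placeholder.

```powershell
# Added example (not from the Umbraco post): verify, back up and replace the two patched assemblies.
# Assumptions: $SiteRoot and $PatchZip are supplied by the operator; $ExpectedVersion is the stock
# assembly version for your release from the post's table (the value in the comment is a placeholder).
# Requires PowerShell 5 or later for Expand-Archive.
param(
    [Parameter(Mandatory = $true)][string] $SiteRoot,        # e.g. C:\inetpub\mysite
    [Parameter(Mandatory = $true)][string] $PatchZip,        # zip downloaded from this post
    [Parameter(Mandatory = $true)][string] $ExpectedVersion  # e.g. '1.0.0.0' (PLACEHOLDER)
)

$bin   = Join-Path $SiteRoot 'bin'
$files = @('umbraco.dll', 'umbraco.webservices.dll')

# 1. Compare the installed umbraco.dll assembly version with the stock version for this release.
#    GetAssemblyName reads metadata only; it does not load or execute the assembly.
#    A mismatch means a custom build: stop here and firewall /umbraco instead of overwriting.
$current   = Join-Path $bin 'umbraco.dll'
$installed = [System.Reflection.AssemblyName]::GetAssemblyName($current).Version.ToString()
if ($installed -ne $ExpectedVersion) {
    throw "umbraco.dll is $installed, expected $ExpectedVersion: custom build, do not overwrite."
}

# 2. Back up both assemblies before touching anything (umbraco.webservices.dll may already
#    have been deleted following the earlier alert, so its absence is not an error).
$backup = Join-Path $SiteRoot ('bin-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($f in $files) {
    $src = Join-Path $bin $f
    if (Test-Path $src) { Copy-Item $src -Destination $backup }
}

# 3. Unpack the patch zip and copy only the two expected files into /bin.
$tmp = Join-Path $env:TEMP ('umbraco-patch-' + [guid]::NewGuid())
Expand-Archive -Path $PatchZip -DestinationPath $tmp
foreach ($f in $files) {
    $patched = Get-ChildItem -Path $tmp -Recurse -Filter $f | Select-Object -First 1
    if (-not $patched) { throw "$f not found in $PatchZip" }
    $dest = Join-Path $bin $f
    Copy-Item $patched.FullName -Destination $dest -Force
    $v = [System.Reflection.AssemblyName]::GetAssemblyName($dest).Version
    Write-Host "$f replaced, now version $v (backup in $backup)"
}
Remove-Item $tmp -Recurse -Force
```

Copying into /bin recycles the application pool, so run this during a maintenance window; if the version check throws, leave the files alone and apply the firewall rule from the paragraph above instead.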