This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Staying Secure while Not Introducing Show-Stopping Updates

June 01, 2012 4:51am

  • #1 / Jun 01, 2012 4:51am

    mark186282

    290 posts

    Today I see an urgent message to upgrade to 2.5.1 in my control panel.

    Then I glanced through the bug report and forums, and I see some pretty significant bugs in 2.5.1, including at least two installation show-stoppers (at this point, they are reported but not verified except by other customers).

    show-stopper number one:
    https://support.ellislab.com/bugs/detail/17971

    show-stopper number two:
    https://support.ellislab.com/bugs/detail/17968

    not sure if this is an officially reported bug yet… but also seems to be a showstopper:
    http://ellislab.com/forums/viewthread/218293/

    ———————————-

    I continue to be dismayed by the lack of a thorough testing process prior to releasing production software.

    >> there is no program for managing release candidates versus production releases
    >> there is no identification of “stable” versus “beta”
    >> there are no downloads of previous versions… so I must depend on my personal backup to restore to a previous version that didn’t include recent show-stopping bugs (of course, we back up everything before making changes)
    >> there is no release schedule - it was 3 1/2 months between 2.4.0 and 2.5.0, while there remained dozens of bugs in 2.4.0… including “show stoppers”

    It leaves us in the situation of trying to decide “should I upgrade and spend my day debugging the new installation… hoping to not take my sites down for any length of time?” or “should I hold out for a fix to the release… and leave my site at risk for an exploit? (which may take months)”.

    We have tens of thousands of records, images, files… and hundreds of paying customers depending on a site that is functional. Right now, I’m going to hold off on upgrading until there’s more information available about what bugs I’ll need to hammer out prior to the installation.

    ———————————-

    My questions:

    1.  how can I view a list of show-stopping bugs for a specific release of Expression Engine?
    2.  how can I apply the 2.5.1 security fix of “Fixed a potential cross site scripting vulnerability in the member module.” without introducing the other bugs that come with the new release?

  • #2 / Jun 03, 2012 1:08pm

    geekamongus

    4 posts

    I would like to know the answers to these questions as well. I am not thrilled with the rather guarded, almost dismissive approach to security.

    Edit: To clarify, EL’s effort to make EE a secure product is great. What is lacking is any sort of openness about it with the user base. Saying “always run the latest version” is not a good enough answer. It’s not that easy for those of us on the front line with many clients running EE.

  • #3 / Jun 04, 2012 12:16pm

    Shane Eckert

    7174 posts

    Hello mark186282,

    I hear your frustrations and I understand why. I know it’s been said before, but as a Customer Advocate, I do appreciate your feedback and we are listening.

    The Dev team is aware of the bugs even though they were just reported last week. I want you to know that. They are getting attention.

    You have two questions I will try and answer for you.

    1. How can I view a list of show-stopping bugs for a specific release of Expression Engine?

    There is currently no way to search for “Show-Stopper” bugs, but I think you could make a case for that. Please file a Feature Request for it. I really do see why this is a great idea, so if you do file a request, I will make sure that request gets attention; I am doing my best to be your advocate.

    2. How can I apply the 2.5.1 security fix of “Fixed a potential cross site scripting vulnerability in the member module.” without introducing the other bugs that come with the new release?

    You can make the changes in the bug reports to the source before running the update. For example, this bug does list a fix that you can make to “system/expressionengine/modules/referrer/upd.referrer.php” beforehand.

    In response to geekamongus, we try to be as transparent as possible with security, but as you can imagine, too much transparency in this area would not be very secure. Again, I do hear your concerns and they do matter.

    Thank you,

  • #4 / Jun 04, 2012 12:41pm

    mark186282

    290 posts

    Thanks Shane - your response is much appreciated.

    I did make the request in February to another staff member who said “great idea, I’ll pass it on” - but I failed to submit it as a formal request. I have done that now.

    ...

    The answer to the second one makes me feel very risky without the answer to #1 in place. 😊 I know I could drudge through the list of forum posts and bug reports and try to make a task-list of everything I have to patch for you guys… but, honestly, I’ve got bigger fish to fry at this moment.

    ...

    I appreciate the task at hand very personally, and recognize the mountain that we are trying to climb. I also appreciate the security track record that Ellis Lab and the Expression Engine team have - and know that this team takes security very, very seriously.

  • #5 / Jun 05, 2012 4:19pm

    Shane Eckert

    7174 posts

    Hey mark186282,

    Thank you for that request. It’s been brought to the attention of the Devs.

    Again, I am sorry for your frustration here.

    Is there anything else I can help with?

    Thank you,
