
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Security and Updates/Builds

June 10, 2008 4:51pm

  • #1 / Jun 10, 2008 4:51pm

    sigork

    155 posts

    I see EE suggested updating v.1.5.2 to improve security for a website:

    4) update to the latest version of EE

    http://ellislab.com/forums/viewreply/412180/

    I don’t understand why to update that website. Is v.1.5.2 insecure? Are there any security vulnerabilities in it?

    If ‘yes’, I think we need to know which versions have vulnerabilities. If I see that I use an insecure version, I’ll pay for the download access and update it. (vB offers such information and necessary free patches for such cases.)

    If I don’t see such patches or announcements, that means I can use v.1.5.2 without any problems. But at the same time I see an article about EE—The Open Security Model, Drupal and ExpressionEngine on Security that one of 1.6.2 builds has at least 3 security vulnerabilities.

    So, my question is: Can EE be securely used without regular paid updates? Are previous versions secure?

    I’m not a specialist in this field, that is why I have such questions.

    Thanks a lot.

  • #2 / Jun 10, 2008 5:05pm

    Ingmar

    29245 posts

    As you know, security is a process. There is no permanently secure stage that, once reached, would allow us to rest on our laurels and consider ourselves immune from future attacks. The thread you mentioned here has almost certainly nothing to do with EE as such. Still, it certainly is a good idea to upgrade to the latest version to take advantage of bugfixes, improved security etc.

    There was one case where a largely theoretical, yet still real, vulnerability existed in EE. EllisLab provided a security patch for all (!) users within 24 hours of being notified of this vulnerability. I have no reason to believe that they would react differently if a similar situation came up again.

    Regardless of security considerations, it is always recommended to keep software current. Software, too, has a shelf life, as it were, and does not necessarily age gracefully.

  • #3 / Jun 10, 2008 5:17pm

    narration

    773 posts

    Sigork, you might like to look at this thread:

    Blogger on ExpressionEngine security

    I found it from your article link’s comments, and people are discussing the question you raise there.

    Kind regards,
    Clive

  • #4 / Jun 10, 2008 5:19pm

    narration

    773 posts

    I agree with you also, Ingmar. Maybe this chat about the topic will sensitize people to take the updates and upgrades when they are offered.

    On the other hand, as discussed in the other thread, EllisLab’s silent policy, so as to not inform hackers, seems to me a very prudent way, which means we won’t get caught by those hackers when we delay the upgrades for whatever reasons.

    Kind regards,
    Clive

  • #5 / Jun 10, 2008 5:37pm

    Derek Allard

    3168 posts

    Hey Sigork, since you’ve quoted me, I just want to take a moment to respond. We always recommend that users update to the latest builds. There are lots of good reasons to update, including stability, features and ease of support, but let me focus on the main issue you raise, that of security.

    Security is a large part of what we do. We are extraordinarily proactive on this front. We’re always refining things, even when issues aren’t reported. We don’t take a wait-and-see approach here; we constantly improve the code. It’s deeply ingrained into our development process. In general, in each new build there are new enhancements (documented in the changelog) because of this process, and in each case I’d recommend you update your version.

    In the case you cite above, the main reason I asked him to update was not because I thought there was a fix in there that he needed, but because I wanted to be sure he had uncompromised files in place for his site (if it was in fact a malicious user with his FTP, no level of programming security is sufficient, but new files and a new password would be). But to directly answer your question: yes, I think you would want to update your installations. Previous versions were secure against what we knew of then; recent versions are a cumulation of all our efforts.

    This is true of all software of course, and is the driving reason why most hosts require their customers to keep their scripts up to date in their terms of service.

  • #6 / Jun 10, 2008 5:44pm

    Leslie Camacho

    1340 posts

    Keep in mind that just because someone claims there is a security issue with EE doesn’t mean that there is.

    If there is a significant security issue with EE we always announce it on our website. It would be posted in our forums and on our blogs. This is what we’ve done in the past and what we will continue to do. We’d release a patch for past versions if necessary.

    If there are security improvements mentioned in the Changelog but not in our blog or website it means we’ve improved EE’s security in some fashion but that doesn’t represent a true “security threat” that is likely to impact a significant portion of EE installations. That doesn’t change that the best practice is to stay on the current version.

  • #7 / Jun 11, 2008 11:22am

    Willem de Boer

    142 posts

    https://secure.expressionengine.com/download.php?ACT=ee_build

    To always get the latest version, here’s the RSS feed with the latest build.
