Beta Versions - Security Flags

[Bluto]

Would it be possible to add the security flag to betas so site owners know that the next release will be a security release?

There were 3 4.1.19 betas.  None of them even mentioned that the final 4.1.19 would include security fixes (as far as I remember).

Thanks!

 

[sudo]

Its probably not a good idea as that would alert hackers to take a look at the beta code changes to find the hole and exploit it.

[Bluto]

They're going to look at the beta code changes anyway if they're looking for exploits.  If any exploits exist in a previous version, that's where they're going to show up, in the changes.

The reason I ask is so that people who have a lot of customizations have time to make those changes before the announcement of a new version with the security issues listed in the announcement.  Maybe a policy of not releasing security issues until 1 version has passed.  So an example: security fixes would be announced for v 4.1.17 in 4.1.19, security fixed for 4.1.19 would be listed in 4.1.21, and so on.

[sudo]

1 hour ago, Bluto said:

They're going to look at the beta code changes anyway if they're looking for exploits.  If any exploits exist in a previous version, that's where they're going to show up, in the changes.

The reason I ask is so that people who have a lot of customizations have time to make those changes before the announcement of a new version with the security issues listed in the announcement.  Maybe a policy of not releasing security issues until 1 version has passed.  So an example: security fixes would be announced for v 4.1.17 in 4.1.19, security fixed for 4.1.19 would be listed in 4.1.21, and so on.

Tbh they are much less likely to go through all 280 changed files in the hope there may be an exploit which may or may not be obvious from the code changes. Drawing attention before people can actually upgrade is definitely increase the likelyhood of it being discovered.

Its not that I dont see where you are coming from though, I just think the better way would be for them to release a hotfix for the last version as well as the current version so people can apply that in the interim without having to go through the process of testing everything.

I certainly hope when 4.2 comes out the 4.1 branch will still get security patches as that would be a really really annoying especially for larger sites which have many more things to consider before upgrading to a new major update.

[Bluto]

20 minutes ago, ZeroHour said:

I just think the better way would be for them to release a hotfix for the last version as well as the current version so people can apply that in the interim without having to go through the process of testing everything.

Amen to that.  That would be the IMO logical way to do things.  

At least they could delay the announcements of security bugs in each new version released.  If I ran a high value target and was away for a week when they released a security update, the hacker would know exactly what to attack.

 

20 minutes ago, ZeroHour said:

I certainly hope when 4.2 comes out the 4.1 branch will still get security patches as that would be a really really annoying especially for larger sites which have many more things to consider before upgrading to a new major update.

I could be wrong, but I doubt it.  

[sudo]

2 minutes ago, Bluto said:

Amen to that.  That would be the IMO logical way to do things.  

At least they could delay the announcements of security bugs in the new version.  If I ran a high value target and was away for a week when they released a security update, the hacker would know exactly what to attack.

 

I could be wrong, but I doubt it.  

We can only ask and hope I guess, security only patches may seem like a hassle but it makes the customers life a lot easier and would get rid of one of the gripes I have about moving across. Certainly 4.1 should receive security updates for a few versions of 4.2 until the initial issues have been fixed, I know that didnt happen with 4.1 but I can only hope they consider the change in policy for 4.2 and further updates.

[Mark]

Normally when a security vulnerability is reported to us, the person reporting it is the person who found it and they are happy to not disclose the details publicly. Rolling it into an actual release rather than issuing a patch allows us to do a thorough testing procedure and makes it much more likely people will actually upgrade. If an issue was publicly disclosed, we would naturally release a patch as soon as possible.

We do not announce that a new version will have security patches because that would be public disclosure. It would announce to any potential malicious parties that there is a vulnerability we have not yet patched. This is all standard industry practice.

It's also worth mentioning that the vast majority of security issues are very difficult to exploit in any effective way. Severity of the issue obviously plays a bit part in how we handle security releases. Fortunately we've never had something very devastating like an SQL injection vulnerability in IPS4.

As for 4.1 updates: we do have the capability to do that in our upgrade system, so if a very severe issue was found, we may update a previous branch. 4.2 is going to be largely compatible with 4.1 themes and plugins though, so there is little reason to not upgrade - general bug fixes and performance improvements will always be in new versions only, so it isn't just about new features.

[Bluto]

Thanks for the reply @Mark.

I understand about public disclosure before the release of a patch.  I'm not really asking for a public disclosure of the entire details of the security issue.  I'm asking for the red warning symbol to be added to the beta releases so that owners know that the next update will be a security release.

So, it's a choice between:

Letting site owners who own very customized sites know ahead of time via a red symbol on the betas that they will need to upgrade because a security release is included.  If the  "vast majority of security issues are very difficult to exploit in any effective way" then what's the harm in including a red warning symbol on the betas?

or

Releasing the new version as a security update with the security vulnerabilities listed, forcing site owners to update hoping things won't break on their customized site if they didn't have time to test the beta software.

All that I'm asking for is a notice / red security symbol to notify owners that the upgrade will be required giving them time to prepare to upgrade.

Obviously, it's up to you guys what you want to do.  Just trying to get some forewarning so testing can be done on a highly customized sites.