OctoDev, posted March 21, 2017: I haven't updated to 4.1.19 at all, which includes a security fix. Now that you guys announced 4.1.19.1 it doesn't show the security warning even though I haven't updated to 4.1.19, which includes a security fix (XSS).
David.., posted March 21, 2017: 4.1.19.1 already includes all previous security fixes.
rllmukforum, posted March 22, 2017: I think the point is, if you're on anything less than 4.1.19, you're exposed to the security defect. However, if you miss the red banner (and perhaps email notification) and only catch 4.1.19.1, you could be forgiven for missing the fact that you're a critical update behind.
Simon Woods, posted March 22, 2017: Even when you click on the link in the banner the relevant security information does not appear in the updater. There is no way for somebody who has missed the red banner and didn't check their email and hasn't checked this site to know that this is a security update. Now, to be honest, if you're this person then I wouldn't join your site since I expect you to be on top of security updates especially, but yeah, there is some seeming inconsistency here.
Colonel_mortis, posted March 22, 2017: I reported this in a ticket, along with another related issue, and Matt said he would look into it. Then again, he also said that he would flag 4.1.19.1 as a security release today, because it contains fixes for additional XSS vulnerabilities, but that has not yet happened.
OctoDev (topic author), posted March 22, 2017: Yeah, seems weird; it's very easy to miss out on updates, especially when they release them shortly after each other. Then if you did, it wouldn't be marked as red or warn you that it contains a security fix.
rllmukforum, posted March 23, 2017, quoting Simon Woods (18 hours earlier): "Even when you click on the link in the banner the relevant security information does not appear in the updater. There is no way for somebody who has missed the red banner and didn't check their email and hasn't checked this site to know that this is a security update. Now, to be honest, if you're this person then I wouldn't join your site since I expect you to be on top of security updates especially, but yeah, there is some seeming inconsistency here." It feels contrived, but you're a lone admin of a smaller site and are away for a couple of weeks. 19 and 19.1 dropped within about a week, so I could see you logging in and missing the red banner. Obviously, the system is currently orders of magnitude better than 3.x, but keeping the banner red if any pending updates are critical is a nice nod to security.
Mark H, posted March 23, 2017: That is a bug, and I will report it as such. If you are running a version less than a security release update, the banner should remain red and not be able to be dismissed.
Jujuwar, posted March 23, 2017, quoting Mark H (50 minutes earlier): "That is a bug, and I will report it as such. If you are running a version less than a security release update, the banner should remain red and not be able to be dismissed." I remember that I already reported that in the past, and it was fixed. It's weird that this bug is back.
Charles (Management), posted March 23, 2017: Sorry about all the confusion here. We even confused ourselves internally.
Simon Woods, posted March 23, 2017: A good reminder that every admin should check the Release Notes on this site at least once a month.
MADMAN32395, posted March 23, 2017, quoting Simon Woods (1 minute earlier): "A good reminder that every admin should check the Release Notes on this site at least once a month." Or at least 'Follow' that entire page so when updates are made they are emailed to you. I have mine piped (commerce) into the suite so all admins are notified.
Simon Woods, posted March 23, 2017, quoting MADMAN32395 (1 minute earlier): "Or at least 'Follow' that entire page so when updates are made they are emailed to you. I have mine piped (commerce) into the suite so all admins are notified." You could be so inventive with access to that as well, even to the point of being notified on your phone. That way it doesn't matter if you haven't visited your site or ACP or whatever. Although, not everybody is willing to have their site intrude on them in this way, so it's good to know that IPS is still on the case with improving the basic communication.
Colonel_mortis, posted March 23, 2017: The problem with following that section, or even getting emails when new versions are released, is that security updates aren't always flagged at the time that the notifications are sent. .19 wasn't flagged when I got the email about it, and .19.1 has only just been flagged (PSA: upgrade asap).
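The rule Mark H states (a banner that stays red and cannot be dismissed while the installed version is older than any security release) and the timing problem Colonel_mortis raises (a release flagged as security only after its announcement went out) can both be checked with a small version-comparison routine. The following is an added example and not Invision Community's own updater code; `Release`, `banner_state`, `dismissible` and the release lists are constructed for illustration and only mirror the version numbers mentioned in this thread. It evaluates the current release list on every check, so a release re-flagged after the fact changes the banner on the next check rather than being missed.

```python
"""Decide what an admin-panel update banner should show, given the installed
version and the vendor's current release list.

Added example (not Invision Community code). Models the rule from the thread:
if the installed version is older than any release flagged as a security
release, the banner is critical and cannot be dismissed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Release:
    version: str
    security: bool  # True once the vendor has flagged this release as a security release


def parse_version(version: str) -> tuple[int, ...]:
    """'4.1.19.1' -> (4, 1, 19, 1). Tuple ordering places '4.1.19' before '4.1.19.1'."""
    return tuple(int(part) for part in version.split("."))


def pending_releases(installed: str, releases: list[Release]) -> list[Release]:
    """Every release newer than the installed version, oldest first."""
    current = parse_version(installed)
    newer = [r for r in releases if parse_version(r.version) > current]
    return sorted(newer, key=lambda r: parse_version(r.version))


def banner_state(installed: str, releases: list[Release]) -> str:
    """'ok' when up to date, 'update' when only non-security releases are pending,
    'critical' when at least one pending release (not just the newest) is a
    security release. Checking all pending releases is what keeps the banner red
    for someone on 4.1.18 who only noticed the 4.1.19.1 announcement."""
    pending = pending_releases(installed, releases)
    if not pending:
        return "ok"
    if any(r.security for r in pending):
        return "critical"
    return "update"


def dismissible(installed: str, releases: list[Release]) -> bool:
    """The banner may only be dismissed when no security fix is outstanding."""
    return banner_state(installed, releases) != "critical"


# Constructed release lists mirroring the thread: 4.1.19 was a security
# release from the start; 4.1.19.1 was announced as a normal release and
# flagged as a security release later.
RELEASES_AT_ANNOUNCEMENT = [
    Release("4.1.18", security=False),
    Release("4.1.19", security=True),
    Release("4.1.19.1", security=False),
]
RELEASES_AFTER_REFLAG = [
    Release("4.1.18", security=False),
    Release("4.1.19", security=True),
    Release("4.1.19.1", security=True),
]

if __name__ == "__main__":
    for installed in ("4.1.18", "4.1.19", "4.1.19.1"):
        print(installed,
              "at announcement:", banner_state(installed, RELEASES_AT_ANNOUNCEMENT),
              "after re-flag:", banner_state(installed, RELEASES_AFTER_REFLAG))
```

An admin on 4.1.19 sees only "update" against the release list as first announced, and "critical" once 4.1.19.1 is re-flagged, which is exactly the gap an email sent at announcement time cannot close; polling the release list (or the release-notes page) rather than relying on the one-off notification is what makes the later flag visible.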
Jujuwar, posted March 25, 2017, quoting Jimmy Gavekort (5 minutes earlier): "It is fixed now." Of course, they flagged it as a security release.