Security Patch Reporting

#1
I'm currently using IPB, the security patch system there is awful. If a security patch is released, they make an announcement in your AdminCP, and the announcement stays up for about a month. It does not go away if you patch the software for the flaw, nor does the software itself indicate version number or patch level.

How does XF handle security patches and their reporting?
 
#4
Is there a process for reporting this in the AdminCP? If there is more than one site admin, how would he/she know if the patch is applied? A version number/patch level indicator in the admin area seems like an easy way to do this.

So it appears XF does patch reporting like IPB, announcements and email notifications with no internal reporting. vB has clear patch level reporting within the AdminCP itself, and I'd suggest XF do the same. It would save a lot of frustration for people who run multiple sites, and/or have multiple admins.
 

Brogan

XenForo moderator
Staff member
#5
XenForo makes no callbacks/forwards at all, so nothing is ever communicated via the ACP.

The version is displayed in the ACP.
 
#6
Sorry to be so specific, but this is a major pain point for me and I want to be 100% sure.

The version is displayed in the ACP.
If the version # is displayed in the ACP, does this mean the current patch level is displayed in the ACP? Or are patches simply "upload the new files and you are safe"?
 

Brogan

XenForo moderator
Staff member
#7
XF versioning follows the principle of first, second, and third point releases.

The current version is 1.4.7.

The next third point release would be 1.4.8.
The next second point release would be 1.5.0.
The next first point release would be 2.0.0.
 
#8
I'll re-state the question. What happens if:

1) XF discovers a security vulnerability.
2) They release a patch to remedy the vuln.
3) An admin downloads the patch and applies it to their site.

Will another admin who has not communicated directly to the first admin (the one that applied the patch) be able to determine independently from within the ACP that the patch was applied?
 

Tracy Perry

Well-known member
#13
The "applied patch" is normally just a modified .php file or .swf file (in the two main cases I remember).
The best process is when a point release (which is what will happen typically if a security vulnerability is found) is released, install the point upgrade (and not the patch file). Then you see the version number in the ACP when you log in.

 
#14
Patching is always better, but there is no reason to go through that process, especially when the fix is uploading one file, a process that takes 15 seconds from start to finish, and especially when admins are busy.

Seems like an exceptionally simple include that would help some members. Yes, security patches are rare, but exposed sites are mini-crisis points for the admins. Wouldn't it be good to make that process as clear and unconfusing as possible?
 

rainmotorsports

Well-known member
#18
The internal versioning system does account for patch level, so if they ever decide to patch as such it can be displayed. Currently it doesn't, as all permanent patches have been full patch versions.

I can only recall 3 incidents in my time here. 2 of them were the flash uploader and another was a flaw in PHP itself. None of them were directly XenForo related. If a serious issue comes up, the patch is usually available with instructions, but a day or two later all the vetted fixes are released with the vulnerability patch anyway.
 
#19
Nope, as was stated several times above.
I asked if the current patch level was displayed; it is not, if the patch alone is applied. Being informed of an outstanding unpatched vulnerability in the ACP is a separate but also very important item.

Sorry for the semantics here, but I need to get very specific info, which I now have. Thanks to all!
 

Jon W

Well-known member
#20
Just to clarify, the Install and Upgrade by Waindigo add-on does not automatically alert you if your XenForo installation is out of date, although it does have the ability to do that and if there was a serious security breach we would certainly use the broadcast system included in that add-on to alert sites that needed to upgrade their installation.