
Security Patch Reporting

Discussion in 'XenForo Pre-Sales Questions' started by OttoBomb, May 20, 2015.

  1. OttoBomb

    OttoBomb Member

    I'm currently using IPB, and the security patch system there is awful. If a security patch is released, they make an announcement in your AdminCP, and the announcement stays up for about a month. It does not go away if you patch the software for the flaw, nor does the software itself indicate the version number or patch level.

    How does XF handle security patches and their reporting?
  2. Brogan

    Brogan XenForo Moderator Staff Member

    There is no equivalent of that in XF.

    Generally releases are just regular releases.
  3. borbole

    borbole Well-Known Member

    If a patch is issued, then a topic is posted in the Announcements forum and then all customers receive an email notifying them about it.
  4. OttoBomb

    OttoBomb Member

    Is there a process for reporting this in the AdminCP? If there is more than one site admin, how would he/she know if the patch is applied? A version number/patch level indicator in the admin area seems like an easy way to do this.

    So it appears XF does patch reporting like IPB: announcements and email notifications, with no internal reporting. vB has clear patch level reporting within the AdminCP itself, and I'd suggest XF do the same. It would save a lot of frustration for people who run multiple sites and/or have multiple admins.
  5. Brogan

    Brogan XenForo Moderator Staff Member

    XenForo makes no callbacks/forwards at all, so nothing is ever communicated via the ACP.

    The version is displayed in the ACP.
  6. OttoBomb

    OttoBomb Member

    Sorry to be so specific, this is a major pain point for me and I want to be 100% sure.

    If the version # is displayed in the ACP, does this mean the current patch level is displayed in the ACP? Or are patches simply "upload the new files and you are safe"?
  7. Brogan

    Brogan XenForo Moderator Staff Member

    XF versioning follows the principle of first, second, and third point releases.

    The current version is 1.4.7.

    The next third point release would be 1.4.8.
    The next second point release would be 1.5.0.
    The next first point release would be 2.0.0.
  8. OttoBomb

    OttoBomb Member

    I'll re-state the question. What happens if:

    1) XF discovers a security vulnerability.
    2) They release a patch to remedy the vuln.
    3) An admin downloads the patch and applies it to their site.

    Will another admin who has not communicated directly to the first admin (the one that applied the patch) be able to determine independently from within the ACP that the patch was applied?
  9. Brogan

    Brogan XenForo Moderator Staff Member

  10. OttoBomb

    OttoBomb Member

    So the 2nd admin will not be able to tell then.

    Thanks for the info.
  11. Brogan

    Brogan XenForo Moderator Staff Member

    They will if the upgrade version is installed.
  12. OttoBomb

    OttoBomb Member

    I should hope a full upgrade would come with a new version number. I was just hoping that an applied patch would also be indicated.
  13. Tracy Perry

    Tracy Perry Well-Known Member

    The "applied patch" is normally just a modified .php file or .swf file (in the two main cases I remember).
    The best process is when a point release (which is what will happen typically if a security vulnerability is found) is released, install the point upgrade (and not the patch file). Then you see the version number in the ACP when you log in.

    (screenshot: the version number shown in the ACP after logging in)
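The two points made in posts 7 and 13 (the first/second/third point release scheme, and the fact that a hotfix is just a replaced .php file that does not bump the version) suggest two independent checks a second admin can run without talking to the first one. The following is an added example written for this thread, not XenForo's own code: `release_covers_fix` orders versions numerically under the 1.4.7 -> 1.4.8 -> 1.5.0 -> 2.0.0 scheme, and `hotfix_status` compares the SHA-256 of the files a hotfix replaced against the expected digests. The assumption that a vendor publishes a digest of the fixed file alongside the patch is hypothetical (the thread does not say XenForo does this), and every path, file body and digest in `demo()` is constructed for the example.

```python
"""Added example: two ways a second admin can independently confirm a fix.

Assumptions (not from the thread):
  - versions are first.second.third point releases, compared numerically;
  - a hotfix replaces whole files and the announcement publishes a SHA-256
    of each replaced file (hypothetical vendor practice).
"""
import hashlib
import re
import tempfile
from pathlib import Path

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'1.4.7' -> (1, 4, 7). Numeric tuples sort correctly; strings do not
    ('1.10.0' < '1.9.0' lexically, which is a classic version-check bug)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a first.second.third point version: {text!r}")
    return tuple(int(part) for part in m.groups())


def release_covers_fix(installed, fixed_in):
    """True if the installed point release is at or above the release that
    carries the fix. Only meaningful when the fix shipped as a release, not
    as a hotfix file (a hotfix leaves the version number unchanged)."""
    return parse_version(installed) >= parse_version(fixed_in)


def sha256_file(path):
    """Stream the file so large assets do not land in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hotfix_status(root, expected):
    """Check each replaced file under `root` against its expected digest.

    expected: {relative_path: sha256_hex} as published with the hotfix.
    Returns {relative_path: 'patched' | 'unpatched' | 'missing'}.
    """
    status = {}
    for rel, want in expected.items():
        target = Path(root) / rel
        if not target.is_file():
            status[rel] = "missing"
        elif sha256_file(target) == want.lower():
            status[rel] = "patched"
        else:
            status[rel] = "unpatched"
    return status


def demo():
    """Constructed scenario: one file already replaced, one still carrying the
    pre-patch code, one listed in the announcement but absent on disk.
    File names and contents are made up for the example."""
    fixed_src = b"<?php // upload handler, fix applied\n"
    vuln_src = b"<?php // upload handler, pre-patch\n"
    expected = {
        "library/Hotfix/UploadHandler.php": hashlib.sha256(fixed_src).hexdigest(),
        "js/flash/uploader.php": hashlib.sha256(fixed_src).hexdigest(),
        "library/Hotfix/Other.php": hashlib.sha256(fixed_src).hexdigest(),
    }
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "library" / "Hotfix").mkdir(parents=True)
        (base / "js" / "flash").mkdir(parents=True)
        (base / "library" / "Hotfix" / "UploadHandler.php").write_bytes(fixed_src)
        (base / "js" / "flash" / "uploader.php").write_bytes(vuln_src)
        return hotfix_status(root, expected)


if __name__ == "__main__":
    print("1.4.7 covers fix in 1.4.8?", release_covers_fix("1.4.7", "1.4.8"))
    print("1.5.0 covers fix in 1.4.8?", release_covers_fix("1.5.0", "1.4.8"))
    for rel, state in demo().items():
        print(f"{state:9s} {rel}")
```

The hash check is the one that answers OttoBomb's question: it reports the patch state from the files on disk, so a second admin on the same install gets the same answer with no ACP support and no message from the first admin. Running it from a cron job and alerting on anything other than "patched" turns it into the outstanding-vulnerability indicator the thread asks for.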
  14. OttoBomb

    OttoBomb Member

    Patching is always better, but there is no reason to go through that process, especially when the fix is uploading one file, a process that takes 15 seconds start to finish, and especially when admins are busy.

    Seems like an exceptionally simple include that would help some members. Yes, security patches are rare, but exposed sites are mini-crisis points for the admins. Wouldn't it be good to make that process as clear and unconfusing as possible?
  15. Jake B.

    Jake B. Well-Known Member

    You can always use the Install & Upgrade Add-on by @Jon W. IIRC it tells you when there is a new XF version in the ACP.
  16. OttoBomb

    OttoBomb Member

    So XF does not inform you of a new version in the ACP by default?
    Last edited: May 21, 2015
  17. Jake B.

    Jake B. Well-Known Member

    Nope, as was stated several times above.
  18. rainmotorsports

    rainmotorsports Well-Known Member

    The internal versioning system does account for patch level so if they ever decide to patch as such it can be displayed. Currently doesn't as all permanent patches have been full patch versions.

    I can only recall 3 incidents in my time here. 2 of them were the flash uploader and another was a flaw in PHP itself. None of them were directly XenForo related. If a serious issue comes up, the patch is usually available with instructions, but a day or two later all the vetted fixes are released with the vulnerability patch anyway.
  19. OttoBomb

    OttoBomb Member

    I asked if the current patch level was displayed, it is not if the patch alone is applied. Being informed of an outstanding unpatched vulnerability in the ACP is a separate but very important item also.

    Sorry for the semantics here, but I need to get very specific info, which I now have. Thanks to all!
  20. Jon W

    Jon W Well-Known Member

    Just to clarify, the Install and Upgrade by Waindigo add-on does not automatically alert you if your XenForo installation is out of date, although it does have the ability to do that and if there was a serious security breach we would certainly use the broadcast system included in that add-on to alert sites that needed to upgrade their installation.
