Security Patch Reporting

[OttoBomb]

I'm currently using IPB, the security patch system there is awful. If a security patch is released, they make an announcement in your AdminCP, and the announcement stays up for about a month. It does not go away if you patch the software for the flaw, nor does the software itself indicate version number or patch level.

How does XF handle security patches and their reporting?

 

[Paul B]

There is no equivalent of that in XF.

Generally releases are just regular releases.

 

[borbole]

How does XF handle security patches and their reporting?

If a patch is issued, then a topic is posted in the Announcements forum and then all customers receive an email notifying them about it.

 

[OttoBomb]

Is there a process for reporting this in the AdminCP? If there is more than one site admin, how would he/she know if the patch is applied? A version number/patch level indicator in the admin area seems like an easy way to do this.

So it appears XF does patch reporting like IPB, announcements and email notifications with no internal reporting. vB has clear patch level reporting within the AdminCP itself, and I'd suggest XF do the same. It would save a lot of frustration for people who run multiple sites, and/or have multiple admins.

 

[Paul B]

XenForo makes no callbacks/forwards at all, so nothing is ever communicated via the ACP.

The version is displayed in the ACP.

 

[OttoBomb]

Sorry to be so specific, this is a major pain point for me and I want to be 100% sure.

The version is displayed in the ACP.

If the version # is displayed in the ACP, does this mean the current patch level displayed in the ACP? Or are patches simply "upload the new files and you are safe"?

 

[Paul B]

XF versioning follows the principle of first, second, and third point releases.

The current version is 1.4.7.

The next third point release would be 1.4.8.
The next second point release would be 1.5.0.
The next first point release would be 2.0.0.

 

[OttoBomb]

I'll re-state the question. What happens if:

1) XF discovers a security vulnerability.
2) They release an patch to remedy the vuln.
3) An admin downloads the patch and applies to their site.

Will another admin who has not communicated directly to the first admin (the one that applied the patch) be able to determine independently from within the ACP that the patch was applied?

 

[Paul B]

Perhaps this will answer your questions.

https://xenforo.com/community/threa...s-1-2-7-1-3-6-and-1-4-1-includes-patch.83256/

 

[OttoBomb]

So the 2nd admin will not be able to tell then.

Thanks for the info.

 

[Paul B]

They will if the upgrade version is installed.

 

[OttoBomb]

I should hope a full upgrade would come with a new version number. I was just hoping that an applied patch would also be indicated.

 

[TPerry]

The "applied patch" is normally just a modified .php file or .swf file (in the two main cases I remember).
The best process is when a point release (which is what will happen typically if a security vulnerability is found) is released, install the point upgrade (and not the patch file). Then you see the version number in the ACP when you log in.

 

[OttoBomb]

Patching is always better, but no reason to go through that process especially when the fix is uploading one file a process that takes 15 seconds start to finich, especially when admins are busy.

Seems like an exceptionally simple include that would help some members. Yes, security patches are rare, but exposed sites are mini-crisis points for the admins. Wouldn't it be good to make that process as clear and unconfusing as possible?

 

[Jake B.]

You can always use the Install & Upgrade Add-on by @Jon W. IIRC it tells you when there is a new XF version in the ACP.

 

[OttoBomb]

So XF does not inform you of a new version in the ACP by default?

 

[Jake B.]

Nope, as was stated several times above.

 

[rainmotorsports]

The internal versioning system does account for patch level so if they ever decide to patch as such it can be displayed. Currently doesn't as all permanent patches have been full patch versions.

I can only recall 3 incidents in my time here. 2 of them were the flash uploader and another was a flaw in php itself. None of them directly Xenforo related. If a serious issue comes up the patch is usually available with instructions but a day or two later all the vetted fixes are released with the vulnerablility patch anyways.

 

[OttoBomb]

Nope, as was stated several times above.

I asked if the current patch level was displayed, it is not if the patch alone is applied. Being informed of an outstanding unpatched vulnerability in the ACP is a separate but very important item also.

Sorry for the semantics here, but I need to get very specific info, which I now have. Thanks to all!

 

[Jon W]

Just to clarify, the Install and Upgrade by Waindigo add-on does not automatically alert you if your XenForo installation is out of date, although it does have the ability to do that and if there was a serious security breach we would certainly use the broadcast system included in that add-on to alert sites that needed to upgrade their installation.