CiviCRM Security / Upgrade notifications

[Chris Burgess]

CiviCRM 4.3.4 is out today, and it's a security release. I think that the community would benefit from update notifications.

Currently the means of update notifications are (1) check the CiviCRM website or (2) see a notification on your CiviCRM dashboard. (There may be others, but if there are I didn't see them used for this security release.)

I'd like us as CiviCRM community to think about how we should deliver update notifications when they happen, so our users know before bad guys get the drop on them.

civicrm-security@lists.civicrm.org is "Mailing list for CiviCRM security notices. Low volume moderated list". This list says it has 503 subscribers (I'm one) but hasn't been sent a notice for any recent security fix that I've seen. This list could easily be converted to a CiviMail mailing list, and integrate with a "Do you wish to receive (security|upgrade) notifications by email?" option on the "Register your site" form on CiviCRM.org.

The CiviCRM twitter account deserves a notice, because it reaches a lot of people.

And the News & Announcements forum receives notices for some releases, so I guess we'd want to advise people of a security release there too.

What else can you think of that would help get the word out, and help people keep their CiviCRM sites secured?

[totten]

I've updated our release checklist to mention posting to Twitter ( http://wiki.civicrm.org/confluence/display/CRM/Release+checklist ).

For sending out email notifications, it does seem like a good idea to migrate from civicrm-security@lists.civicrm.org to something based on CiviCRM. I don't think we'd want to maintain two separate lists, so we'd shutdown civicrm-security@lists.civicrm.org after setting up a subscription mechanism on civicrm.org.

[Michael McAndrew]

Hey there,

We are adding a sign up to our newsletter block to civicrm.org soon (next few days). we can potentially include in that workflow.

Might be easier to think about what it looks like once you have seen the live site.

Potentially, we could include this
*on / near the newsletter sign up block
* in the confirmation message
* in the footer of civicrm's monthly newsletter

Also, there is the little known http://civicrm.org/civicrm/mailing/subscribe?gid=120 (where 120 is the ID of the mailing list so you can direct people to a page where they can sign up for that mailing list (and no others).

Michael

[Coleman Watts]

Currently we have an in-app notification popup that lets you know there's a new version available. If so, the message gets displayed to admin users once a day until they upgrade.
I think it would be great if that message could somehow distinguish between regular updates and security updates.

[Chris Burgess]

We are adding a sign up to our newsletter block to civicrm.org soon (next few days). we can potentially include in that workflow.

...

Also, there is the little known http://civicrm.org/civicrm/mailing/subscribe?gid=120 (where 120 is the ID of the mailing list so you can direct people to a page where they can sign up for that mailing list (and no others).

Yes - just got a copy of the June newsletter as well, which went out to this group. That would have been an ideal way to get the word out, but mention of the security update didn't make it into the newsletter this time around.

Coleman - that would be a a useful feature, yes. IMO being able to subscribe for notifications helps get the message to the people who need it in a timely manner - the people who need to know about a security upgrade don't necessarily get to see the admin dashboard on the relevant install. Another feature which we could add there would be sending an email to the site admin notifying of the need to upgrade.

Notification features added to future versions won't help people running vulnerable versions today; firing off a quick an email to civicrm-security or mentioning it in the newsletter might.

Perhaps we also need to add getting updates to sources like the Joomla Vulnerable Extensions List as part of our community disclosure process?

[jcasharpe]

On the point of security issues; is there a page outlining how to safely disclose a security issue? Drupal has this page: https://drupal.org/node/101494 which could be used as an example to follow.

[Chris Burgess]

There isn't, yet, and there needs to be - we've been discussing this recently.

The 4.3.4 release has raised lots of issues around security coordination and process for us - I'll write up some notes and post on the blog soon.