CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Chris Burgess

CiviCRM Security / Upgrade notifications
June 10, 2013, 08:25:27 pm
CiviCRM 4.3.4 is out today, and it's a security release. I think that the community would benefit from update notifications.

Currently the means of update notifications are (1) check the CiviCRM website or (2) see a notification on your CiviCRM dashboard. (There may be others, but if there are I didn't see them used for this security release.)

I'd like us as a CiviCRM community to think about how we should deliver update notifications when they happen, so our users know before bad guys get the drop on them.

civicrm-security@lists.civicrm.org is "Mailing list for CiviCRM security notices. Low volume moderated list". This list says it has 503 subscribers (I'm one) but hasn't been sent a notice for any recent security fix that I've seen. This list could easily be converted to a CiviMail mailing list, and integrate with a "Do you wish to receive (security|upgrade) notifications by email?" option on the "Register your site" form on CiviCRM.org.

The CiviCRM twitter account deserves a notice, because it reaches a lot of people.

And the News & Announcements forum receives notices for some releases, so I guess we'd want to advise people of a security release there too.

What else can you think of that would help get the word out, and help people keep their CiviCRM sites secured?
@xurizaemon ● www.fuzion.co.nz

totten

Re: CiviCRM Security / Upgrade notifications
June 11, 2013, 07:07:29 am
I've updated our release checklist to mention posting to Twitter ( http://wiki.civicrm.org/confluence/display/CRM/Release+checklist ).

For sending out email notifications, it does seem like a good idea to migrate from civicrm-security@lists.civicrm.org to something based on CiviCRM. I don't think we'd want to maintain two separate lists, so we'd shut down civicrm-security@lists.civicrm.org after setting up a subscription mechanism on civicrm.org.

Michael McAndrew

Re: CiviCRM Security / Upgrade notifications
June 11, 2013, 09:52:59 am
Hey there,

We are adding a sign up to our newsletter block to civicrm.org soon (next few days). We can potentially include it in that workflow.

Might be easier to think about what it looks like once you have seen the live site.

Potentially, we could include this
* on / near the newsletter sign up block
* in the confirmation message
* in the footer of civicrm's monthly newsletter

Also, there is the little known http://civicrm.org/civicrm/mailing/subscribe?gid=120 (where 120 is the ID of the mailing list), so you can direct people to a page where they can sign up for that mailing list (and no others).

Michael

Coleman Watts

Re: CiviCRM Security / Upgrade notifications
June 11, 2013, 10:07:08 am
Currently we have an in-app notification popup that lets you know there's a new version available. If so, the message gets displayed to admin users once a day until they upgrade.
I think it would be great if that message could somehow distinguish between regular updates and security updates.

Chris Burgess

Re: CiviCRM Security / Upgrade notifications
June 11, 2013, 11:26:26 am
Quote from: Michael McAndrew on June 11, 2013, 09:52:59 am
We are adding a sign up to our newsletter block to civicrm.org soon (next few days). We can potentially include it in that workflow.

...

Also, there is the little known http://civicrm.org/civicrm/mailing/subscribe?gid=120 (where 120 is the ID of the mailing list), so you can direct people to a page where they can sign up for that mailing list (and no others).

Yes - just got a copy of the June newsletter as well, which went out to this group. That would have been an ideal way to get the word out, but mention of the security update didn't make it into the newsletter this time around.

Coleman - that would be a useful feature, yes. IMO being able to subscribe for notifications helps get the message to the people who need it in a timely manner - the people who need to know about a security upgrade don't necessarily get to see the admin dashboard on the relevant install. Another feature which we could add there would be sending an email to the site admin notifying of the need to upgrade.

Notification features added to future versions won't help people running vulnerable versions today; firing off a quick email to civicrm-security or mentioning it in the newsletter might.

Perhaps we also need to add getting updates to sources like the Joomla Vulnerable Extensions List as part of our community disclosure process?


jcasharpe

Re: CiviCRM Security / Upgrade notifications
June 11, 2013, 01:58:22 pm
On the point of security issues; is there a page outlining how to safely disclose a security issue? Drupal has this page: https://drupal.org/node/101494 which could be used as an example to follow.

Chris Burgess

Re: CiviCRM Security / Upgrade notifications
June 11, 2013, 02:01:27 pm
There isn't, yet, and there needs to be - we've been discussing this recently.

The 4.3.4 release has raised lots of issues around security coordination and process for us - I'll write up some notes and post on the blog soon.
