CiviCRM Community Forums (archive)

"You can keep up with the latest security advisories by reguarly visiting http://civicrm.org/advisory or subscribing to the feed."

- http://civicrm.org/blogs/colemanw/security-releases-civicrm-4212-437-44beta4

We can do better than this.

CiviCRM has both a Mailing list for CiviCRM security notices, and a larger list of people who have registered their site and checked the "I want to be informed about new releases and major news about CiviCRM". Neither of these groups of people received an update notice with CiviCRM 4.3.7.

Personally, I'd err on the side of caution - CiviCRM 4.3.7 is an anonymous SQLi, and EVERY site should be notified before they get popped.

If we emailed EVERYONE, offended one or two people that would prefer not to receive an email and secured a few more sites today, I'd prefer that to the alternative.

Yes, CiviCRM sites deliver update notifications if they are configured to do so. That message reaches logged-in CiviCRM users (provided they check, have the permissions to see the message, and understand enough to take some action). The blog delivers messages to people who subscribe or visit the website. Twitter reaches a lot of people in a shallow way.

But email notifications are -

• cheap and easy to do (especially when we have a tool for email notifications!),
• a service we claim to offer,
• able to reach a much wider audience,
• ubiquitous (everyone, everyone, everyone who administers a CiviCRM site has an email address)
• a medium which integrates well with software management (email => a new issue in your org's Trac, Jira etc)

The security announcement is on the blog and on Twitter, but not in the "News & Announcements". There are probably other places it might or might not be mentioned. If you subscribe to an RSS feed of the blog, you might catch this ... provided you check in time, and don't miss it in the maelstrom of other feeds you read. To my mind, for security updates email notifications are a core service and RSS or Twitter feeds are nice to haves.

With so many forums today (g+, facebook, what have you) it's a lot of work to keep lots of networks up to date - I appreciate that. However, I think we as a community would do well to put a bit of effort into making sure we put a bit more effort into delivering "less welcome" news that is urgent, like security release notifications, to the people who have asked for it.

I'd be happy to contribute code to the CiviCRM site so that any new node tagged "security-advisory" is turned into a CiviMail which goes out to members of (1) the civicrm-security email list (2) people who checked "update me about new releases". We've done this for a client with press releases and it works great for them; we should use it ourselves for this.

Previous discussions (there may be more). The second below has 11K views ...

• Security and mailing lists?
• how to get information about security updates
• CiviCRM Security / Upgrade notifications (from me, re 4.3.4 update)
• Security mailing list?

I'd be happy to contribute code to the CiviCRM site so that any new node tagged "security-advisory" is turned into a CiviMail which goes out to members of (1) the civicrm-security email list (2) people who checked "update me about new releases". We've done this for a client with press releases and it works great for them; we should use it ourselves for this.

Awesome! Do you have the necessary permissions on the server? Let me know what you need.

I made two suggestions:

1. while I realize providing a patch early to providers may be disagreeable, at least a "hey there will be a security release tomorrow. end of line" will be useful for scheduling

2. re-evaluate the 'hints' we give publicly on how an exploit might be exploited, keeping in mind it will appear on google rather rapidly.  I realize a seasoned hacker will reverse engineer the patch, but we don't want to make it easy on rookies by giving them starting instructions.