I am happy to announce the release of DotNetNuke 5.5.1. This release includes many bug fixes for the most critical issues identified in DotNetNuke 5.5.0, which we released last month. As a result of the recent ASP.Net Padding Oracle Vulnerability, which was discussed by Shaun Walker and Cathal Connolly in their recent blogs, we have added checks and upgrade enhancements in this release to ensure that DotNetNuke sites running the latest version are using the recommended customErrors configuration.
As we have noted in many of our recent releases, we continue to increase our Quality Assurance efforts with each release. Given the critical nature of the ASP.Net vulnerability, we paid extra attention to more than 40 different upgrade scenarios to increase the stability and reliability of the upgrade process, and to ensure that once upgraded your site would be protected. As always, even for those unfortunate few who have issues upgrading, the community stands ready to assist you with any problems you may encounter. We highly recommend that everyone upgrade to the DotNetNuke 5.5.1 release as soon as possible. For those who are unable to upgrade their sites, we anticipate making a standalone module available later this week that provides the same benefits against the padding oracle vulnerability as the core enhancements made in 5.5.1.
You can find out more information about all of the issues fixed in this release on the changelog.
Major Highlights
- Added feature to detect if a site is not running the suggested customErrors configuration to mitigate the ASP.Net Padding Oracle Vulnerability.
- Updated the default web.config to use the recommended customErrors settings to mitigate the ASP.Net Padding Oracle Vulnerability.
- Fixed Sitemap Provider so it only returns one page when multiple languages are enabled and Content Localization is not enabled.
- Fixed Telerik File Manager to make files stored using database folders visible to the user.
- Fixed issue where module developers using custom aspx pages that inherit from basepage and use codeblocks get an exception.
- Fixed issue where the locale was not properly reflecting the querystring and the user's browser or portal settings.
- Fixed issue where users were not granted proper permissions for the Templates folder on install.
- Fixed issue where missing objectqualifier would cause upgrade script to fail.
- Updated the URL parser to take port 443 and SSL into consideration. It is no longer necessary to turn off human friendly or use-port number in web.config.
- Fixed behavior of Language detection when Content Localization is not enabled.
- Updated update tab logic to take host tabs into consideration.
- Fixed install template to ensure content localization is defaulted to off for new installs.
- Updated the warning dialog confirmation box to show the user name and the role that the user is being removed from.
- Fixed issue where tab hierarchy was not displayed properly when the tab level was changed in the tab hierarchy.
- Fixed issue where translators were not given the proper edit permissions when content localization was enabled.
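The first two highlights concern checking a site's customErrors section. The following is an added example, not DotNetNuke's own detection code, of auditing a web.config for that section. The criteria it applies (mode not "Off", a single defaultRedirect page, no per-status `<error>` children, and redirectMode="ResponseRewrite" on .NET 3.5 SP1 and later) are assumptions taken from Microsoft's published workaround guidance for the padding oracle issue, and the sample configs are constructed.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop an XML namespace prefix such as "{uri}customErrors"
    return tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml, net35sp1_or_later=True):
    """Return findings for <customErrors>; an empty list means no issue was found."""
    root = ET.fromstring(web_config_xml)
    sections = [e for e in root.iter() if _local(e.tag) == "customErrors"]
    if not sections:
        return ["no <customErrors> element: no single error page is configured"]
    findings = []
    for ce in sections:
        # ASP.NET treats a missing mode attribute as RemoteOnly
        mode = ce.get("mode", "RemoteOnly")
        if mode.lower() == "off":
            findings.append('mode="Off": detailed errors are returned to remote clients')
        if not ce.get("defaultRedirect"):
            findings.append("defaultRedirect missing: errors are not mapped to one page")
        if any(_local(child.tag) == "error" for child in ce):
            findings.append("per-status <error> pages: responses differ by error type")
        # Assumed criterion: only applies to .NET 3.5 SP1 and later
        if net35sp1_or_later and ce.get("redirectMode") != "ResponseRewrite":
            findings.append('redirectMode is not "ResponseRewrite"')
    return findings

# Constructed sample: settings the workaround guidance warns against
WEAK_CONFIG = """<configuration><system.web>
  <customErrors mode="Off">
    <error statusCode="404" redirect="~/404.aspx" />
  </customErrors>
</system.web></configuration>"""

# Constructed sample: one error page for every failure (page name is hypothetical)
RECOMMENDED_CONFIG = """<configuration><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite"
                defaultRedirect="~/ErrorPage.aspx" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_CONFIG), ("recommended", RECOMMENDED_CONFIG)):
        print(name, audit_custom_errors(xml) or "OK")
```

Pass `net35sp1_or_later=False` when auditing a site on an older framework version, where the redirectMode attribute is not available.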
Security Fixes
Updated Modules/Providers
The following modules and providers have been updated in the 5.5.1 packages. Please see the specific project pages for notes on what bugs or enhancements were corrected with each release.
Modules
Providers
NOTE: As with any release, we recommend you perform a complete file and database backup before performing any upgrade on a production website and that you first conduct a trial upgrade on a staging version of the site. Following these guidelines will ensure that you are able to recover should any unforeseen problems arise during the upgrade process.