The 6.2.6 and 7.0.1 CE, PE and EE versions of DotNetNuke have been released. The release notes can be found here
These releases fix three security issues. Two of these are rated as “low” and one is rated as a "critical" security issue.
The bulletins can be read at
We would like to thank the following for responsibly disclosing issues to our security team, and allowing us the time to resolve them.
As always we recommend you upgrade as soon as possible, particularly as this release contains a “Critical” fix.
During this release cycle we also worked with a security researcher, Vinesh Redkar, on a potential problem. Whilst we were able to confirm his findings, the bug relied on legacy user agents that are outside our supported configuration. As the risk level was “low”, required a number of steps that are not possible with a default install, and the change could impact functionality, no change was made. However we would like to thank Vinesh for responsibly disclosing the issue to us and allowing us the time to work through it.
If you're new to upgrading I recommend you read the "detailed installation guide" found here , and the excellent blog entry from Erik here . For users who are running 4.6.2 or above, I recommend you read this blog entry which details how to use the upgrade package to easily merge any web.config changes.
You can read more details about these issues and our security policy here