This DNN release is extremely important. It resolves a dozen of security issues which have so far only been managable if you were an expert. Please read on...
First: This is Serious. Update Now.
Before I dive into all the things you should know about, the most important thing is this:
THIS IS REALLY SERIOUS
YOU SHOULD REALLY, REALLY UPDATE
Plus added bonus: The updated sites feel 30-50% faster 🥳😍💓🚀🤘🏾
👉🏼 At the bottom of this blog we have an FAQ which we continously update.
Major Telerik Security Issues
DNN History 101 🎓
To understand why this is so important, we need to get a bit of history.
Around 10 years ago DNN entered an agreement with Telerik to bundle Telerik components as part of the otherwise open-source DNN platform. The idea sounded good at that time: The most popular CMS bundles the most popular .net Components, resulting in increased value for DNN users and a chance to reach new customers for Telerik.
DNN used these components in everything - from the built-in WYSIWYG editor to the file-manager and more.
But then things went ⬇️
The agreement expired in 2013. At that time, the components were very baked into DNN and there was no quick way to separate. So DNN had to continue to bundle that last version and couldn't update any more. It didn't seem too bad, as the components were great and loved by most users.
What nobody had anticipated then: With time, security holes were found - and patched.
But not in DNN.
The same security holes which were found, fixed and announced publicly were not fixable in DNN, because it couldn't update the components. Even customers paying Telerik couldn't update, because the DNN edition actually had some modifications and was not compatible.
Under pressure, Telerik actually helped out with a few patches, because the publicity was bad. That helped out a bit, but the truth was that the situation wasn't ever really stable.
Only very experienced DNN experts were able to make all the changes necessary to keep the system closed. Others didn't even know they were vulnerable.
A Public Secret 🕵🏻
Just in case you hadn't been aware of this - it was always communicated openly - like in Mitchel Sellers blog from 2 years ago. And any new install of DNN would usually already patch up as much as possible. So you were usually mostly ok. But it just was not a good setup.
Since v9.8 released in October 2020 it has been possible to remove Telerik manually from your system, but it was very difficult. And if you had any third party plugin that required these components, you had to find replacements.
The Long Wait and the Big Release 🚀
You may wonder what took so long. The truth is: it was a LOT of work. Various parts of DNN had to be rebuilt from scratch (like the File Manager) and many plugins - both free and commercial - relied on Telerik to be present in the system.
This is what made it so hard - and what took so much time and effort.
But now the community finally achieved this milestone. We are all very grateful for the many people who did this, including Mitchel for his leadership and work, Daniel Valades, Peter Donker, David Poindexter and many more for their hundreds of hours of work!!!
Risk Management for 1 Dozen Security Bulletins
The security team of DNN released about a dozen security bulletins related to this release. Much of what was only known to insiders (and yes, all the bad guys already knew about this anyhow) will become even more public knowledge.
So basically this is not a zero-day patch: the problems have been around for a long time. But the solution is available now. Don't wait.
Main Risk: Third-Party Modules
There is one risk though: Some third party plugins may stop working. As far as I know, this includes the old FAQ module and also modules purchased from professional vendors.
We do have a temporary solution for you: upgrading won't force you to clean up Telerik. You can still keep it , but your security won't improve much then. So you can go step-by-step and buy some time, but you must act now.
By the way: most of the affected third party modules are really old and deserve to be retired anyhow.
For example, if you had one of these old modules, you could easily just install the meta-module 2sxc and some of the apps - which are usually way better than the obsolete version. Here some suggestions:
- For the old FAQ just grab the (free, awesome, open source, customizable, multi-language, etc.) FAQ App
- For any old galleries, get the (free, awesome, etc.) Gallery App using Fancybox 4
- Your glossary died? get the Glossary App
- News App or Blog? - you betcha!
- Courses / Events and Registration, Custom Forms, Image Swipers - all there for free, open-source and using the latest and greatest Razor technology
- ...and there is a LOT more - check out the Apps catalog
Update Now - We Really Tested This
You may be tempted to wait a while - and it's probably smart to give it a few days.
But I can assure you, we from the community really invested time into testing this, and we believe it's one of the best-tested releases of DNN ever.
And if you do update, and something breaks, you can count on us to release another version within days.
➡️ Get it from github now! (or continue reading below for FAQs)
With love from Switzerland,
FAQ - Continuously Updated
- Why is DNN 9.11 faster than the previous releases?
➡️ In case you noticed it feels 30-50% faster. This surprised us too 😉. Since we diligently updated most third party dependencies, we believe that it's because of enhancements in these external dependencies.
- I have a recent DNN and I've manually cleaned out Telerik. Should I Still update?
➡️ Yes. Telerik is our main focus, but there are other patches in there which will remain confidential. You will also enjoy the speed boost - we've seen 30-50% speed.
- Is it compatible with the latest 2sxc (14.7 LTS or later)?
➡️ We've tested it and everything looks great. So we're confident that everything just works, but until at least 1'000 installs in the wild are updated there is no guarantee. So for the first 2 weeks or so, be sure to first test-update.
- Is it compatible with older 2sxc releases?
➡️ For any version before v13 it should just work, but you should upgrade to v14 LTS
➡️ For v14.0 - 14.6 you will run into problems. This is not because of an incompatibility, but because of an issue related to the upgrade process itself, where DNN overwrites some DLLs. So just confidently upgrade to the latest LTS or newer, and then you're good to go.
- Is it compatible with the third party Modules of DnnSharp / PlantAnApp?
✅ According to PlantAnApp/DnnSharp this is now good to go. At first it was not compatible.
Problems when Updating - Continuously Updated
Are there any known problems I should know about? - yes!
- If you have a subportal which has a name instead of a number (portals/something instead of portals/2) then client dependency fails. So JS/CSS won't be loaded - see issue
🎓 Workaround: Disable client dependency till DNN patches this.
- Some admin-dialogs don't work yet - like the SQL editor - see issue
Update: the core team discussed these and a few other issues on 2022-10-04 and it should be fixed soon in a 9.11.1 release.