Critical DNN 9.x Security Release Thanks to Community Sponsorship

DNN Runs On Sponsors Like You

Open source projects come with many pros, such as cost-effectiveness, flexibility and customization, and community collaboration. They also come with some challenging cons: a lack of dedicated support, strain on maintainers and volunteers, and the sheer amount of time it takes to design, develop, and test changes and improvements before they can be released.

Open source projects aren't truly free, and helping sponsor the community can make a huge difference, even if it's just a few dollars a month or sponsoring a specific improvement. Sponsoring can be as easy as checking whether any of the project maintainers have GitHub Sponsors enabled. Sponsorship can lead to faster upgrades, tighter security, and modernization of the project.

Many sites found an urgent need to upgrade to DNN 10 after critical security vulnerabilities were remediated in the 10.x versions. However, the scope of changes required to get to DNN 10 was prohibitive for many organizations in the short term, so there was a desire for a DNN 9.x version carrying the security fixes from DNN 10.x. DNN has never back-ported security fixes and did not have a process for doing so. Also, once the core maintainers have already upgraded their own sites to 10.x, they have no direct need for such a fix, so there is less incentive for anyone to take on that work.

Get the release today

Engage & Client Co-Sponsor Contribution

Recently, a client of ours made a financial commitment in partnership with Engage to tackle this needed improvement and bridge the gap between DNN 9 and 10. Beyond meeting their own security needs, by co-sponsoring an open source maintainer they provided a benefit to the whole ecosystem, and hopefully inspired others to make similar contributions.

In this particular case, the work was made more difficult because it wasn't just any feature: security was on the line. As a team of maintainers, what we definitely don't want to do is release security fixes that make the ecosystem less secure by revealing how to exploit sites that haven't upgraded yet. We do our best to juggle the openness of open source with the secrecy demands of security. Back-porting fixes requires knowing the vulnerabilities and the fixes in the first place, which we avoid publicizing. As the author of most of the original fixes, it made the most sense for Engage's CTO Brian Dukes to author the backport release.

What this Means to You

You may not be able to upgrade to the latest version of DNN if you're using modules that were written against code removed in DNN 10. This includes older open source modules such as the Events module, commercial modules (which may just need to be upgraded to a newer version), and custom modules, themes, or other extensions.

Sites on DNN 9.13.9 or lower are vulnerable to a variety of attacks, including bypassing IP address filters, exposing credentials to SMB shares, overwriting site content, and several cross-site scripting (XSS) attacks (which could let an attacker take actions as though they were the user exposed to the XSS). DNN 9.13.10 back-ports the fixes for these from 10.x, so if you are staying on 9.x, that is the minimum version to be on.
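A practical first step is an inventory check: which of your sites are still at or below 9.13.9? The script below is an added example (not code from this post, the DNN project, or Engage). It assumes you have already gathered each site's version string yourself, for example from the Host Settings page, and it compares versions numerically rather than as text, because as plain strings "9.13.9" sorts after "9.13.10" and would wrongly look patched. The post gives no minimum 10.x version, so 10.x sites are not flagged here; that is an assumption, and those sites should be checked against the 10.x release notes.

```python
"""Flag DNN sites that still need the 9.13.10 security back-port.

Added example, not code from the DNN project or from Engage. The inventory
below is constructed sample data; replace it with your own site list.
"""

# Per the post: everything at or below 9.13.9 carries the unfixed
# vulnerabilities, and 9.13.10 is the first 9.x release with the fixes.
PATCHED_9X = (9, 13, 10)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.13.9' (or '09.13.09.0') into a comparable tuple of ints.

    Raises ValueError on anything that is not dotted integers so a typo in
    the inventory fails loudly instead of silently counting as patched.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a DNN version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    # Pad to at least three components so '9.13' compares like '9.13.0'.
    return nums + (0,) * max(0, 3 - len(nums))


def needs_backport(version: str) -> bool:
    """True when the site is below 9.13.10, i.e. vulnerable per the post.

    Assumption: 10.x sites are not flagged because the post does not state a
    minimum 10.x version; verify those against the 10.x release notes.
    """
    return parse_version(version) < PATCHED_9X


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Split an inventory of (site, version) pairs into three buckets.

    'needs_backport' and 'ok' are decided numerically; anything whose version
    string cannot be parsed lands in 'unparsed' so it is never assumed safe.
    """
    buckets: dict[str, list[str]] = {"needs_backport": [], "ok": [], "unparsed": []}
    for site, version in inventory:
        try:
            flagged = needs_backport(version)
        except ValueError:
            buckets["unparsed"].append(site)
            continue
        buckets["needs_backport" if flagged else "ok"].append(site)
    return buckets


# Constructed sample inventory; the site names and versions are made up.
INVENTORY = [
    ("intranet", "9.13.9"),   # last vulnerable 9.x release
    ("store", "9.13.10"),     # the back-port release
    ("blog", "9.2.1"),        # old 9.x, well below the threshold
    ("docs", "10.1.0"),       # 10.x, not flagged here (see assumption above)
    ("legacy", "unknown"),    # bad data must not pass as patched
]

if __name__ == "__main__":
    for bucket, sites in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(sites) or '-'}")
```

Run it and the "needs_backport" line is your upgrade list; anything under "unparsed" needs its version confirmed by hand before you trust the result.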

Hopefully your sites are already upgraded to DNN 10, but if you need to catch your breath before making the leap, DNN 9.13.10 is there for you, thanks to open source sponsorship and community support. Engage has a deep history of sponsoring and staying actively involved in the DNN community, with almost 1500 commits over the last 12 years. If you need help with your DNN solution or other open source projects, please reach out to us and see how we can make a difference together.
