The 5.6.7 and 6.1.3 CE and PE/EE versions of DotNetNuke have been released. The release notes can be read at DotNetNuke 6.1.3/5.6.7 Released.

The 5.6.7 release contains only one security fix (as per our Sunsetted releases policy, which can be read here), which is rated “critical”. The bulletin for 5.6.7 can be read here:

The 6.1.3 release contains two security fixes, one of which was in 5.x and one of which was introduced in the 6.x branch. The bulletins for 6.1.3 can be read here:

Please note, we had an additional report of another issue shortly after the 6.1.2 release; however, that had already been resolved inadvertently by an unrelated bug fix. As such, this issue was resolved with the 6.1.0 release (it involved code introduced in the 6.x branch and does not impact 5.x). Whilst no code was changed in the 6.1.3 release, we have chosen to publish a bulletin anyway to make users aware of it and to allow us to acknowledge the security researchers who raised the issue.

As both 5.6.7 and 6.1.3 contain a “Critical” fix, we recommend you upgrade as soon as possible. If you're new to upgrading, I recommend you read the "detailed installation guide" found here, and the excellent blog entry from Erik here. For users who are running 4.6.2 or above, I recommend you read this blog entry, which details how to use the upgrade package to easily merge any web.config changes. The wiki also has a guide on upgrading, and the video section has a number of free videos on both installing and upgrading.

You can read more details about these issues and our security policy here.

Acknowledgements

We would like to thank Brandon Haynes, Ben Zhong, Richard Lundeen of Microsoft and Microsoft Vulnerability Research (MSVR) and Mark Litchfield from NGSSecure for responsibly disclosing the issues to us and allowing us to ensure updated releases were available that resolved them.