All Eveliko clients were patched (CVE-2017-9248) last week
As some of you may know, there was a security issue in Telerik.Web.UI.dll, an assembly that is distributed with Sitefinity.
More information about CVE-2017-9248
All projects on active support were patched on the same day.
Some clients that handle the infrastructure on their side received instructions over email and were guided over calls and chats (whatever is available in their restricted environments basically, we're flexible :) ).
The last large client was patched Tuesday (government entity, multiple websites on different Sitefinity versions, so a bit more time to apply the patch).
Basic tests were performed as well.
Some interesting notes on timing.
We reacted on the same day.
Financial and government institutions received emails with the steps they need to perform right away. We helped them in any way we could with applying the patches, as they have different needs and are subject to different regulations (mostly security restrictions that make it trickier to apply patches and some procedures that must be followed).
Long term clients
Some of them already have UI test coverage of the critical functionality built into the CI, so we knew it was working when it went to their stage and then we knew it worked on production (only passive tests, e.g. no data change) as well.
UI tests tell us (in less than an hour after the code is pushed) that what's really important does work.
I am writing this post as there is a follow-up email on that subject from Progress. The issue is the same and was handled last week, so no need to worry about it.