I think the people responsible are not thinking in terms of the path to information.
I was reading modx reviews on opensourcecms.com -
one of the posts referred to a site so I went to it.
It had a message on their site that said Ajaxsearch has a security problem.
I don’t take their word for it, so I come here.
I find that it’s a real problem.
So I look at the post on how to fix it and I see:
You need to take immediate action to protect your site(s).
For 0.9.6.1
Go to http://svn.modxcms.com/trac/tattoo/changeset/3281 and you can choose from three options for applying the changes to your existing installations: download the zip archive from the link at the bottom (http://svn.modxcms.com/trac/tattoo/changeset/3281?format=zip&new=3281) and overwrite your existing files, get the unified diff (http://svn.modxcms.com/trac/tattoo/changeset/3281?format=diff&new=3281) and apply as a patch, or apply the diffs detailed on the page manually.
But those don’t work, so I read on, and it says upgrade, the new version has the patch. OK, what does that mean???
Do I have to reinstall? Do I upgrade just the snippet?
Now I don’t know what to do. What if I try to do the right thing and now my site doesn’t work because I changed the wrong program?
And what is a common user going to do with information like:
The last security patches cover the security vulnerabilities described here
That link doesn’t answer questions. It’s just another source.
I did download the latest version and now that you wrote:
If you download the last version = 1.7.0.2 from here, this version includes the last patches which correct the last security vulnerabilities (ajaxSearch and plugin Highlight).
Now I know that it’s ok. I didn’t see that on the snippet authors site when I downloaded the upgrade.
I realize when this issue came up everything was very clear and formulated, but much like when you write some code that is clear and seemingly documented, the comments are relevant to the path you took to get to that point in the development. It’s based on your current state.
Anyway, something like a security risk procedure is not the same as "my menu font is wrong - help" and should be dated and well controlled, and when I need a clear definition of what the path is to remove the risk, I didn’t find one source of truth, but rather threads that didn’t answer what to do.
Sorry for the frustration but it’s frustrating.
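The second of the three options quoted above, "get the unified diff and apply as a patch", is the one that worries people most, because a patch applied to the wrong tree can leave a site half-changed. The script below is an added example, not code from this post or from the MODx project: it shows how to apply such a diff the careful way, with a dry run before anything is written, a tar backup of exactly the files the diff touches, and a rollback if the real apply fails. The site tree, the file it patches and the diff itself are constructed stand-ins; the real changeset content is not reproduced here, and the assumed tools are GNU `patch` and `tar`.

```shell
#!/bin/sh
# Added example, not code from the forum post or from the MODx project:
# applying a vendor unified diff to a site tree the careful way. Check it
# with a dry run first, keep a backup of the files it touches, and roll
# back if the real apply fails. Every path and file body below is a
# constructed stand-in; the real changeset content is not reproduced.

# Build a throwaway "site" and a matching diff. Prints the work directory.
make_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/site/assets/snippets/ajaxSearch"
    printf 'line one\noriginal line\nline three\n' \
        > "$work/site/assets/snippets/ajaxSearch/sample.txt"
    # Unified diff in the shape a changeset page exports (paths for -p0).
    cat > "$work/fix.diff" <<'EOF'
--- assets/snippets/ajaxSearch/sample.txt
+++ assets/snippets/ajaxSearch/sample.txt
@@ -1,3 +1,3 @@
 line one
-original line
+patched line
 line three
EOF
    printf '%s\n' "$work"
}

# List the files a diff touches, relative to the site root.
patched_files() {
    sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$1"
}

# apply_patch_safely SITE DIFF
# Returns 0 if the patch applied, 1 if the dry run rejected it (site left
# untouched, e.g. wrong version or already patched), 2 if the real apply
# failed and the backup was restored.
apply_patch_safely() {
    site=$1
    diff=$2
    # -f: never prompt, never guess that a patch is reversed; --dry-run: write nothing.
    if ! patch -p0 -f -s --dry-run -d "$site" -i "$diff" >/dev/null 2>&1; then
        return 1
    fi
    backup="$site.backup.tar"
    ( cd "$site" && tar -cf "$backup" $(patched_files "$diff") )
    if ! patch -p0 -f -s -d "$site" -i "$diff" >/dev/null 2>&1; then
        ( cd "$site" && tar -xf "$backup" )
        return 2
    fi
    return 0
}

# rollback SITE: restore the files saved by the last apply_patch_safely.
rollback() {
    ( cd "$1" && tar -xf "$1.backup.tar" )
}

# Demo when run directly: first apply succeeds, a second apply is refused
# by the dry run because the hunk no longer matches, then roll back.
work=$(make_fixture)
apply_patch_safely "$work/site" "$work/fix.diff" && echo "first apply: ok"
apply_patch_safely "$work/site" "$work/fix.diff" || echo "second apply: rejected by dry run (status $?)"
rollback "$work/site"
cat "$work/site/assets/snippets/ajaxSearch/sample.txt"
```

The dry run is what answers the "did I change the wrong program" question: if the hunks do not match the files on disk (different version, or the fix already applied by an upgrade), `patch` reports failure and nothing is written. The backup archive stays next to the site directory so the change can be reversed later without reinstalling.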