Out of contract security patches

Andy Harrison August 27, 2012

We currently have an active support license for the download edition of Jira. I was wondering what would happen once our license expires if another issue crops up like the one in today's security alert?

On the Atlassian site it talks about renewing your software maintenance as being entirely optional (http://www.atlassian.com/licensing/purchase-licensing#softwaremaintenance-2) and talks about giving you new features and online support - but no mention of security fixes.

I'd hope that critical security patches would be released to everyone, regardless of support contract status, at least for a reasonable lifetime of the product ... but I can't find a clear statement either way.

2 answers

Answer accepted

Harry Chan (Rising Star) August 27, 2012

As per your link, "After the first 12 months, your software maintenance will expire and you will no longer be able to receive technical support or software updates."

I think it depends on the nature of the security patch. In instances where I've seen only particular jars are patched, you can easily do that, but when it's a totally new version release then you'd need a license.

Andy Harrison August 27, 2012

The security advisory today seemed pretty serious (potential admin access for non-account holders), and came with some links to patches for older releases, so I guess you'd be able to apply those without a current license? ... but would we still have been sent the security alert emails to even find out about the issue?

Harry Chan (Rising Star) August 27, 2012

Hi, are you referring to the Bamboo security issue? https://jira.atlassian.com/browse/BAM-12066 - the one here is definitely a patch on some files. As it's not a version upgrade, it should be fine.

Edit: same for JIRA https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-08-28 - provided you're on a version that can be patched. Edit: however, this JIRA one does need upgrading to JIRA 5.1. Not all the issues can be solved by patching.

Andy Harrison August 27, 2012

It was this one in particular (one of the issues in the Jira advisory you linked to) that'd concern me the most: https://jira.atlassian.com/browse/JRA-29403.

When out of contract would we still get these security advisory emails so we could at least look into whether a patch is available, and if not weigh up the pros/cons of renewing the license for an upgrade? Or would we only find out if we got hacked?

Harry Chan (Rising Star) August 31, 2012

I'd be worried too, but even more problematic is that we'll have issues upgrading due to plugins that we use. I think this is the same with most companies though - support/updates are subscription based. Nothing I see out of the norm.

Andy Harrison September 2, 2012

I understand that updates would only be available to users with a current/active subscription. Like you say, there's nothing out of the ordinary there. I was just looking for some clarity. It'd be nice if the benefits of renewing software maintenance in the licensing FAQ could be reworded as 'If you're after new features, ever improving usability, critical security patches and the latest innovations in issue tracking ...' ;)

There's still the issue of (when the support subscription expires) not being made aware of critical security issues that could be worth re-subscribing to address (or to find out about available workarounds for those not able to update), but it looks like that can easily be solved by putting a watch on this page: https://confluence.atlassian.com/display/JIRA/Security+Advisories ... so, that's what I've done.

JamieA (Rising Star) September 2, 2012

I don't think Atlassian would restrict security patches based on being in contract or not. The last thing they want is stories about their software being hacked, like the ASF one. As Harry said the security patches are just patches, providing the version you use is still in the support window you should be able to install it.

My point really is that it would be entirely counter-productive for Atlassian to deny access to security patches, so you should probably not worry.
