Experience Sitecore ! | January 2022

More than 200 articles about the best DXP by Martin Miles

Sifon 1.2.6 released with Sitecore 10.2 and Windows 11 support


It took me a month longer to conduct all the required testing for the software and plugins supplied by me (in fact I was also stuck in Africa on the festive break), but finally, the new version of Sifon is available!

You can download it from the Sifon.UK website, but the easier option would be using the Chocolatey package manager:

cinst sifon

For the moment it is the only software that can install Sitecore on Windows 11. Let's take a look at Release Notes for this version:

  • supports Sitecore 10.2, supports Windows 11. Supports Sitecore 10.2 ON Windows 11!
  • comprehensive testing has been done - many bugs fixed or refactored
  • plugins were updated, consolidated with main functionality and each other
  • it is now possible to mark a plugin with ### Requires Profile: false to make it run even without an active profile
  • a few features were temporarily suspended until they are improved
  • lots of new plugins including installers for the latest Horizon, SXA, Publishing Service 6.0 etc
  • added support for Solr 8.8.2 and fixed a minor bug in Solr (un)installation script, making it genuinely universal
  • added syntax to present (double)clickable URLs right in the output to help users with supporting info
  • added Get-SitecoreVersion function that returns either an object or a string with the current XP or XM release version
  • added Verify-NetCoreHosting function to ensure the minimum required .NET Core version (passed as a param) is present on a target system
  • since all the SQL Server activity goes through the SqlServer PowerShell module (as opposed to SQLPS), it is now added to Sifon prerequisites
  • and many more minor issues were tested and fixed

I also recorded a video showing how easily one could install Sitecore without having anything installed on the target machine (except SQL Server, which could of course be accessible over the network):

Hope you find it useful!

Applying vulnerability fix to containerized environments

This advice was originally proposed by Peter Nazarov (Twitter, LinkedIn), who kindly asked me to give it a bigger spread.

The biggest question of the day is whether the fix has already been applied to all official Sitecore container images, so that we can just pull the new Sitecore containers and rebuild our own container images to apply the patch.

The KB article offers WDP and ZIP package fixes but says nothing about containers, as if containers were not supported by Sitecore:

Critical vulnerability applicable to all Sitecore versions related to XSS. 

This issue is related to a Cross Site Scripting (XSS) vulnerability which might allow authenticated Sitecore users to execute custom JS code within Sitecore Experience Platform (XP) and Sitecore Managed Cloud.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the Solution to all affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.


So below are some findings:


So to apply the fix for your Docker images you need to copy the patch files from the following Sitecore Docker assets images:

  • for XM1: scr.sitecore.com/sxp-pre/sitecore-xm1-assets:10.2.1.007064.169-10.0.17763.2366-1809
  • for XP0: scr.sitecore.com/sxp-pre/sitecore-xp0-assets:10.2.1.007064.169-10.0.17763.2366-1809
  • for XP1: scr.sitecore.com/sxp-pre/sitecore-xp1-assets:10.2.1.007064.169-10.0.17763.2366-1809

For example, for XM 10.2.0 on the XM1 topology, use scr.sitecore.com/sxp-pre/sitecore-xm1-assets:10.2.1.007064.169-10.0.17763.2366-1809.


Inside this Sitecore Docker assets image you will find the C:\platform\ directory, which contains the directories for the corresponding Docker images that you need to patch:

  • \platform\cd
  • \platform\cm
  • \platform\id (it is empty and can be ignored)

You will need to copy the content of those directories to the file system root C:\ of the corresponding container.

For your \docker\build\cm\Dockerfile you would need a couple of new lines:

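...
# Stage that only serves as the source of the patch files
FROM scr.sitecore.com/sxp-pre/sitecore-xm1-assets:10.2.1.007064.169-10.0.17763.2366-1809 as kb1001489
...

FROM ${BASE_IMAGE}
...
# "WORKDIR C:\" needs the "# escape=`" parser directive on the first line of the Dockerfile;
# with the default escape character the trailing backslash would join this line with the next one.
WORKDIR C:\
# Overlay the CM patch files onto the file system root
COPY --from=kb1001489 /platform/cm/ ./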


You would need to make similar changes to your \docker\build\cd\Dockerfile, the only difference being that the last line copies the CD patch files instead of the CM ones:
...
COPY --from=kb1001489 /platform/cd/ ./


Of course, you can introduce an .env variable for scr.sitecore.com/sxp-pre/sitecore-xm1-assets:10.2.1.007064.169-10.0.17763.2366-1809 and pass it to your Dockerfiles as an ARG.
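
The ARG approach described above, written out for the CM Dockerfile as an added example that is not part of the original post. The variable name KB_ASSETS_IMAGE and the compose fragment shown in the comments are assumptions.

```dockerfile
# escape=`
# The directive above must be the very first line (before any other comment),
# otherwise the trailing backslash in "WORKDIR C:\" acts as a line continuation.
#
# Added example. KB_ASSETS_IMAGE is an assumed variable name, not from the post.
#
# .env (value is the XM1 assets image named in the post):
#   KB_ASSETS_IMAGE=scr.sitecore.com/sxp-pre/sitecore-xm1-assets:10.2.1.007064.169-10.0.17763.2366-1809
#
# docker-compose.override.yml, cm service (assumed layout):
#   cm:
#     build:
#       context: ./docker/build/cm
#       args:
#         BASE_IMAGE: <the value your cm build already passes>
#         KB_ASSETS_IMAGE: ${KB_ASSETS_IMAGE}

# Only ARGs declared before the first FROM can be used in FROM lines.
ARG BASE_IMAGE
ARG KB_ASSETS_IMAGE

# Patch source stage; an empty KB_ASSETS_IMAGE fails the build here.
FROM ${KB_ASSETS_IMAGE} AS kb1001489

FROM ${BASE_IMAGE}

# Overlay the CM patch files onto the file system root.
WORKDIR C:\
COPY --from=kb1001489 /platform/cm/ ./
```

Keeping the full tag in one .env entry means the CM and CD builds cannot drift to different assets images.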


Note: this patch changes the version of your Sitecore 10.2.0 instance to 10.2.1: Sitecore.NET 10.2.1 (rev. 007064 PRE) (see the screenshot below). Seeing this happen, it feels that, sadly, Sitecore is unlikely to release a 10.2.0 Docker image that includes this patch, as it would cause versioning issues:


The example above is a good way to learn how to apply a Docker assets image-based patch to your containers.

However, this Cumulative fix for Sitecore XP 10.2 changes a lot of DLLs to new versions that are not exposed via the NuGet feed, and changes your Sitecore version to a pre-release version (which does not exist). This would give you several challenges. Therefore, in this specific case I would prefer to apply just the standard .zip file-based fix, as per the Notes section on the page:

For Sitecore XP 10.1 and later, if it is not possible to apply the cumulative fix (pre-release update), the following patch can be applied alternatively: Sitecore.Support.500712.zip.

Cumulative fix for Sitecore XP 10.2

  • Changes multiple DLL versions (they are not available in the NuGet feed)
  • Changes the Sitecore version to a pre-release version (the next version, which is not released yet)

Sitecore.Support.500712.zip

  • Deploys the new Sitecore.Support.500712.dll
  • Overwrites the vulnerable \sitecore\shell\Applications\Content Manager\Execute.aspx page file so that it runs from Sitecore.Support.500712.dll, which contains the fix.