Drupal News


Come for the software, stay for the community Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.
  • Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-003

    Drupal 8.3.4 and Drupal 7.56 are maintenance releases which contain fixes for security vulnerabilities.

    Updating your existing Drupal 8 and 7 sites is strongly recommended (see instructions for Drupal 8 and for Drupal 7). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.4 release notes and the 7.56 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

    • Advisory ID: DRUPAL-SA-CORE-2017-003
    • Project: Drupal core
    • Version: 7.x, 8.x
    • Date: 2017-June-21
    • Multiple vulnerabilities

    Description

    PECL YAML parser unsafe object handling - Critical - Drupal 8 - CVE-2017-6920

    PECL YAML parser does not handle PHP objects safely during certain operations within Drupal core. This could lead to remote code execution.
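The advisory does not publish the fix, so the following is an added illustration, not Drupal's own code: a wrapper around the PECL `yaml_parse()` function that refuses to turn `!php/object` tags into PHP objects. It assumes the PECL yaml extension is loaded and that its `yaml.decode_php` ini directive (the switch that controls object decoding) is honoured by the installed version; the default of that directive has differed between extension releases, so the wrapper sets it explicitly and additionally walks the decoded tree to reject any object that still appears. The class name, the sample documents and the `stdClass` payload are constructed for this example.

```php
<?php
// Added example (not Drupal's code): parse untrusted YAML with the PECL yaml
// extension without letting it materialise PHP objects.
//
// Assumptions: the PECL "yaml" extension is loaded, and yaml.decode_php
// (whether "!php/object" tags are unserialised) is honoured. Its default has
// varied between extension versions, so it is set explicitly here.

final class SafeYaml
{
    /**
     * Decode a YAML document without allowing object deserialisation.
     *
     * @throws RuntimeException if the extension is missing, parsing fails,
     *   or a PHP object still surfaces anywhere in the decoded tree.
     */
    public static function decode(string $yaml): mixed
    {
        if (!function_exists('yaml_parse')) {
            throw new RuntimeException('PECL yaml extension is not loaded');
        }

        // Hardening step: disable "!php/object" decoding for this call and
        // restore the previous value so other callers are unaffected.
        $previous = ini_get('yaml.decode_php');
        ini_set('yaml.decode_php', '0');
        try {
            $decoded = yaml_parse($yaml);
        } finally {
            if ($previous !== false) {
                ini_set('yaml.decode_php', $previous);
            }
        }

        if ($decoded === false) {
            throw new RuntimeException('YAML could not be parsed');
        }

        // Defence in depth: even if the ini setting were ignored, refuse a
        // result that contains a PHP object.
        self::assertNoObjects($decoded, '$');
        return $decoded;
    }

    private static function assertNoObjects(mixed $value, string $path): void
    {
        if (is_object($value)) {
            throw new RuntimeException(sprintf(
                'Refusing YAML: object of class %s at %s', get_class($value), $path
            ));
        }
        if (is_array($value)) {
            foreach ($value as $key => $child) {
                self::assertNoObjects($child, $path . '.' . $key);
            }
        }
    }
}

// Constructed sample input: a harmless configuration document, then one that
// carries a "!php/object" tag wrapping an empty stdClass. With
// yaml.decode_php=0 the tag is not turned into an object; if it ever were,
// the second guard above rejects it.
$benign = "name: example\nweight: 5\n";
$tagged = "payload: !php/object 'O:8:\"stdClass\":0:{}'\n";

var_dump(SafeYaml::decode($benign));

try {
    SafeYaml::decode($tagged);
    echo "tagged document decoded with no objects present\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The ini_set call is the mitigation; the tree walk is there because a parser setting is easy to lose when the extension is upgraded or another module toggles it. Either path yields a result that a site can hand to configuration import without unserialising attacker-chosen classes.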

    File REST resource does not properly validate - Less Critical - Drupal 8 - CVE-2017-6921

    The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.

    Files uploaded by anonymous users into a private file system can be accessed by other anonymous users - Moderately Critical - Drupal 7 and Drupal 8 - CVE-2017-6922

    Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

    The security team has also received reports that this vulnerability is being exploited for spam purposes, similar to the scenario discussed in PSA-2016-003 for the public file system.
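To make the access rule concrete, here is an added example in plain PHP (not Drupal's implementation and not tied to its file API): the upload handler records the ids of temporary private files in the uploader's own session, and the download check grants an anonymous request a temporary anonymous-owned file only when that session recorded it. The session key name, the file-record shape (`fid`, `uid`, `status`) and the two sample sessions are constructed for this example; permanently attached files defer to whatever content-level access check the site already performs.

```php
<?php
// Added example (not Drupal's code): the access rule described in the
// advisory for private files uploaded by anonymous users but not yet
// permanently attached to content.
//
// Assumptions: a file record has 'fid', 'uid' (0 = anonymous) and 'status'
// (true once permanently attached); $session is the requester's own PHP
// session array. The key 'anonymous_allowed_file_ids' is this example's.

final class PrivateFileAccess
{
    public const SESSION_KEY = 'anonymous_allowed_file_ids';

    /** Upload handler hook: remember which temporary files this session created. */
    public static function recordAnonymousUpload(array &$session, int $fid): void
    {
        $session[self::SESSION_KEY][$fid] = $fid;
    }

    /**
     * Decide whether the current request may read a private file.
     *
     * @param array $file          ['fid' => int, 'uid' => int, 'status' => bool]
     * @param int   $requestUid    0 for an anonymous request
     * @param array $session       the requesting session (may be empty)
     * @param bool  $contentAllows result of the site's content-level access check
     */
    public static function allowed(array $file, int $requestUid, array $session, bool $contentAllows): bool
    {
        // Permanently attached files follow the rules of the content they
        // belong to; that check is outside this example.
        if ($file['status']) {
            return $contentAllows;
        }
        // Temporary file owned by an authenticated user: only that user.
        if ($file['uid'] !== 0) {
            return $requestUid === $file['uid'];
        }
        // Temporary file owned by anonymous. The vulnerable behaviour granted
        // this to every anonymous visitor; the fix ties it to the uploading
        // session. Authenticated requesters never match an anonymous upload.
        if ($requestUid !== 0) {
            return false;
        }
        return isset($session[self::SESSION_KEY][$file['fid']]);
    }
}

// Constructed scenario: two independent anonymous sessions, one upload.
$uploaderSession = [];
$otherSession    = [];
$tempFile = ['fid' => 42, 'uid' => 0, 'status' => false];

PrivateFileAccess::recordAnonymousUpload($uploaderSession, 42);

var_dump(PrivateFileAccess::allowed($tempFile, 0, $uploaderSession, false)); // bool(true)
var_dump(PrivateFileAccess::allowed($tempFile, 0, $otherSession, false));    // bool(false)
var_dump(PrivateFileAccess::allowed($tempFile, 7, $otherSession, false));    // bool(false)

// Once attached to content, the content-level decision is what counts.
$attached = ['fid' => 42, 'uid' => 0, 'status' => true];
var_dump(PrivateFileAccess::allowed($attached, 0, $otherSession, true));     // bool(true)
```

The spam scenario mentioned above depends on the second call returning true, which is exactly what the session check removes: a file that was never attached to anything is served only to the browser that uploaded it.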

    Versions affected

    • Drupal core 7.x versions prior to 7.56
    • Drupal core 8.x versions prior to 8.3.4

    Solution

    Install the latest version:

    Also see the Drupal core project page.

    Reported by

    PECL YAML parser unsafe object handling

    File REST resource does not properly validate

    Files uploaded by anonymous users into a private file system can be accessed by other anonymous users

    Fixed by

    PECL YAML parser unsafe object handling

    File REST resource does not properly validate

    Files uploaded by anonymous users into a private file system can be accessed by other anonymous users

    Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

  • What’s new on Drupal.org? - May 2017

    Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

    After returning from DrupalCon Baltimore at the end of April, we spent May regrouping and focusing on spring cleaning tasks. It's important for any technical team to spend time on stability and maintenance, and we used May to find improvements in these areas and look for some other efficiencies.

    Drupal.org updates

    🎉 UTF8MB4 Support

    Support for the UTF8MB4 character set has been a long outstanding issue for Drupal.org and the sub-sites. This expanded character set supports supplementary characters outside the Basic Multilingual Plane of Unicode, including symbols and emoji.

    Previously the use of any of these characters on Drupal.org would result in an error. This extended support has been rolled out to Drupal.org and all of the sub-sites except Groups, our legacy Drupal 6 site on LTS.

    Protecting Localize.Drupal.org from Spam

    After a spike in spam form submissions was reported (thanks Gábor!) we enabled form protection on Localize.drupal.org. Hopefully this will keep our many translation volunteers focused on the hard work of localizing Drupal, instead of on spam fighting. The techniques that spammers use to bypass protections continue to escalate, so we'll be continuing to evaluate new ways to fight spam as time goes on.

    Infrastructure

    Stability and Maintenance

    We spent a portion of our time in May focused on some basic infrastructure issues. One of the Drupal.org production webnodes experienced a filesystem and networking issue and had to be removed from the rotation. We performed some forensics to identify the cause of the issue, and then rebuilt the virtual machine and put it back into rotation.

    We also spent some time updating the remote access configuration with our data center, to make remote troubleshooting easier and more efficient for our internal team.

    Finally, we performed an audit and inventory of our owned hardware. This helped us to identify underutilized resources that we could re-purpose, and will help us more quickly on-board our new managed infrastructure services partner at the conclusion of our RFP process.

    Infrastructure RFP

    The deadline for responses to our Managed Infrastructure Services RFP was Monday May 8th. Once we'd received proposals from all participating vendors, we began our process to review those proposals internally and schedule interviews with the vendors. As we move into June this RFP process is wrapping up, and we will be announcing the results of the RFP soon.

    DrupalCI


    General Updates

    One of the primary features of DrupalCI is that it allows developers to test against a variety of environments. To make sure that we're more easily able to keep up with the latest PHP patch releases (e.g. 7.0.x, 7.1.x, 5.6.x), the PHP environment containers are now rebuilt nightly.

    Coding standards test results were added in April, and to make it easier for developers to see where the code standards issues appear within the code base, we're now linking the standards results to CGIT.

    More efficient test result saving

    Since we began parsing DrupalCI test results onto Drupal.org we pretty rapidly reached more than 100,000,000 database rows of test results, taking up more than 100G of database space. To make offering this service more sustainable, we've implemented changes to how we store test result data. Instead of storing complete results for each test, we now only store the diff between the current test and the last test. This has resulted in a dramatic reduction in the amount of space consumed.

    Re-purposing owned hardware for bots

    DrupalCI is also the most expensive single service that the Drupal Association provides to the community. In addition to the labor costs involved in building and maintaining the system, the Amazon spot instance costs average between $2000-$4000 each month. After spending some time doing an owned hardware inventory audit, we've realized that we can repurpose some of our existing hardware as VM hosts for additional testbots. These testbots will not be as fast as the AWS instances, so we'll be reserving them for use with the nightly test builds; however, we hope that even this change will represent a significant saving. Work on this continues into June.

    ———

    As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:

    If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

    Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

  • Growing community in Moldova

    This guest blog post is from Drupal Moldova's Association (not affiliated with Drupal Association). Get a glimpse of what is happening in Moldova's community and how you can get involved.

    Drupal Moldova Association’s mission is to promote Drupal CMS and Open Source technologies in Moldova, and to grow and sustain the local community by organising Events, Camps, Schools, Drupal meetups and various Drupal and Open Source related trainings, and by establishing partnerships with Companies, the Government, and NGOs.

    Come and share your expertise in Moldova at our events! We're looking for international speakers to speak about Drupal and open source.

    Among DMA’s (short for Drupal Moldova Association) numerous commitments, the following are of special importance:

    • to gather the community around Drupal and Open Source technologies;

    • to train students and professionals who want to learn and work with Drupal;

    • to organise events to keep the community engaged and motivated to improve, learn, and share experience;

    • to make sure Drupal is accessible to everyone by offering scholarships to those who can't afford our programs;

    • to develop a well-defined program that helps students learn Drupal, acquire enough knowledge to get accepted for internships by IT companies, and be able to build Drupal powered websites;

    • to assist new IT companies in establishing a local office, promote themselves, collaborate with other companies, and connect with the local Drupal community by giving them the opportunity to support our projects.

    Over the last 5 years, we have been dedicated to achieving our goals! DMA has organized over 20 projects and events, including Drupal Global Training Days, Drupal Schools, and the regional DrupalCamp, Moldcamp. Our projects have gathered over 700 local and international participants and speakers, and more than 15 international companies have supported us during these years (FFW, Adyax, IP Group, Intellix, Endava and many others).

    Moldova is rich in great developers and people driven to take initiative, to grow, and to place the country on the world map. We are aiming to go beyond our limits and have a bigger impact in the coming year (‘17-’18), so we have created a yearly plan that contains projects similar to those we have done in past years, as well as new and exciting ones:

    • Drupal School (3-step program), starting with Drupal School 8 plus PHP (step 1): Drupal School is an educational program split into 2 months and 25 courses of different levels (Beginner, Intermediate, Advanced). Drupal School aims to introduce people to Drupal 8 and PHP, and help them become Drupal professionals;

    School of Drupal 8 group photo from Facebook

    • Moldcamp2017: Sep - Oct 2017. A regional DrupalCamp that gathers around 150 Drupal professionals, enthusiasts, beginners and any-Drupal-related-folk in one place for knowledge-sharing, presentations, networking, etc. We will announce the event soon and allow speaker registration. Please follow us and don’t miss out on the opportunity;

    Mold Camp speaker at blackboard

    Mold Camp attendees at table

    Global Training Day presenter

    • Drupal Meetups: These are organized each month and they allow our community to be active and share knowledge.

    • Tech Pizza: Jun, Aug, Oct, Dec. A bi-monthly event where the ICT community can gather in a casual and informal environment around pizza and soda and discuss the latest IT trends and news. The core of this event is a speaker / invitee from abroad with a domain of expertise;

    • Moldova Open Source Conference: March 2018. It is a regional conference for over 200 participants that aims to gather all the Open Source Communities (Wordpress, Laravel, Ruby on Rails, JavaScript, etc.) under one roof, where they will attend sessions that enhance the expertise of existing experts in various Open Source technologies and allow them to mix their technologies into new ideas.

    The proposed program “Drupal and Open Source in Moldova 2017 - 2018” is made possible through the support of USAID and the Swedish Government. Thanks to these organizations we can focus on the quality of our projects and make sure they happen as planned. We also have a very important partnership with Tekwill / Tekwill Academy, which helps us even more in our quests.

    School of Drupal 8 + PHP promotional page

    We start with the School of Drupal 8 plus PHP program, which will be held on 19 June 2017. So far we have three sponsors (IPGroup, Adyax and Intellix) and two trainers.

    We, the DMA, believe in pushing the limits! Our long term goal is to build and maintain a big, active Open Source community by attracting more local and international participants to our Projects and Events, and by continuously improving our sessions. This will make our presence felt in the global Drupal and Open Source communities and markets. Find us on Twitter @drupalmoldova, or on our Facebook page. If you are interested in speaking in Moldova, contact us at info@drupalmoldova.org.

  • DrupalCon Vienna t-shirts are back! - but there’s a catch.

    DrupalCon Vienna T-shirts

    Remember how we are making changes to DrupalCon Europe? These were hard decisions, and some things we love just weren’t financially viable. Like free t-shirts. But one thing we heard a lot was “please don’t take away the t-shirts!”

    We heard you. And while it doesn’t make financial sense to give free t-shirts to all attendees, we still want to be able to continue to offer them. So we’ve come up with a plan.

    At DrupalCon Vienna, t-shirts will be offered to the following groups:

    • Individual Drupal Association members who register for DrupalCon Vienna between 5 - 16 June 2017. You must register in this two week window AND be an individual member of the Drupal Association.

    • Volunteers who work at least four (4) hours onsite in Vienna 26 - 29 September. You must check the volunteer box during registration and must show up on site to volunteer for four (4) hours or until released by event staff.

    • Volunteers as part of the DrupalCon Program Team

    • Sprint Mentors

    The fine print FAQ

    I’m already a member, how do I make sure that I'll get a shirt?

    If you are already an individual member, you get a t-shirt! BUT you MUST register in the first two weeks of ticket sales. Registrations after 16 June will not receive a t-shirt, member or not.

    I’m not a member, can I do that during registration and still get a shirt?

    Yes. If you are not a member you can become an individual member during your conference registration. You will be presented with a page during check-out that gives you the option to become a member.

    I already registered but JUST saw this post! What do I do?

    If you are a true early bird and register in the two weeks, but somehow missed this news post until after registering, that’s ok. As long as you become a member before the end of 16 June, you’ll still get a t-shirt.

    The registration didn’t say anything about t-shirts or ask for my t-shirt size? What’s up?

    After the 16 June cut-off date, eligible registrants will receive an email confirming their t-shirt along with a link to select their t-shirt size.

    You got a session selected? Great!

    We’ll refund your registration amount (but not your membership) and you get to keep the t-shirt. Our regular no-refund policy applies to all other sales.

    You’re part of an organization that is buying a bulk amount of tickets for employees? Lucky you.

    Your organization should provide you with an individual redemption code. You’ll need to redeem your individual registration before 16 June AND also be an individual member of the Drupal Association in order to get a t-shirt.

  • What’s new on Drupal.org? - April 2017

    Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

    DrupalCon Baltimore logo Apr 24-28

    At the end of April we joined the community at DrupalCon Baltimore. We met with many of you there, gave our update at the public board meeting, and hosted a panel detailing the last 6 months worth of changes on Drupal.org. If you weren't able to join us for this con, we hope to see you in Vienna!

    Drupal.org updates

    DrupalCon Vienna Full Site Launched!

    DrupalCon Vienna logo Sep 26-29 2017

    Speaking of Vienna, in April we launched the full site for DrupalCon Vienna which will take place from September 26-29th, 2017. If you're going to join us in Europe you can book your hotel now, or submit a session. Registration for the event will be opening soon!

    DrupalCon Nashville Announced with new DrupalCon Brand

    DrupalCon Nashville logo Apr 9-13 2018

    Each year at DrupalCon the location of the next conference is held as a closely guarded secret; the topic of speculation, friendly bets, and web crawlers looking for 403 pages. Per tradition, at the closing session we unveiled the next location for DrupalCon North America: Nashville, TN, taking place from April 9-13th in 2018. But this year there was an extra surprise.

    We've unveiled the new brand for DrupalCon, which you will begin to see as the new consistent identity for the event from city to city and year to year. You'll still see the unique character of the city highlighted for each regional event, but with an overarching brand that creates a consistent voice for the event.

    Starring Projects

    Users on Drupal.org may now star their favorite projects, making it easier to find favorite modules and themes for future projects, and giving maintainers a new dimension of feedback to judge their project's popularity. Users can find a list of the projects they've starred on their user profile. Over time we'll begin to factor the number of stars into a project's ranking in search results.


    At the same time that we made this change, we've also added a quick configuration for managing notification settings on a per-project basis. Users can opt to be notified of all issues for a project, only issues they've followed, or no issues. While these notification options have existed for some time, this new UI makes it easier than ever to control issue notifications in your inbox.

    Project Browsing Improvements

    One of the important functions of Drupal.org is to help Drupal site builders find the distributions, modules, and themes that are the best fit for their needs. In April, we spent some time improving project browsing and discovery.

    Search is now weighted by project usage so the most widely used modules for a given search phrase will be more likely to be the top result.

    We've also added a filter to the project browsing pages to allow you to filter results by the presence of a supported, stable release. This should make it easier for site builders to sort out mature modules from those still in initial development.

    Better visual separation of Documentation Guide description and contents


    In response to user feedback, we've updated the visual display of Documentation Guides, to create a clearer distinction between the guide description text and the teaser text for the content within the guides.

    Promoting hosting listings on the Download & Extend page

    To leverage Drupal to the fullest requires a good hosting partner, and so we've begun promoting our hosting listings on the Download and Extend page. We want Drupal.org to provide every Drupal evaluator with all of the tools they need to achieve success—from the code itself, to professional services, to hosting, and more.

    Composer

    Sub-tree splits of Drupal are now available

    Composer Façade

    For developers using Composer to manage their projects, sub-tree splits of Drupal Core and Components are now available. This allows PHP developers to use components of Drupal in their projects without having to depend on Drupal in its entirety.

    DrupalCI

    Automatic Requeuing of Tests in the event of a CI Error


    In the past, if the DrupalCI system encountered an error when attempting to run a test, the test would simply return a "CI error" message, and the user who submitted the test had to manually submit a new test. These errors would also cause the issues to be marked as 'Needs work' - potentially resetting the status of an otherwise RTBC issue.

    We have updated Drupal.org's integration with DrupalCI so that, instead of marking issues as 'Needs work' in the event of a CI error, Drupal.org will automatically queue a retest.

    Bugfix: Only retest one environment when running automatic RTBC retests

    Finally, we've fixed a bug in DrupalCI's automatic RTBC retest system. When Drupal HEAD changes, any RTBC patches are automatically retested to ensure that they still apply. It is only necessary to retest against the default or last-used test environment to confirm that the patch still works, but the automatic retests were being run against every configured environment. We've fixed this issue, shortening queue times during a string of automatic retests and saving testing resources for the project.

    ———

    As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:

    If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

    Follow us on Twitter for regular updates: @drupal_org, @drupal_infra