Drupal News


Come for the software, stay for the community. Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.
  • Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-004

    Drupal 8.3.7 is a maintenance release which contains fixes for security vulnerabilities.

    Updating your existing Drupal 8 sites is strongly recommended (see instructions for Drupal 8). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

    Description

    Views - Access Bypass - Moderately Critical - Drupal 8 - CVE-2017-6923

    When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view.

    It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.
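    The advice above is easiest to follow if unrestricted views are caught before deployment. The script below is an added example (not Drupal project code or part of the advisory) that reads a view in the shape of a Drupal 8 `views.view.*.yml` config export and flags every display whose effective access plugin is `none`; the sample export is constructed, and the parser only handles the nested `key: value` mappings those exports use.

```python
def parse_view_yaml(text):
    """Minimal parser for the nested 'key: value' mappings in views.view.*.yml exports."""
    stack = [(-1, {})]                         # (indent, mapping) pairs; root at indent -1
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        indent = len(raw) - len(raw.lstrip(' '))
        key, _, value = raw.strip().partition(':')
        while stack[-1][0] >= indent:          # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value in ('', '{  }', '{ }'):       # nested mapping, or Drupal's empty '{  }'
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return stack[0][1]

def unrestricted_displays(config):
    """Return display ids whose effective access plugin is absent or 'none'.
    Non-default displays export only the options they override, so a display
    without its own access block inherits the 'default' display's setting."""
    displays = config.get('display', {})
    inherited = displays.get('default', {}).get('display_options', {}).get('access')
    flagged = []
    for display_id, display in displays.items():
        access = display.get('display_options', {}).get('access', inherited)
        if not access or access.get('type', 'none') == 'none':
            flagged.append(display_id)
    return sorted(flagged)

# Constructed export: the default display has no access check, page_1 overrides
# it with a permission check, and feed_1 inherits the default (so it is exposed).
SAMPLE_VIEW = """\
display:
  default:
    display_options:
      access:
        type: none
        options: {  }
  page_1:
    display_options:
      access:
        type: perm
        options:
          perm: 'access content'
  feed_1:
    display_options:
      path: recent.xml
"""
```

Running `unrestricted_displays(parse_view_yaml(SAMPLE_VIEW))` on the sample returns `['default', 'feed_1']`; pointing the same check at a site's exported `config/sync` directory gives a list of views that still need an access plugin.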

    REST API can bypass comment approval - Access Bypass - Moderately Critical - Drupal 8 - CVE-2017-6924

    When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments.

    This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

    Entity access bypass for entities that do not have UUIDs or have protected revisions - Access Bypass - Critical - Drupal 8 - CVE-2017-6925

    There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.

    Versions affected

    • Drupal core 8.x versions prior to 8.3.7

    Solution

    Install the latest version:

    Drupal 7 core is not affected, however, Drupal 7 Views is: see Views - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068

    Also see the Drupal core project page.

    Reported by

    Views - Access Bypass

    REST API can bypass comment approval - Access Bypass

    Entity access bypass for entities that do not have UUIDs or protected revisions - Access Bypass

    Fixed by

    Views - Access Bypass

    REST API can bypass comment approval - Access Bypass

    Entity access bypass for entities that do not have UUIDs or protected revisions - Access Bypass

    Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

  • What’s new on Drupal.org? - July 2017

    Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

    Drupal.org updates

    Better Distribution packaging

    Drupal.org Drush upgraded

    Distributions are a cornerstone of Drupal, giving site-builders a head start by packaging together proven modules and themes from contrib to build a Drupal site to purpose. In July we spent some time improving the functionality for packaging distributions on Drupal.org, by updating Drupal.org's packaging system to use Drush 8. This resolves several issues:

    We hope that these changes will help distribution maintainers

    reCAPTCHA


    One of the key tools we use to prevent spam on Drupal.org is Mollom, which will reach end of life next year. To replace it, we've implemented reCAPTCHA on Drupal.org, and updated our privacy policy accordingly. We have not yet disabled Mollom, because Mollom is a content analysis tool in addition to a captcha tool. Because reCAPTCHA does not duplicate that content analysis functionality, we'll be monitoring spam attack patterns on Drupal.org to see whether reCAPTCHA will be sufficient as a standalone replacement.

    Easier addition of new documentation guides and pages

    Adding new guides and pages from the menu

    It's hard to believe that the new documentation system has been in use for almost a year. We've made a number of improvements after the initial release to improve usability for both contributors and maintainers of documentation, and to encourage project maintainers to migrate their docs. One piece of feedback we've heard several times is that the 'add content' links in the sidebar of a documentation guide were too difficult to find. To make it easier for documentation contributors to add new sub-guides and pages, we've added a new page link to the 'Edit' menu of documentation guides.

    Webmasters and documentation moderators can administer all docs

    Finding maintainers for the over 12,000 pages of documentation on Drupal.org continues to be a challenge, and so we've given all users with the Webmaster and Documentation Moderator role the ability to administer any documentation guide. This will expand the pool of users who can help to manage documentation and manage documentation maintainers. Good documentation for a project with Drupal's scale is a community-driven effort and we're incredibly thankful for all the volunteers who contribute.

    Any confirmed user may claim unmaintained documentation guides

    We also now allow any unmaintained guide to be claimed by any confirmed user—automatically adding them as the maintainer for that guide. This should make it much easier for new contributors to take up the mantle of maintaining sections of documentation on Drupal.org.

    Learn more about maintaining documentation by reading our content guidelines.

    For evaluators

    Updated industry page call to action

    Drupal for Healthcare

    The Drupal.org industry pages are a new experiment for the Drupal Association this year, with a goal of reaching out to Drupal evaluators in specific markets. The success stories we showcase on these pages demonstrate the power of Drupal in these industries, but we also want these pages to be an opportunity to connect evaluators with experts who can help them achieve their goals with Drupal. To enhance our efforts to connect Drupal evaluators to experts in their industry - we've added an additional call to action at the top of the industry page to encourage evaluators to connect with experts.

    Front page case study promotion for supporting partners and top contributors

    In July we laid the groundwork for promoting a second row of case studies on the Drupal.org home page. The second row will feature case studies from supporting partners and top Drupal contributors. These will not replace the existing row of case studies that are featured through the community process, but will supplement these case studies with additional stories from organizations that support the Drupal project through monetary and issue contribution. Watch for these new stories in the coming months.

    Digital tote for Vienna

    DrupalCon Vienna

    For DrupalCon Vienna we're implementing a new digital tote bag to deliver benefits to DrupalCon attendees provided by our event sponsors. This digital totebag will feature content for attendees from our Diamond, Platinum, and Gold sponsors.

    Speaking of DrupalCon Vienna - prices are about to go up by €50 + VAT - so make sure to register before early bird ends on Friday.

    Infrastructure

    Audit of monitoring and backups

    One of the first steps our new infrastructure partner is undertaking is an audit of our monitoring and backup regime, to ensure that we are well-prepared for disaster recovery and mitigation. While our internal team (with the help of dedicated volunteers) has maintained these existing systems, the current system is something of a patchwork of several tools, and we're hopeful that we can consolidate our tools and processes and make them more robust and efficient.

    ———

    As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:

    • Deeson - Renewing Premium Supporting Partner
    • Bits Creative Agency - *NEW* Classic Supporting Partner
    • Tag1 - *NEW* Signature Supporting Partner
    • Pantheon - Renewing Premium Hosting Supporting Partner

    If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

    Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

  • What’s new on Drupal.org? - June 2017

    Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

    Drupal.org updates

    Healthcare Industry Page

    Healthcare industry page launched

    One of our major goals this year is to highlight the power of Drupal in key industries. The Drupal.org industry pages highlight the story of building a custom-tailored solution for each industry using third-party integrations, expert hosting, or even purpose built distributions for the industry. Each page also highlights case studies which show demonstrated success stories using Drupal in each industry. In June we've launched our latest industry page, highlighting the Healthcare industry.

    Semantic Labels for Development Branches

    Semantic labels for core

    With a six month release cycle for Drupal core, the environment that project maintainers should test their code against will change fairly frequently. To make it easier for maintainers to keep up to date with testing - we've introduced semantic labels for the core branches. Maintainers can now configure tests against Default — the current development branch of Drupal, Stable — the most recent release of core, and Supported — the current patch/bug-fix branch.

    These semantic labels should make it easier for project maintainers to manage testing. We hope to expand on this with a few more labels, and may even extend these semantic labels to the version field that issues are filed against in the future.

    UTF8MB4 support

    As mentioned in last month's update, we've updated Drupal.org and the sub-sites to support the UTF8MB4 extended character set. While the changes for the sub-sites were deployed in May, we finished up by adding support to Drupal.org itself in June. Among other things, this means that Drupal.org will no longer throw errors if emoji are used in content. 😄

    Updating our membership CRM

    Drupal Association Membership is managed using the CiviCRM platform - and in June we spent a bit of time updating to the latest version and troubleshooting some issues around receipting and renewals. Members can check their current membership status on the membership page. If you're not yet a member or you need to renew, check out our membership certificate offer.

    Performance improvements

    To increase performance on Drupal.org we've updated to the latest version of the Advanced Aggregator module (special thanks to u/mikeytown2). The latest update includes aggregation of fonts from the Google Fonts API, which should make a material difference in Drupal.org page render times.

    Better spam moderation tools

    A recent surge of spam attacks targeting Drupal.org has led us to take another pass at updating our spam moderation tools. Spammers continue with a never-ending escalation of tactics, and so we are constantly evolving our tools for managing spam. We've implemented some rate limiting protections as well as some new moderation views that will make it easier for us to bulk moderate spam. We'll be continuing with some of this work into July so that we can keep Drupal.org's home free from spam and productive.

    Infrastructure

    Infrastructure partner selected

    In March we kicked off an RFP process to find a Managed Infrastructure Services vendor to partner with us to help maintain and improve the Drupal.org infrastructure. In June we reached a decision and have selected Tag1 Consulting as our partner. We're now working with Tag1 to audit our current infrastructure, policies, as well as monitoring and alerting systems as we kick off this relationship. Tag1 brings a tremendous amount of experience in Drupal infrastructure management as well as making Drupal performant at scale - and we're grateful to have them on board. With a partner on board to help us manage our infrastructure our internal team will focus on features and issues that support our mission.

    ———

    As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:

    If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

    Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

  • Take the Survey on the Community Governance Summit

    I recently shared the community needs and potential strategies for evolving community governance, which resulted from the Community Discussions we held in person and online throughout April and May. You can find the webinar recording and written transcript, as well as the meeting minutes from all Community Discussions, at https://www.drupal.org/community/discussions.

    Many community members who participated in these discussions agreed that the next step to take in this process is to hold a Community Governance Summit. However, we are not yet clear on where and when this event should take place, who should participate, and several other important details. I worked with community members to develop this survey so we can answer those questions.

    Please take 5 minutes to take this community survey and tell us your thoughts about the Community Governance Summit. This survey will remain open until 11:59pm EDT on July 28, 2017. We will analyze the findings and report back on what we learned in a follow-up blog post by Friday, August 4.

    Thank you for your time and participation.

  • Drupal Association Board Meeting Summary - 28 June, 2017

    On 28 June, 2017, the Drupal Association Board held the second of four annual public meetings. It was a full meeting where staff provided operational updates and gained some strategic direction from board members on how to proceed in various areas. Some highlights included:

    • Summary of DrupalCon Baltimore’s performance and impact.

    • Progress on securing future DrupalCon locations.

    • Discussion on how to unblock community outreach efforts by making appropriate changes to the Drupal.org privacy policy

    • An update on the Drupal.org infrastructure RFP that was recently awarded to Tag1.

    Whitney Hess also attended the board meeting to give an update on the Community Discussion work and invited the community to attend her webinar that shared her findings and next steps. You can learn more and watch the recorded webinar here.

    Also, Jamie Nau, our “virtual CFO” from Summit CPA attended the meeting to review April 2017 financial statements, which showed that DrupalCon Baltimore exceeded expectations, positioning the Drupal Association for a healthier year, financially. This is encouraging news as we work through our financial turnaround, which started a year ago.

    In an effort to be more transparent about board activities, the board chose to use this public forum to vote to approve the January through April 2017 financial statements. April 2017 financial statements showed that April was a successful month primarily due to DrupalCon Baltimore's strong financial performance. 

    You can find the meeting minutes and board materials here.

    We were pleased to have community members attend and invite you to attend our next board meeting on 27 September, 2017 at noon CEST. It is located in the DrupalCon Vienna convention center and can also be attended via Zoom.