Feed aggregator

Bulgaria PHP Conference 2016

PHP Announcements - Thu, 04/27/2017 - 06:07
Bulgaria PHP Conference is the premier PHP conference, gathering PHP and frontend developers and engineers from all around Europe. Co-organized by the Bulgaria PHP User Group and SiteGround web hosting, the conference is bringing internationally renowned experts from the PHP industry to talk about APIs, Frameworks, Security, Testing, Continuous Integration, and much more!

Highlights:

  • 500+ passionate attendees
  • 27 world-renowned speakers
  • 4 practical workshops
  • 3 action-packed days
  • 1 legendary after party
  • Games, JeoPHPardy, Hackathon
  • Amazing food, swag and gifts included

Get your discounted ticket today. Price increases to the regular one (129 EUR) on September 1, 2016. Still not convinced? Here are several reasons to head to Sofia for Bulgaria PHP Conference.
Categories: Development News, PHP, PHP News

Supporting the next evolution of Drupal's Community Governance

Drupal News - Thu, 04/20/2017 - 23:19

TL;DR: Both the community and Dries Buytaert, Project Lead, see a need to evolve Drupal community governance. The Drupal Association can help in a support role. We will start by hosting mediated community discussions so everyone around the world can participate, be heard and understood, and share their ideas. Creating a new governance model will take many months and will require an agile approach as we all feel our way through the proper steps. The Drupal Association will continue to find ways to support this process as we all move through it together.

-------------

Over the last several weeks, the Drupal Association has been in listening mode — and we still are. We’re hearing community members say they need clarity and understanding, and that our community governance needs to change. As we process what we’re hearing, we want to find the best way to help the community address the issues being raised, within the boundaries of the Drupal Association charter.

The Drupal Association’s mission is to unite the global community to help build and promote the software. We do that in two very specific ways: DrupalCon and Drupal.org. We’re determining how best to meet the community’s needs as it relates to these two key community homes. In the near future, I will publish blogs with ideas on how we might address the various needs we are hearing.

Evolving Community Governance

There is one need that we hear loud and clear that we can address today: The community needs support to evolve community governance structures and processes. Both the community at large, and Dries Buytaert, Project Lead, have expressed this need, and we are glad to see this alignment.  

It’s important to note that the Drupal Association has a very limited role in community governance. Our only role in governance stems directly from our charter to manage DrupalCon and Drupal.org.

It’s not within our charter to oversee community governance or drive its evolution. The last thing the Drupal Association wants is to step outside of our charter or accidentally take away the community’s agency in self-organizing to create the new community governance model. However, we do want to facilitate forward movement. And so, we can take a support role.

We hear that many in the community want to come together to talk. We can support this by providing a meeting place (both in person and online), and a mediator for community discussions.

We have asked Whitney Hess, a coach who has worked with the Drupal community before, to facilitate and mediate community discussions, where people can come together to talk about current community issues and explore ideas for improved governance. These discussions will start at DrupalCon Baltimore and continue in a series of online meetings, scheduled at different times so members around the world can participate. [see more details below]

To provide transparency for those who cannot attend the discussion sessions, we will post meeting minutes and summaries from each community discussion here: https://drupal.org/community/discussions.

As facilitator of these community discussions, Whitney Hess will provide a summary to give us a broad perspective on the “voice of the community.” We hope these conversations will ground the community as it begins architecting its new governance model.

Once we have had these discussions we can decide together on the appropriate next steps, and how the Association can help the community continue to move forward, together.

Join Community Discussions

We hope you'll join the conversation as these discussions begin. Again, our overarching aim is to support the community so it can be healthy and continue to thrive. We believe that open conversation is essential to the wellbeing of any community and we look forward to hosting Community Discussions mediated by Whitney Hess. Please join fellow community members to talk through recent community issues and to be part of co-creating Drupal’s new governance model.

Here are the discussions you can join. Please note the ground rules below:

At DrupalCon Baltimore

Location: Pratt Street Show Office

Details: https://events.drupal.org/baltimore2017/community-discussion

  • Tuesday, 12-1pm, max 45 participants

  • Tuesday, 2:15-3:15pm, max 15

  • Tuesday, 5-6pm, max 15

  • Wednesday, 2:15-3:15pm, max 15

  • Wednesday, 3:45-4:45pm, max 15

  • Thursday, 10:45-11:45am, max 15

  • Thursday, 1-2pm, max 45

Virtual Meetings after DrupalCon

Sign Up Here: https://events.drupal.org/virtual/community-discussions

  • Tuesday, May 9: 4pm EDT / 1pm PDT / 9pm BST / 10pm CEST / 6am +1 AEST

  • Wednesday, May 10: 8am EDT / 1pm BST / 2pm CEST / 5:30pm IST / 10pm AEST

  • Thursday, May 11: 9:30am EDT / 2:30pm BST / 3:30pm CEST / 7pm IST / 11:30pm AEST

  • Friday, May 12: 2pm EDT / 11am PDT / 7pm BST / 8pm CEST / 11:30pm IST

  • Tuesday, May 16: 8pm EDT / 5pm PDT / 10am AEST

  • Wednesday, May 17: 12pm EDT / 9am PDT / 5pm BST / 6pm CEST / 9:30pm IST

  • Thursday, May 18: 3pm EDT / 12pm PDT / 8pm BST / 9pm CEST

Ground Rules for Community Discussions

Key Principles of Nonviolent Communication

  • Responsibility for Our Feelings: We aim to move away from blame, shame, judgment, and criticism by connecting our feelings to our own needs. This recognition empowers us to take action to meet our needs instead of waiting for others to change.

  • Responsibility for Our Actions: We aim to recognize our choice in each moment, and take action based on seeing how it would meet our needs to do so; we aim to move away from taking action based on fear, guilt, shame, the desire for reward, or any “should” or “have to.”

  • Prioritizing Connection: We aim to focus on connection instead of immediate solutions, and to trust that connecting with our own and others’ needs is more likely to lead to creating solutions that meet everyone’s needs.

  • Equal Care for Everyone’s Needs: We aim to make requests and not demands; when hearing disagreement with our request, or when disagreeing with another’s request, we aim to work towards solutions that meet everyone’s needs, not just our own, and not just the other person’s.

  • Self-Expression: When expressing ourselves, we aim to speak from the heart, expressing our feelings and needs, and making specific, doable requests rather than demands.

  • Empathic Hearing: When we hear others, we aim to hear the feelings and needs behind the expressions, even when they express judgments or demands.

  • Protective Use of Force: We aim to use force only to protect, not to punish others or get our way without the other’s agreement, and only in situations where the principles above were not sufficient to meet immediate needs for safety. We aim to return to dialogue as soon as safety is re-established.

How These Ground Rules Work

  • Ground rules will be stated at the beginning of each session.

  • If you are not in agreement with the ground rules, please do not participate in the session.

  • If a participant is repeatedly disruptive of respectful, productive discussion, they will be asked to leave; if they do not leave, the session will be terminated immediately.
Categories: Development News, Drupal

Drupal Core - Critical - Access Bypass - SA-CORE-2017-002

Drupal News - Wed, 04/19/2017 - 13:13
Description

This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:

  • The site has the RESTful Web Services (rest) module enabled.
  • The site allows PATCH requests.
  • An attacker can get or register a user account on the site.

While we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.

CVE identifier(s) issued
  • CVE-2017-6919
Versions affected
  • Drupal 8 prior to 8.2.8 and 8.3.1.
  • Drupal 7.x is not affected.
Solution
  • If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
  • If the site is running Drupal 8.3.0, upgrade to 8.3.1.
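A way to turn the three preconditions above, plus the affected version range, into a repeatable check over a site's exported configuration. This is an added example, not Drupal core code and not a script the advisory ships. It reads the exported YAML as plain text with regular expressions, so it needs no YAML library; the file layouts it relies on (core.extension.yml keeping enabled modules under a top-level `module:` map, user.settings.yml carrying a `register:` key, rest.resource.*.yml naming methods either as `- PATCH` list items or as a `PATCH:` map key) are assumptions about the 8.2/8.3 config export format, and the sample export at the bottom is constructed for the demonstration.

```python
"""Triage helper for SA-CORE-2017-002 over an exported Drupal 8 config dir.
Added example, not Drupal core code. The YAML layouts matched below are
assumptions about the 8.2/8.3 export format, checked with regexes so that
the script has no PyYAML dependency."""
import os
import re

# Fixed releases named in the advisory's Solution, keyed by minor version.
# Unsupported 8.0.x and 8.1.x sites are told to move to 8.2.8.
FIXED = {(8, 2): (8, 2, 8), (8, 3): (8, 3, 1)}


def parse_version(text):
    """'8.2.7' -> ((8, 2, 7), None); '8.3.1-rc1' -> ((8, 3, 1), 'rc1').
    A Drupal 7 style '7.54' is accepted with patch level 0."""
    m = re.match(r'^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\S+))?$', text.strip())
    if not m:
        raise ValueError('unrecognised Drupal version: %r' % text)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, patch), m.group(4)


def core_is_affected(version):
    """True for the releases the advisory lists: Drupal 8 before 8.2.8, and
    8.3.0. A pre-release tag (8.2.8-rc1) is ordered before the final release
    because it predates the fix. Drupal 7 is not affected."""
    (major, minor, patch), pre = parse_version(version)
    if major != 8 or minor > 3:
        return False  # 7.x is not affected; 8.4+ is not named by the advisory
    fixed = FIXED.get((8, minor), FIXED[(8, 2)])
    # Trailing 0 for a pre-release and 1 for a final: 8.2.8-rc1 < 8.2.8.
    return (major, minor, patch, 0 if pre else 1) < fixed + (1,)


def module_enabled(core_extension_yml, name):
    """core.extension.yml lists enabled modules as '  name: weight' lines
    under a top-level 'module:' key (assumed layout)."""
    in_module = False
    for line in core_extension_yml.splitlines():
        if re.match(r'^module:\s*$', line):
            in_module = True
            continue
        if in_module and not line.startswith(' '):
            in_module = False
        if in_module and re.match(r'^\s+%s:\s*-?\d+\s*$' % re.escape(name), line):
            return True
    return False


def patch_enabled_resources(config):
    """rest.resource.*.yml files that enable PATCH in either granularity:
    a '- PATCH' list item or a 'PATCH:' map key (assumed layout)."""
    patch_line = re.compile(r'^\s*(?:-\s*PATCH|PATCH:)\s*$', re.M)
    return sorted(name for name, text in config.items()
                  if name.startswith('rest.resource.') and name.endswith('.yml')
                  and patch_line.search(text))


def open_registration(user_settings_yml):
    """user.settings.yml 'register' is admin_only, visitors or
    visitors_admin_approval; anything but admin_only lets a stranger request
    an account. Existing untrusted accounts are not visible in config."""
    m = re.search(r'^register:\s*(\S+)', user_settings_yml, re.M)
    return bool(m) and m.group(1) != 'admin_only'


def triage(version, config):
    """Apply the advisory's preconditions to {config file name: text}.
    'update_now' is affected core + rest enabled + PATCH allowed; open
    registration is reported separately since an attacker may already
    hold an account, which the advisory also counts."""
    findings = {
        'core_affected': core_is_affected(version),
        'rest_enabled': module_enabled(config.get('core.extension.yml', ''), 'rest'),
        'patch_resources': patch_enabled_resources(config),
        'open_registration': open_registration(config.get('user.settings.yml', '')),
    }
    findings['update_now'] = (findings['core_affected'] and findings['rest_enabled']
                              and bool(findings['patch_resources']))
    return findings


def load_config_dir(path):
    """Read every *.yml in an exported config (sync) directory."""
    return {name: open(os.path.join(path, name), encoding='utf-8').read()
            for name in os.listdir(path) if name.endswith('.yml')}


# Constructed sample of an 8.2.7 site's export, not taken from a real site.
SAMPLE_CONFIG = {
    'core.extension.yml': 'module:\n  block: 0\n  node: 0\n  rest: 0\n'
                          '  serialization: 0\ntheme:\n  bartik: 0\nprofile: standard\n',
    'user.settings.yml': 'anonymous: Anonymous\nregister: visitors\nverify_mail: true\n',
    'rest.resource.entity.node.yml': (
        "id: entity.node\nplugin_id: 'entity:node'\ngranularity: method\n"
        "configuration:\n  GET:\n    supported_formats:\n      - json\n"
        "    supported_auth:\n      - cookie\n  PATCH:\n    supported_formats:\n"
        "      - json\n    supported_auth:\n      - cookie\n"),
    'rest.resource.entity.user.yml': (
        "id: entity.user\nplugin_id: 'entity:user'\ngranularity: method\n"
        "configuration:\n  GET:\n    supported_formats:\n      - json\n"
        "    supported_auth:\n      - cookie\n"),
}

if __name__ == '__main__':
    import json
    print(json.dumps(triage('8.2.7', SAMPLE_CONFIG), indent=2))
```

Run it against a real export with `triage(version, load_config_dir('/path/to/config/sync'))`; the version string is the `\Drupal::VERSION` constant in core/lib/Drupal.php. A `False` for `update_now` only means the advisory's stated conditions are not all met; it is not a reason to skip the upgrade, since the 8.2.8 and 8.3.1 releases are the supported state either way.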

Also see the Drupal core project page.

Reported by / Fixed by / Coordinated by
  • The Drupal Security team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Development News, Drupal

What's new on Drupal.org? - March 2017

Drupal News - Tue, 04/18/2017 - 14:02

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

DrupalCon Baltimore, Apr 24-28

The Drupal Association team is gearing up for DrupalCon Baltimore. We're excited to see you there, and we'll be presenting a panel giving an update on our work since Dublin and our plans for the coming months.

Drupal.org updates

Project application revamp

As we announced in mid-March, new contributors on Drupal.org can now create full projects and releases! Contributors no longer have to wait in the project application queue for a manual review before they are able to contribute projects.

This is a very significant change in the Drupal contribution landscape, and it's something we approached carefully and will continue to monitor over the coming months. Drupal has always had a reputation for high-quality code, and we want to make sure that reputation is preserved with good security signals, project quality signals, and continued incentives for peer code review.

That said, we're very excited to see how this change opens up Drupal to a wider audience of contributors.

Please note that the removal of project applications to create full projects and releases means a change in the security advisory policy (see below for details).

Security Advisory Opt-in and new Security Signals for Projects
Are you responsible for the security of your clients' Drupal sites?

Please note that Drupal's security advisory coverage policy has changed. Security advisory coverage for contributed projects is now only available for projects that have both opted in to receive coverage and made a stable release. You can see which projects have opted in by checking their project pages. If you have questions, please contact security@drupal.org.

Because users may now create full projects and releases without opting in to security advisory coverage, it's critically important that we provide good security signals to users evaluating projects on Drupal.org. This is why we've added a security coverage warning to projects that aren't opted in to coverage.

We've also:

2017 Community Elections Update

The 2017 elections for the community-at-large seat on the board were held successfully in March. Drupal Association community board elections are conducted with the Instant Runoff Voting system. This voting methodology requires that voters rank their preferred candidates on their ballot, and we've heard that this system has been somewhat unwieldy in the past.

Each year we try to improve the voter experience and so this year we deployed a new drag-and-drop ballot.

Drag and Drop Ballot

Finally, we want to congratulate our newest board member Ryan Szrama!

Better international datetime support throughout Drupal.org

Drupal.org has grown organically over the course of more than a decade, and as features have been built out they were not always consistent in their display of datetime information. While it sometimes makes sense to have a few different formats for displaying date and time, many of the formats in use were simply arbitrary historical decisions.

As a quality of life improvement, especially for users outside of the USA, we've standardized the datetime format used on Drupal.org. That format is: DD MMM YYYY - hh:mm (UTC±h). For example: 11 Aug 2016 - 16:42 (UTC+8)

DrupalCI CSS Lint check style results


When we implemented coding standards testing in DrupalCI in February we were not able to add CSS Lint testing until the CSSLint configuration file in core was fixed. That issue was fixed in late February and so we added CSSLint to support coding standards testing for CSS at the beginning of March.

Cleaning up coding standards results

The addition of coding standards results to DrupalCI means that Drupal.org is now storing even more test data about the code we test on Drupal.org. Our initial implementation of coding standards testing did not include clean up of older results, and so to preserve database space and testing resources, we implemented some clean-up routines in March. In particular we are now:

  • Cleaning up all results for closed issues
  • For custom one-off tests, keeping results for 30 days to match what is shown on project’s automated testing tab
  • For tests triggered on a schedule or commit, keeping the most recent per-environment per-branch, and keeping anything less than 24h old
Infrastructure

Protecting Git services

We experienced some minor Git outages in March, due to malicious authentication attempts. To mitigate these issues in the future, we've implemented fail2ban rules to protect Git authentication. This should improve the stability and uptime of Git services for all developers on Drupal.org.

We want to thank Drupal.org infrastructure volunteer mlhess for his assistance with this.

Community Initiatives

Contrib Documentation Migration

New tools for Documentation have been available on Drupal.org for more than half a year. While most of the core documentation has been migrated to the new system, we are still encouraging Contrib maintainers to migrate their docs.

To make it easier for contrib project maintainers to migrate their documentation to the new documentation tools, we've made two improvements:

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Categories: Development News, Drupal

Drupal 8 core upcoming critical release PSA-2017-001

Drupal News - Mon, 04/17/2017 - 11:47
  • Advisory ID: DRUPAL-PSA-2017-001
  • Project: Drupal core
  • Version: 8.x
  • Date: 2017-Apr-17
Description

There will be a security release of Drupal 8.3.x and 8.2.x on April 19th 2017 between 17:00 and 18:00 UTC that will fix a critical vulnerability. While we don't normally provide security releases for unsupported minor releases, given the potential severity, we will provide an 8.2.x release that includes the fix for sites which have not had a chance to update to 8.3.0. The Drupal Security Team urges you to reserve time for core updates at that time because exploits are expected to be developed within hours or days. Security release announcements will appear at the standard announcement locations.

This vulnerability does not affect all Drupal 8 sites; it only affects sites with certain configurations. It requires authenticated user access to exploit. The security release announcement on April 19th 2017 will make it clear which configurations are affected. If this vulnerability affects your site, you will need to update. Please set aside time on Wednesday to look into this update.

Neither the Security Team, nor Security Team members, nor any Drupal-related company are able to release any more information about this vulnerability until the announcement is made in accordance with our security policies and responsible disclosure best practices.

We provide pre-release warnings when we believe the security risk is high and the steps to exploit are scriptable.

Drupal 7 core is not affected by this issue.

Contact and More Information

The Drupal security team can be reached at security at Drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity.

Categories: Development News, Drupal

ConFoo Vancouver 2017 Calling for Papers

PHP Announcements - Thu, 04/13/2017 - 15:58
Want to get your web development ideas in front of a live audience? The call for papers for the ConFoo Vancouver 2017 web developer conference is open! If you have a burning desire to hold forth about PHP, databases, JavaScript, or any other web development topics, we want to see your proposals. The window is open only from April 10 to May 8, 2017, so hurry. An added benefit: If your proposal is selected and you live outside of the Vancouver area, we will cover your travel and hotel. You’ll have 45 minutes for the talk, with 35 minutes for your topic and 10 minutes for Q&A. We can’t wait to see your proposals! Until the talks are picked, the price for the tickets will be at its lowest. Once the talks are announced, prices will go up. Check out the last conference to get an idea of what to expect.
Categories: Development News, PHP, PHP News

PHP 7.1.4 Released

PHP Announcements - Thu, 04/13/2017 - 12:12
The PHP development team announces the immediate availability of PHP 7.1.4. Several bugs have been fixed. All PHP 7.1 users are encouraged to upgrade to this version. For source downloads of PHP 7.1.4 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

PHP 7.0.18 Released

PHP Announcements - Thu, 04/13/2017 - 08:00
The PHP development team announces the immediate availability of PHP 7.0.18. Several bugs have been fixed. All PHP 7.0 users are encouraged to upgrade to this version. For source downloads of PHP 7.0.18 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

Media - Critical - 1.x branch unsupported - SA-CONTRIB-2017-042

Drupal Contributed Security - Wed, 04/12/2017 - 15:48
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-042
  • Project: Media (third-party module)
  • Date: 12-Apr-2017
Description

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a 3rd party site - it is commonly referred to as a 'file browser to the internet'.

Versions affected
  • Only the 1.x branch is affected. Version 2.0 does not have this vulnerability.

Drupal core is not affected. If you do not use the contributed Media module, there is nothing you need to do.

Solution

If you use the Media 1.x branch you should upgrade to version 2.0 or later.

See the Media 2.0 release notes for more information on how to upgrade (it's more complex than most contrib upgrades - for example, it involves other contrib modules moving from media_entity to file_entity)!

Also see the Media project page.

Reported by / Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Open Atrium - Moderately critical - Information Disclosure - SA-CONTRIB-2017-041

Drupal Contributed Security - Wed, 04/12/2017 - 14:01
Description

Open Atrium is a distribution that enables collaboration sites to be built. It contains several custom modules to provide various functionality. While content is often protected behind private groups, public content can also be shared. When using Open Atrium as an internal Intranet, this "public" content might be restricted to only logged in users by disabling anonymous access to the site.

The oa_core and oa_comment modules do not properly respect the "view published content" permission and allow anonymous users to view this "public" content regardless of the permission setting.

This only affects sites that have disabled the "view published content" permission for anonymous users, and only affects a small number of views.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Open Atrium distribution 7.x-2.x versions prior to 7.x-2.615
  • oa_core 7.x-2.x versions prior to 7.x-2.84.
  • oa_comment 7.x-2.x versions prior to 7.x-2.14.

Drupal core is not affected. If you do not use the contributed Open Atrium Core module, there is nothing you need to do.

Solution

Install the latest version of Open Atrium. Be sure to revert the following features:
oa_comments, oa_core, oa_news, oa_river, oa_section, oa_sections

Also see the Open Atrium project page.

Reported by / Fixed by / Coordinated by
  • Mike Potter, the distribution maintainer and member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


@Base - Critical - Unsupported - SA-CONTRIB-2017-040

Drupal Contributed Security - Wed, 04/12/2017 - 13:21
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-040
  • Project: @Base (third-party module)
  • Date: 2017-April-12
Description

Provides additional API for developers working with Drupal 7.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions.

Drupal core is not affected. If you do not use the contributed @Base module, there is nothing you need to do.

Solution

If you use the @Base module for Drupal you should uninstall it.

Also see the @Base project page.

Reported by / Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


Scheduler Workbench Integration - Critical - Unsupported - SA-CONTRIB-2017-39

Drupal Contributed Security - Wed, 04/12/2017 - 13:03
Updates

2017-04-14 - A new module maintainer has been found and a new release for this module has been published.

Description

Provides integration between the Scheduler module and the Workbench Moderation module.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Scheduler Workbench Integration module, there is nothing you need to do.

Solution

If you use the Scheduler Workbench Integration module for Drupal you should uninstall it.

Also see the Scheduler Workbench Integration project page.

Reported by / Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

References - Unsupported - SA-CONTRIB-2017-38

Drupal Contributed Security - Wed, 04/12/2017 - 12:54
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-38
  • Project: References (third-party module)
  • Date: 12-Apr-2017
Updates

2017-04-18 - This issue has been resolved with the release of References 7.x-2.2.

2017-04-14 - A potential new maintainer is working through the process of fixing the References module. When this is complete a new release will be published and this SA will be updated.

The specific details of the original vulnerability cannot be shared. While we also cannot promise a specific date for a fix, the Drupal Security team will work with the potential new maintainer to get this issue resolved as soon as possible.

Description

Please note that the security team will not release information on this vulnerability for up to a month; the recommendation is to migrate. Emails asking for details on the vulnerability will not be responded to. If you would like to maintain the module, please follow the directions below.

This project provides D7 versions of the 'node_reference' and 'user_reference' field types, that were part of the CCK package in D6, at functional parity with the D6 counterparts.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed References module, there is nothing you need to do.

Solution

If you use the References module for Drupal you should uninstall it.

Also see the References project page.

Notably, if you started with References and need to maintain equivalent functionality, we recommend reviewing the feature set of Entity Reference. If Entity Reference can work for you, there is a Reference to EntityReference Field Migration module that can assist in the transition.

Reported by / Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Filemaker Form - Critical - Unsupported - SA-CONTRIB-2017-37

Drupal Contributed Security - Wed, 04/12/2017 - 12:38
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-37
  • Project: Filemaker Form (third-party module)
  • Date: 12-Apr-2017
Description

Easily create forms in Drupal that submit data to Filemaker databases which are hosted on Filemaker Server.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Filemaker Form module, there is nothing you need to do.

Solution

If you use the Filemaker Form module for Drupal you should uninstall it.

Also see the Filemaker Form project page.

Reported by / Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Legal - Critical - Unsupported - SA-CONTRIB-2017-36

Drupal Contributed Security - Wed, 04/12/2017 - 12:32
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-36
  • Project: Legal (third-party module)
  • Date: 12-Apr-2017
Description

Displays your Terms & Conditions to users who want to register, and requires that they accept the T&C before their registration is accepted.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Legal module, there is nothing you need to do.

Solution

If you use the Legal module for Drupal you should uninstall it.

Also see the Legal project page.

Reported by / Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Book access - Critical - Unsupported - SA-CONTRIB-2017-35

Drupal Contributed Security - Wed, 04/12/2017 - 12:25

  • Advisory ID: DRUPAL-SA-CONTRIB-2017-35
  • Project: Book access (third-party module)
  • Date: 12-Apr-2017
Description

This module alters the Book module's permissions model by letting you specify access/modify/delete rights on a per-book basis. Normally, the book-related permissions provided by Drupal core apply across all books; this module lets you drill down to granting specific users specific rights on specific books.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Book access module, there is nothing you need to do.

Solution

If you use the Book access module for Drupal you should uninstall it.

Also see the Book access project page.

Reported by / Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
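The advisories above all carry the same remedy (uninstall the module), so the first question for a site owner is whether any of the affected modules is still enabled. The following POSIX shell script is an added example, not part of the advisories or of any Drupal project: it reads a list of enabled module machine names and prints the ones covered by these advisories. It assumes the machine names `references`, `legal`, `book_access` and `filemaker_form` (the last is an assumption; confirm it on the project page) and an input of one machine name per line, such as Drush 8's `drush pm-list --type=module --status=enabled --format=list` produces (the Drush version is also an assumption). The sample input is constructed.

```shell
#!/bin/sh
# Added example: flag enabled Drupal modules that the security team marked
# unsupported in the advisories above. The machine names are assumptions
# derived from the project names; "filemaker_form" in particular should be
# confirmed against the project page before relying on it.
UNSUPPORTED="references filemaker_form legal book_access"

# Reads module machine names, one per line, on stdin and prints those that
# are on the unsupported list. Intended input (assumed, Drush 8):
#   drush pm-list --type=module --status=enabled --format=list
flag_unsupported_modules() {
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    # Surround both sides with spaces so "legal" cannot match "legal_extra".
    case " $UNSUPPORTED " in
      *" $name "*) echo "$name" ;;
    esac
  done
  return 0
}

# Constructed sample of an enabled-module list from a site that still runs
# two of the affected modules.
SAMPLE='block
book
book_access
entityreference
legal
node
views'

# Usage on a real site (assumed Drush 8 invocation):
#   drush pm-list --type=module --status=enabled --format=list | flag_unsupported_modules
# Here the constructed sample is piped in instead so the script runs offline.
printf '%s\n' "$SAMPLE" | flag_unsupported_modules
```

Each name the script prints is a module the advisories say to uninstall; an empty result means none of the four is enabled on that site.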

Technical Advisory Committee Update

Drupal News - Tue, 04/11/2017 - 13:12

In October of last year the Technical Advisory Committee was formed to evaluate options for the developer tools we use on Drupal.org. The TAC consists of Angie Byron, Moshe Weitzman, and Steve Francia, acting as advisors to Megan Sanicki, the Executive Director of the Drupal Association.

The TAC's mandate is to recommend a direction for the future of our tools on Drupal.org. Megan will evaluate this recommendation, make a decision, and prioritize that work in the development roadmap of the Drupal Association engineering team.

What is the motivation behind looking at our developer tools now?

Close followers of the Drupal project will have noticed a trend in the last several months. From Dries' announcement of easy upgrades forever, to the revamp of the project application process, to the discussion about making tools for site builders— there is a unifying theme: broadening the reach of Drupal.

This is the same motivation that underlies this evaluation of our developer tools, and defines the goals and constraints of this initiative:

  • Adopt a developer workflow that will be familiar to the millions of developers outside our community
  • Preserve those unique elements of how we collaborate that have made the Drupal project so successful
  • If possible, leverage an expert partner who will help keep our tooling up to date as open source collaboration tools continue to evolve

This means looking at a number of elements of the Drupal.org developer tool stack:

  • The underlying git service
  • How we tag and package releases
  • The contribution workflow (patch vs. pull request)
  • Project management workflows (the issue queues and tags)
  • CI integration
  • Maintainership
  • Project pages

If this looks like a tremendous undertaking - that's because it is. But there are some things we already know:

  • Drupal.org should continue to be the home of project pages
  • We should adopt a pull request workflow (and ideally we want to be able to continue to accept patches as well, at least in the interim)
  • We should move contrib projects to semver, following core's lead
  • We want to preserve our familiar understanding of maintainership
  • We want to avoid forked code and forked conversation
  • We want to ensure the security team still has the tools they need to provide their service to the community

We also know that whatever decision is made, these changes cannot happen all at once. We'll need to take a progressive approach to the implementation, and focus on the parts of the stack that need to change together, so that we don't bite off more than we can chew.

What options are being considered?

At this time, the technical advisory committee is considering three options as they prepare to make their recommendation. The options are: GitLab, which offers both self-hosted and SaaS options; GitHub, which has recently been adding long-requested new features; or continuing to evolve our custom-built tooling, perhaps via issue workspaces.

GitLab

GitLab is the up-and-comer among Git hosts. GitLab can be self hosted using either their community or enterprise editions, or repositories can be hosted at GitLab.com. Though they recently stumbled, they have been notably open and transparent about their efforts to build a leading collaboration platform.

GitLab is itself open source, and has just released its 9.0 edition. GitLab has aggressively pursued the latest in development tools and workflow features, including project management tools, a UI for merge conflict resolution with in-line commenting and cherry-picking, Docker registries for projects, integration with CI tools, and even Gitter, an IRC alternative for real-time collaboration.

GitHub

For quite some time, GitHub was the only real player in git repository hosting outside of rolling a custom solution (as we did for Drupal.org). Over the years it has become the home of many open source projects, and while most of those don't match the sheer scale of Drupal in terms of codebase size and number of contributors, there are certainly other major projects that have made their home there.

However, for all of its presence and longevity in the open source world, there are very few options for customizing its toolset for our needs, and we could no longer self-host our canonical repositories. The Drupal project would need to adapt to GitHub, rather than the other way around.

That said, in recent months, GitHub has been putting a strong focus on feature development, adding a number of new features including: automated licensing information, protected branches, and review requests.

Custom tooling

We also must consider that the tools we have now are what built Drupal into what it is today. A great deal of work has gone into our existing developer tools over the years, and we have some unique workflows that would have to be given up if we switched over to a tooling partner. An idea like the issue workspaces proposal would allow us to achieve the goal of modernizing our tools, and likely do so in a way that is better tailored to those unique things about the Drupal workflow that we may want to preserve. However, doubling down on building our own tooling would come at a cost of continuing to be unfamiliar to the outside development community, and dependent on an internal team's ability to keep up with the featureset of these larger players.

Each of these three options would be a compromise between reaching outward and creating familiarity, and looking inward to preserve the Drupal specific workflows that have brought the project to where it is today.

What have we learned so far?

The TAC has conducted their own internal evaluation of the options as well as worked with Drupal Association staff in a two day exploratory session at the end of last year. The primary focus was to identify and triage gaps between the different toolsets in the following areas:

  • Migration effort
  • Project management
  • Code workflow
  • Project handling
  • Testing
  • Git Back-end/Packaging
  • Integrations beyond tools

This initial study also looked at the impact of each option on Drupal community values, and some key risks associated with each.

What comes next?

The next step for the TAC is to make their formal recommendation to the Executive Director of the Drupal Association. At that point, she will direct staff to validate the recommendation by prototyping the recommended solution. Once the recommendation has been validated, Megan will make a final decision and prioritize the work to fully implement this option, relative to other Drupal Association imperatives.

In the comments below, we would love to hear from the community:

What aspects of the way the Drupal community collaborates are the most important to you? What workflow elements do you feel need to be preserved in the transition to any new tooling option?

Categories: Development News, Drupal

Drupal 8.3.0 is now available

Drupal News - Wed, 04/05/2017 - 18:03

Drupal 8.3.0, the third minor release of Drupal 8, is now available. With Drupal 8, we made significant changes in our release process, adopting semantic versioning and scheduled feature releases. This allows us to make extensive improvements to Drupal 8 in a timely fashion while still providing backwards compatibility.

Update: Drupal 8.3.1 is available and fixes a security vulnerability. You should update directly to 8.3.1 instead of 8.3.0.

What's new in Drupal 8.3.0?

This new version includes improvements to authoring experience, site administration, REST support, and a stable version of the BigPipe module. It also includes new experimental modules to abstract workflow functionality, to lay out content types differently (e.g. articles are two column vs. press releases are three column), and to provide a general layout API for contributed modules. Many smaller improvements for the experimental Content Moderation module are included as well. (Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.)

Download Drupal 8.3.1

New and improved content authoring

Drupal 8.3 ships with the updated CKEditor 4.6, which contains a host of improvements, including better paste from Word, and a new default skin that better matches Drupal's Seven administration theme. We've also added the AutoGrow plugin, to better utilize larger screen sizes.

CKEditor 4.6 with AutoGrow and new default skin.

Quick editing images now supports drag and drop.

Drag and drop image replacement

Site building and administrative improvements

Drupal 8.3 ships with a redesigned admin status report, to better surface important status messages for your site.

Redesigned status report page

Other incremental enhancements include:

  • The Views listing page is now standardized with other administrative listings.
  • The "Allowed HTML tags" input has been converted to a textarea, which significantly improves the usability of HTML filter configuration (and thereby makes it easier to configure filters securely.)
  • The Content and People overview pages' Views filters have been rearranged to match the column order of the listing, for more intuitive filtering.
  • Image fields are now limited to only accepting images, so that users on mobile clients are not offered a confusing and non-functional video upload option.

BigPipe for perceived performance

The Drupal 8 BigPipe module (now stable!) provides an advanced implementation of Facebook's BigPipe page rendering strategy, leading to greatly improved perceived performance for pages with dynamic, personalized, or uncacheable content. See the BigPipe documentation.

The core BigPipe improvements introduced in 8.3.0 are also utilized by the Sessionless BigPipe contributed module to use the same technique for serving the first (yet uncached) response to anonymous visitors.

Platform features for web services

Drupal 8.3 continues to expand Drupal's support for web services that benefit decoupled sites and applications, with bug fixes, improved responses, and new features. It is now possible to register users from the REST API, 403 responses now return a reason why access was denied, for greatly improved developer experience, and anonymous REST API performance has been increased by 60% when utilizing the internal page cache. The REST API also got a massive overhaul of its test coverage.

Experimental: Choose different form and view display layouts for your entity types

The new experimental Field Layout module provides the ability for site builders to rearrange fields on content types, block types, etc. into new regions, for both the form and display, on the same forms provided by the normal field user interface.

Field Layout also uses the new Layout Discovery module, which provides an API for modules or themes to register layouts as well as five common default layouts. By providing this API in core, we help make it possible for core and contributed layout solutions to be compatible with each other. The following contributed modules already have development versions that support the new API:

Drupal 8.3.0 Field Layout screens

Experimental: Content moderation improvements

The Content Moderation module included with Drupal 8.2.x is now accompanied by a more abstract Workflows module that took over the underlying workflow functionality and API. This allows additional modules to apply workflows that do not deal with content publication, such as for users or products. The Workflows module provides a user interface to package states with their transitions in a workflow, which Content Moderation can then apply to content, making configuration much easier.

There are several other smaller improvements. It is now possible to moderate non-translatable entity types, entity types without bundles, and any entity type that supports publishing (not just nodes). Moderation states are also reverted when revisions are reverted.

Workflow edit screens in Drupal 8.3.0

What does this mean to me?

Drupal 8 site owners

Update to 8.3.0 to continue receiving bug and security fixes. The next bugfix release (8.3.1) is scheduled for May 3, 2017.

Updating your site from 8.2.7 to 8.3.0 with update.php is exactly the same as updating from 8.2.6 to 8.2.7. Modules, themes, and translations may need small changes for this minor release, so test the update carefully before updating your production site.

Drupal 7 site owners

Drupal 7 is still fully supported and will continue to receive bug and security fixes throughout all minor releases of Drupal 8.

Most high-priority migrations from Drupal 7 to 8 are now available, but the migration path is still not complete, especially for multilingual sites, so you may encounter errors or missing migrations when you try to migrate. That said, since your Drupal 7 site can remain up and running while you test migrating into a new Drupal 8 site, you can help us stabilize the Drupal 7 to Drupal 8 migration path! Testing and bug reports from your real-world Drupal 7 sites will help us stabilize this functionality sooner for everyone. (Search the known issues.)

Drupal 6 site owners

Drupal 6 is not supported anymore. Create a Drupal 8 site and try migrating your data into it as soon as possible. Your Drupal 6 site can still remain up and running while you test migrating your Drupal 6 data into your new Drupal 8 site. Core now provides migrations for most Drupal 6 data, but the migrations of multilingual functionality, references, and dates in particular are not complete. If you find a new bug not covered by the known issues with the experimental Migrate module suite, your detailed bug report with steps to reproduce is a big help!

Translation, module, and theme contributors

Minor releases like Drupal 8.3.0 include backwards-compatible API additions for developers as well as new features. Read the 8.3.0 release notes for more details on the improvements for developers in this release.

Since minor releases are backwards-compatible, modules, themes, and translations that supported Drupal 8.2.x and Drupal 8.1.x will be compatible with 8.3.x as well. However, the new version does include some changes to strings, user interfaces, and internal APIs (as well as more significant changes to experimental modules). This means that some small updates may be required for your translations, modules, and themes. See the announcement of the 8.3.0 release candidate for more background information.

Categories: Development News, Drupal