Development News

ZendCon 2017 CFP Started

PHP Announcements - Mon, 03/13/2017 - 20:00
We are happy to announce the CFP for ZendCon 2017 has launched at https://cfp.zendcon.com where we will accept talk submissions until April 14th, 2017. With over 250 million PHP applications driven by a global community of more than 5 million active developers and all enterprises adopting open source software, ZendCon 2017 brings you a curated selection of the best experts, training, and networking opportunities to embrace this vast ecosystem. Take advantage of unique opportunities to attend a wide variety of in-depth technical sessions, participate in exhibit hall activities, and connect with experts. Learn about the best in enterprise PHP and open source development, focusing on the latest for PHP 7, the evolution of frameworks and tools, API excellence, and innovation on many open source technologies related to the web. Experience web development with the very best to accelerate great PHP. Come and enjoy ZendCon 2017 at the Hard Rock Hotel & Casino in Las Vegas.

Register now at http://www.zendcon.com/register-now
Categories: Development News, PHP, PHP News

DrupalCon Baltimore: Learn how to delight your customers

Drupal News - Mon, 03/13/2017 - 10:24

Join us at DrupalCon Baltimore from April 24-28 for a week of inspiration, networking, and learning. Meet Drupal experts and industry leaders who will share new ways to create digital experiences that delight customers, citizens, students, patients, and more.

The event offers programming for decision makers (CIO/Director) as well as digital teams (developers, project managers, site builders, content strategists). Be sure to check out these suggested sessions for both audiences.

Top Five Reasons To Attend DrupalCon
  • Get inspired! Hear Dries Buytaert’s vision for digital transformation and Drupal.
  • Network with peers at 4 industry summits and case study sessions on Bluecross Blueshield, Cornell University, Mass.gov, NBA, Quicken, YMCA, and more.
  • Level up your team's skill with 10 trainings and 161 sessions taught by Drupal masters.
  • Find solution partners. Visit the exhibit hall to meet Drupal’s robust vendor ecosystem.
  • Be Amazed. Meet the open source community that powers Drupal.

Register today. Prices increase March 24th. Attendees can come for the week or just for a day. Plus, the Baltimore Convention Center is easy to reach - just 30 minutes from Baltimore Washington Airport and 15 minutes from the Amtrak Station.

We look forward to seeing you at DrupalCon Baltimore!

Categories: Development News, Drupal

What’s new on Drupal.org? - February 2017

Drupal News - Thu, 03/09/2017 - 12:17

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

Drupal.org updates

Industry Pages Launched

After a great deal of preparation, user research, and content development we've launched the first three 'Drupal in your Industry' pages. These first three pages highlight the power of Drupal in Media and Publishing, Higher Education, and Government. Each of these pages uses geo-targeted content to reach audiences in: the Americas; Europe, the Middle East, and Africa; and the Asia Pacific, Australia and New Zealand regions.

These pages are targeted at evaluators of Drupal in these specific industries. From our research, we've found that these evaluators typically have Drupal on their short list of technology choices, but are not familiar with how a complete solution is built on Drupal, and they're eager to see success stories from their industry peers.

We'll be expanding on this initiative with additional industry pages as time goes on.

Project Application Revamp

In February we completed phases 1 and 2 of the Project Application Process Revamp. This has meant polishing up the security advisory coverage messages that are provided on project pages, adding a new field for vetted users to opt in to advisory coverage for their projects, and adding security advisory coverage information to the updates XML served from Drupal.org. With these issues complete we'll be able to move forward with Phase 3 (opening the project promotion gates) and Phase 4 (improving code quality signals and incentivizing peer review) as we roll into March.

[Author's note] The project application revamp hit a major milestone in early March with the completion of Phase 3. Any user who has accepted the git terms of service may now promote sandbox projects to full projects with releases, and the application process has been re-purposed for vetting users who want the ability to opt into security advisory coverage for their projects. Look for more information in our upcoming March post.

2017 Community Elections are Live

On February 1 we opened self-nominations for one of the two community-at-large seats on the Drupal Association Board of Directors. At the time of this post, self-nominations have closed and now it's time to vote!

Each year we make incremental improvements to the elections process. This year we've allowed each candidate to present a short 'statement of candidacy' video - and we've updated the ballot to allow easy drag-and-drop ranking of candidates.

Voting closes on March 18th, so make sure to vote soon!

Documentation polish, and new "call-out" templates

As the migration of content into the new documentation system continues, we've continued to polish and improve the tools. In February we made a few small improvements including: help text for maintainers and fixes for links to the discuss page in email notifications. We also made one large improvement: Call-out templates for highlighting warning information or version-specific notes within a documentation page. These templates are available using the CKEditor Templates button when editing any documentation page.

The documentation editor may select from the 'Warning note' template, which will highlight cautionary information in a visually distinct orange section on the page, or the 'Version-specific note' template, which allows users to highlight information that may only be relevant to a specific minor release of Drupal.

Here are two examples of what the call-outs will look like to a documentation reader.

DrupalCI Coding standards testing


DrupalCI continues to accelerate the pace of Drupal development as we make the system more efficient and add new features. In February we enhanced the coding standards testing that was added to DrupalCI in January. Using PHP_CodeSniffer, ESLint, and CSSLint, coding standards results are available in the test results' Build Artifacts directory, including automatically generated patches to fix the issues found. We've also begun displaying summary information about coding standards testing on Drupal.org test results. Again, we'd like to thank community contributor mile23 for his work on this feature.

More useful error output

We also made DrupalCI's error output more detailed, to make it more immediately clear to developers what the issue with a particular patch might be. Developers will now see messages on the test result bubbles, for example a 'patch failed to apply' error rather than a generic 'CI error' message.

Community Initiatives

Contrib Documentation Migration

We want to continue to encourage Project maintainers to create documentation guides on their projects using the new documentation content types. Maintainers can then migrate their old documentation content into these new guides, or create new documentation pages. For more information about this process, please consult our guide to contrib documentation.

Help port Dreditor features to Drupal.org

Are you a Drupal.org power user who relies on Dreditor? Markcarver is currently leading the charge to port Dreditor features to Drupal.org, and invites anyone interested in contributing to join him in #dreditor on freenode IRC or the Dreditor GitHub.

Infrastructure

Special note: Drupal Association seeks Infrastructure Services vendor

We'd also like to announce a Request for Information. The Drupal Association seeks an infrastructure services vendor to help us manage the underlying infrastructure that supports Drupal.org, our sub-sites, and the services we maintain. Our internal engineering team will continue to manage the sites and services themselves, while this vendor will help us with systems administration, virtual machine management, monitoring and pager responsibilities, disaster recovery, etc.

For more details about this request for information, please see our post on the Association blog.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association. Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Categories: Development News, Drupal

PRLP - Critical - Access Bypass and Privilege Escalation - SA-CONTRIB-2017-030

Drupal Contributed Security - Wed, 03/08/2017 - 13:11
Description

This module adds a form on the password-reset landing page to allow changing the password of the user during the login process.

The module does not sufficiently validate all access tokens, which allows an attacker to change the password of any arbitrary user and gain access to their account.

In order to exploit this, the attacker must have an active account on the site.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • PRLP versions prior to 8.x-1.3

Drupal core is not affected. If you do not use the contributed Password Reset Landing Page (PRLP) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.3 (the latest 8.x release as of this advisory date).

Also see the Password Reset Landing Page (PRLP) project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


Services - Highly Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029

Drupal Contributed Security - Wed, 03/08/2017 - 11:39
Description

This module provides a standardized solution for building APIs so that external clients can communicate with Drupal.

The module accepts user submitted data in PHP's serialization format ("Content-Type: application/vnd.php.serialized") which can lead to arbitrary remote code execution.

This vulnerability is mitigated by the fact that an attacker must know your Service Endpoint's path, and the Service Endpoint must have "application/vnd.php.serialized" enabled as a request parser. The module does not create endpoints by default, however the "application/vnd.php.serialized" request parser is enabled by default on any endpoints created by a site builder.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Services 7.x-3.x versions prior to 7.x-3.19.

Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.

Solution

Install the latest version:

You may disable "application/vnd.php.serialized" under "Request parsing" in Drupal to prevent the exploit: /admin/structure/services/list/[my-endpoint]/server

However, installing the latest version of the Services module is highly recommended.
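As an added example (not code from the Services module), the following PHP sketches the Content-Type-keyed request-parser registry the advisory describes: the weak default that maps application/vnd.php.serialized to unserialize() beside a hardened registry with that media type removed, which is what disabling the parser under "Request parsing" achieves. The class and function names are assumptions.

```php
<?php
// Added example, not the Services module's own code. Names are assumptions.
declare(strict_types=1);

final class RequestParsers
{
    /** @var array<string, callable(string): mixed> keyed by lowercase media type */
    private array $parsers = [];

    public function register(string $contentType, callable $parser): void
    {
        $this->parsers[self::mediaType($contentType)] = $parser;
    }

    public function unregister(string $contentType): void
    {
        unset($this->parsers[self::mediaType($contentType)]);
    }

    public function supports(string $contentType): bool
    {
        return isset($this->parsers[self::mediaType($contentType)]);
    }

    /** Parse a request body, or throw if the media type is not enabled. */
    public function parse(string $contentType, string $body): mixed
    {
        $type = self::mediaType($contentType);
        if (!isset($this->parsers[$type])) {
            throw new UnexpectedValueException("Unsupported Content-Type: $type");
        }
        return ($this->parsers[$type])($body);
    }

    /** Strip parameters such as "; charset=utf-8" and normalise case. */
    private static function mediaType(string $header): string
    {
        return strtolower(trim(explode(';', $header, 2)[0]));
    }
}

// Weak configuration: mirrors the default the advisory describes for
// endpoints created before 7.x-3.19, where PHP's native serialization
// format is accepted from clients. unserialize() on attacker-controlled
// input can instantiate arbitrary classes, which is the code-execution risk.
function weakDefaults(): RequestParsers
{
    $p = new RequestParsers();
    $p->register('application/json',
        fn(string $b) => json_decode($b, true, 512, JSON_THROW_ON_ERROR));
    $p->register('application/vnd.php.serialized',
        fn(string $b) => unserialize($b));
    return $p;
}

// Hardened configuration: the serialized-format parser is removed, so such
// bodies are rejected before any deserialisation happens. Only a
// data-only format (JSON) remains enabled.
function hardenedDefaults(): RequestParsers
{
    $p = weakDefaults();
    $p->unregister('application/vnd.php.serialized');
    return $p;
}

// Constructed sample request bodies (benign content, for demonstration).
$jsonBody = '{"title":"Hello","status":1}';
$serializedBody = serialize(['title' => 'Hello', 'status' => 1]);

$weak = weakDefaults();
var_dump($weak->supports('application/vnd.php.serialized'));          // true
var_dump($weak->parse('application/vnd.php.serialized', $serializedBody));

$hardened = hardenedDefaults();
var_dump($hardened->supports('application/vnd.php.serialized'));      // false
var_dump($hardened->parse('application/json; charset=utf-8', $jsonBody));
try {
    $hardened->parse('application/vnd.php.serialized', $serializedBody);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL; // Unsupported Content-Type: application/vnd.php.serialized
}
```

The same check can be run against each endpoint's enabled parsers as an audit: any endpoint for which supports('application/vnd.php.serialized') is true still carries the exposure the advisory describes.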

Also see the Services project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Edited 2017 March 9th to add details about which elements of the vulnerability are default or not.


The full circle of Drupal adoption

Drupal News - Tue, 03/07/2017 - 20:04

The Engineering Team provides support to many community members and everyone at the Association. Every day, the team helps people who are at different stages of the Drupal adoption journey. As part of our membership campaign, we're taking a close look at how the team makes an impact throughout this cycle through the work to support a few different Association programs.

Industry Pages: convincing decision makers to adopt Drupal

The team played a key role in the Industry Pages project—from conception to execution. The industry pages help decision makers see how Drupal achieves the vision Dries set forth when he described Drupal as the platform for ambitious digital experiences.

The first three industry pages for media and publishing, higher education, and government are now on Drupal.org. These pages tell stories of success with Drupal for three verticals with geo-targeted content to show our global audience the solutions that are most meaningful to them. We plan to learn from this project and to expand into new verticals. By highlighting what Drupal can do for you, and connecting decision makers to service providers and industry peers, the industry pages are a powerful tool for leading the way to wider adoption.

Drupal Jobs: wider adoption leads to more career opportunities

The team is responsible for Drupal Jobs, the subsite dedicated to helping employers and job seekers connect for Drupal-related opportunities. Ever since Drupal Jobs launched in 2015, it has helped increase awareness of the Drupal project. As the pool of employers grows, so do the career opportunities. When more Drupal jobs are available, our ecosystem grows. Wider Drupal adoption becomes possible.

DrupalCon: Events site brings us full circle

DrupalCon unites our global community and people who want to know more about the project. On the Events site, the engineering team supports everyone—event organizers who post content, speakers who submit sessions, and attendees who register using Drupal Commerce and CoD. With a great UX on con sites and fun theme implementation, we show users what Drupal can do for you.

Around we go, thanks for coming along

As the adoption journey goes full circle and we see these efforts continue to help maintain and grow a strong ecosystem, we appreciate that you are coming along with us. To help sustain the work of the Drupal Association, join as a member. Thank you!

Categories: Development News, Drupal

It's Time To Vote - Community Elections

Drupal News - Mon, 03/06/2017 - 18:55

Voting is now open for the 2017 At-Large Board positions for the Drupal Association! If you haven't yet, check out the candidate profiles, including their short videos found on the profile pages. Get to know your candidates, and then get ready to vote.

Cast Your Vote!

How does voting work? Voting is open to all individuals who have a Drupal.org account by the time nominations open and who have logged in at least once in the past year.

To vote, you will rank candidates in order of your preference (1st, 2nd, 3rd, etc.). The results will be calculated using an "instant runoff" method. For an accessible explanation of how instant runoff vote tabulation works, see videos linked in this discussion.

Elections will be held from 6 March, 2017 through 18 March, 2017. During this period, you can review and comment on the candidate profiles.

Have questions? Please contact me: Megan Sanicki

Categories: Development News, Drupal

Conferência PHPRS 2017

PHP Announcements - Sat, 03/04/2017 - 15:33
An event for the PHP developer community of Rio Grande do Sul, focused on professional growth, exchange of experiences and networking, strengthening both the language and the local job market. It takes place from May 12 to 13, 2017, in Porto Alegre, RS, Brazil; the first day is devoted to workshops and the second to talks. See the schedule at http://conf.phprs.com.br/#schedule and register at http://conf.phprs.com.br/#tickets
Categories: Development News, PHP, PHP News

Saving time and money for the Drupal community

Drupal News - Thu, 03/02/2017 - 19:20

As you know, we've been highlighting the work of the Drupal Association Engineering Team during our membership campaign. Every day, this small team moves the needle forward so that we all have a better experience as users of Drupal.org. In this post, we explore how the team's recent work results in faster, less expensive Drupal development.

Helping Drupal development move faster with DrupalCI

DrupalCI testbots are the next generation of testing infrastructure for Drupal.org, funded by the Drupal Association and maintained by the Engineering team. For any project on the site, DrupalCI testing can be enabled from the Automated Testing link on the Project page. Every time a contribution to the Drupal project needs to be tested, DrupalCI spins up a testbot on AWS to test those changes. The DrupalCI testbots are helping Drupal contributors to test patches faster than ever before and they are more cost effective than our last generation testbots, both in price-per-test and in expense to maintain.

In recent months, we've added a number of new features including:

We're proud to say that our work on DrupalCI has increased the speed of Drupal development, saving time and money!

We'd also like to thank the volunteers who've helped us to bring this project to life: Mile23, jthorson, nick_schuch, dasrecht, ricardoamaro, mikey_p, chx, shyamala, webchick, and jhedstrom.

Want to keep up with the engineering team? Subscribe to change notifications so you can see ongoing improvements.

Making the greatest impact with member and donor funds with a leaner Drupal.org

Drupal.org is more portable and maintainable because of updates in 2016 that streamline our infrastructure. We've virtualized the majority of the infrastructure and standardized on Debian 8 images. We've also updated our configuration and user management from Puppet 3 + LDAP to Puppet 4 + Hiera. Dev sites are more robust and we can create staging and development environments faster than before.

All of this makes Drupal.org more cost-effective to run, easier to maintain, and increases our development velocity when we're working on new features to support the community. These efficiencies help to conserve membership and donor funds for other programs to help the Drupal community, like fiscal sponsorship for camps, and Community Cultivation Grants.

Improving developers' lives by supporting Composer workflows for Drupal

Composer is the de facto standard for managing dependencies in the PHP world. Over the course of 2016, the Drupal Association Engineering Team developed Composer endpoints for Drupal, allowing Drupal developers to use Composer to manage dependencies, and allowing PHP developers at large to manage Drupal as part of their larger PHP projects in this standard workflow.

Composer is a force multiplier for enterprise site owners and developers within the Drupal community and at large. By supporting Composer, we've further opened Drupal to the wider PHP community, thus bringing new people into the fold to contribute.

A big thanks to everyone who helped with Composer: Seldaek - the creator of Composer and Packagist.org, webflo - the creator and maintainer of http://packagist.drupal-composer.org, timmillwood, dixon_, badjava, cweagans, tstoeckler, mile23, and also Appnovation, who sponsored the initial development of Drupal.org's Composer endpoints.

A more secure home for the Drupal community

Keeping Drupal.org secure is also the responsibility of the Drupal Association Engineering Team (though we rely on some trusted volunteers to help - thanks, mlhess and basic!). From Heartbleed, to Dirty COW, to Cloudbleed - the team is always ready to respond when a vulnerability is disclosed. But the team is not just reactive - they also take proactive steps to keep Drupal.org and all our users' data safe. From ensuring that most of our servers are only reachable from each other on a back-end network, to putting in protections against DDoS attacks, to building anti-spam tools to prevent bad actors from registering accounts on the site, the Engineering Team is looking to prevent problems before they happen.

We'll keep at it, with your support

Every day, we're on call to keep Drupal.org running and improving. The list of small changes we make to have a big impact on your Drupal.org experience grows by the day. You can help sustain the work of the Drupal Association by joining as a member. Thank you!

Categories: Development News, Drupal

Breakpoint Panels - Critical - Unsupported - SA-CONTRIB-2017-028

Drupal Contributed Security - Wed, 03/01/2017 - 13:58
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-028
  • Project: breakpoint panels (third-party module)
  • Version: 7.x
  • Date: 2017-March-01
Description

Breakpoint panels adds a button to the Panels In-Place Editor for each pane. When selected, it will display checkboxes next to all of the breakpoints specified in that module's UI. Unchecking any of these will 'hide' the pane from that breakpoint.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed breakpoint panels module, there is nothing you need to do.

Solution

If you use the breakpoint panels module for Drupal 7.x you should uninstall it.

Also see the breakpoint panels project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal 8.3.0-rc1 is available for testing

Drupal News - Wed, 03/01/2017 - 12:50

The first release candidate for the upcoming Drupal 8.3.0 release is now available for testing. Drupal 8.3.0 is expected to be released April 5.

8.3.x includes new experimental modules for workflows, layout discovery and field layouts; raises stability of the BigPipe module to stable and the Migrate module to beta; and includes several REST, content moderation, authoring experience, performance, and testing improvements among other things. You can read a detailed list of improvements in the announcements of alpha1 and beta1.

What does this mean to me? For Drupal 8 site owners

The final bugfix release of 8.2.x has been released. A final security release window for 8.2.x is scheduled for March 15, but 8.2.x will receive no further releases following 8.3.0, and sites should prepare to update from 8.2.x to 8.3.x in order to continue getting bug and security fixes. Use update.php to update your 8.2.x sites to the 8.3.x series, just as you would to update from (e.g.) 8.2.4 to 8.2.5. You can use this release candidate to test the update. (Always back up your data before updating sites, and do not test updates in production.)

Drupal 8 release cycle diagram, showing the 8.3.x alpha/beta and RC phases beginning as 8.2.x nears its end in October, and 8.2.x support ending when 8.3.x is released.

For module and theme authors

Drupal 8.3.x is backwards-compatible with 8.2.x. However, it does include internal API changes and API changes to experimental modules, so some minor updates may be required. Review the change records for 8.3.x, and test modules and themes with the release candidate now.

For translators

Some text changes were made since Drupal 8.2.0. Localize.drupal.org automatically offers these new and modified strings for translation. Strings are frozen with the release candidate, so translators can now update translations.

For core developers

All outstanding issues filed against 8.2.x were automatically migrated to 8.3.x. Future bug reports should be targeted against the 8.3.x branch. 8.4.x will remain open for new development during the 8.3.x release candidate phase. For more information, see the release candidate phase announcement.

Your bug reports help make Drupal better!

Release candidates are a chance to identify bugs for the upcoming release, so help us by searching the issue queue for any bugs you find, and filing a new issue if your bug has not been reported yet.

Categories: Development News, Drupal

AES - Critical - Unsupported - SA-CONTRIB-2017-027

Drupal Contributed Security - Wed, 03/01/2017 - 11:50
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-027
  • Project: AES encryption (third-party module)
  • Version: 7.x, 8.x
  • Date: 2017-March-01
Description

This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm.

The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be possible. The maintainer has opted not to fix these weaknesses. See the Solution section for details on how to migrate to a supported and more secure AES encryption module.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of the AES module

Drupal core is not affected. If you do not use the contributed AES encryption module, there is nothing you need to do.

Solution

If you're using the AES module only because Drupal Remote Dashboard (DRD) and Drupal Remote Dashboard Server (DRD Server) depend on it, then update to the latest versions of DRD or DRD Server and disable the AES module -- those modules no longer depend on it.

In all other situations, you can replace the AES module with the Real AES module:

  • If you don't have a recent backup, make a backup of your site's database and codebase. Consider taking your site offline (e.g. using Drupal's maintenance mode) as some features may not work properly during this upgrade process.
  • Do NOT follow the normal uninstall process for the AES module. The uninstall process would delete your encryption key and make it impossible to recover your data! Instead, disable the module and delete the AES module directory without uninstalling the module.
  • Download and extract the latest release of Real AES.
  • Download and extract the latest release of Key.
  • Enable the Real AES, Key and AES compatibility modules.
  • Use the Key module to create a new 128-bit encryption key with the name "Real AES Key".
  • Clear all your Drupal caches.
  • Modules that depend on AES and store encrypted data will continue to function as normal. They should decrypt and re-encrypt any stored data. The Real AES module provides some functions from the AES module (such as aes_encrypt() and aes_decrypt()) which can decrypt using your old key, but will re-encrypt using the new key and more correct AES encryption.

More detailed instructions are available on the AES project page.

Also see the AES encryption project page.

Reported by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Location Map - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-026

Drupal Contributed Security - Wed, 03/01/2017 - 11:43
Description

This module enables you to display one simple location map via Google Maps.

The module doesn't sufficiently sanitize user input in the configuration text fields of the module (allows any tags and does not respect text format configuration).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer locationmap".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • locationmap 7.x-2.x versions prior to 7.x-2.4.

Drupal core is not affected. If you do not use the contributed Location Map module, there is nothing you need to do.

Solution

Install locationmap-7.x-2.4

Also see the Location Map project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Remember Me - Critical - Unsupported - SA-CONTRIB-2017-025

Drupal Contributed Security - Wed, 03/01/2017 - 11:34
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-025
  • Project: Remember Me (third-party module)
  • Version: 7.x
  • Date: 2017-March-01
Updates

2017-04-23 — This issue has been resolved with the release of remember_me 7.x-1.1

Description

Remember me is a module that allows users to check "Remember me" when logging in.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Remember Me module, there is nothing you need to do.

Solution

If you use the remember_me module for Drupal 7.x you should uninstall it.

Also see the remember_me project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

RestWS - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-024

Drupal Contributed Security - Wed, 03/01/2017 - 11:31
Description

RestWS makes Drupal Entity data available in a REST API.

The module doesn’t sufficiently check for access to properties when filtering queries.

This vulnerability is mitigated by the fact that an attacker must have a role that allows them to access an entity type with access-controlled properties, and the attacker can only query for the property being equal to a value they supply.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • restws 7.x-2.x versions prior to 7.x-2.7.

Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the restws 2.x module for Drupal 7.x, upgrade to restws 7.x-2.7

Also see the RESTful Web Services project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

New MySQL Enterprise Backup 4.1: Better Very Large Database Backup & Recovery and More! (23 Mar 2017)

MySQL Web Seminars - Mon, 02/27/2017 - 17:45

Large to very large databases pose additional and unique challenges. Learn how new MySQL Enterprise Backup capabilities can greatly improve the backup and recovery of all MySQL databases, but especially very large, multi-terabyte database backups.

Whether for disaster recovery or long term archival, whether backing up to disk, cloud or tape, whether sensitive data or not, MySQL Enterprise Backup 4.1 can provide big benefits – far faster, smaller, with less locking, shorter recovery times, and more.

Join MySQL Product Management Director, Mike Frank, to get an overview of MySQL Enterprise Backup, details on its new features, and real world examples of how to use them. Plus, you can get your MySQL backup questions answered with our online Q and A!

Date and Time: Thursday, 23 Mar 2017, 09:00 US/Pacific
Categories: Development News, MySQL

Analyze & Tune MySQL Queries for Better Performance (14 Mar 2017)

MySQL Web Seminars - Mon, 02/27/2017 - 17:41

SQL query performance plays a big role in application performance. If some queries execute slowly, these queries or the database schema may need tuning. Join Senior Oracle MySQL Engineer and query tuning expert, Øystein Grøvlen, to learn how to speed things up.

He will cover how the MySQL Optimizer chooses a specific plan to execute SQL queries and then will show you how to use tools such as EXPLAIN (including the JSON-based output) and Optimizer Trace to analyze query plans.

Øystein will also review how the Visual Explain functionality available in MySQL Workbench helps to visualize these plans. The webinar will contain several examples of how to use query analysis to improve performance of MySQL queries, and improve application performance.

Date and Time: Tuesday, 14 Mar 2017, 09:00 US/Pacific
Categories: Development News, MySQL

Meet the Drupal Association At-Large Board Member Candidates

Drupal News - Fri, 02/24/2017 - 17:59

Did you know you have a say in who is on the Drupal Association Board? Each year, the Drupal community votes in a member who serves two years on the board. It’s your chance to decide which community voice you want to represent you in discussions that set the strategic direction for the Drupal Association. Go here for more details.

Voting takes place from March 6 - March 18. Anyone who has a Drupal.org profile page and has logged in to their account in the last year is eligible to vote. This year, there are many candidates from around the world. Now it’s time for you to meet them.

Meet the candidates

We just concluded the phase where 13 candidates nominated themselves for the board seat. From now through March 4, 2017 we encourage you to check out each person’s candidate profile, where they explain which board discussion topics they are most passionate about and what perspectives they will bring to the board.

This year, we asked candidates to include a short video - a statement of candidacy - that summarizes why you should vote for them. Be sure to check them out. Videos are found in the candidate’s profile as well as here:

[Screenshot: candidate's profile page, with an arrow highlighting the video link]

What To Consider

When reviewing the candidates, it is helpful to know what the board is focusing on over the next year or two, so you can decide who can best represent you.

Here are the key topics the board will focus on.

  • Strengthening Drupal Association’s sustainability. The board discusses how the Association can improve its financial health while expanding its mission work.

  • Understanding what the Project needs to move forward and determining how the Association can help meet those needs through Drupal.org and DrupalCon.

  • Growing Drupal adoption through our own channels and partner channels.

  • Developing the strategic direction for DrupalCon and Drupal.org.

There are certain duties that a candidate must be able to perform as a board member. The three legal obligations are duty of care, duty of loyalty, and duty of obedience. In addition to these legal obligations, there is a lot of practical work that the board undertakes. These generally fall under the fiduciary responsibilities and include:

  • Overseeing Financial Performance

  • Setting Strategy

  • Setting and Reviewing Legal Policies

  • Fundraising

  • Managing the Executive Director

Hopefully providing this context gives you a helpful way to assess the candidates as you decide how to vote from March 6 - March 18.

We encourage you to ask the candidates questions. Use comments to leave a question on their candidate profile page.

Categories: Development News, Drupal

Madison PHP Conference 2017

PHP Announcements - Fri, 02/24/2017 - 12:59
Join us on Friday, September 22nd, 2017 for a full day of tutorials followed by three tracks of amazing talks on Saturday, September 23rd, 2017. Now in its fifth year, Madison PHP Conference in Madison, Wisconsin, USA focuses on PHP, related web technologies, and professional development - everything you need to energize your career. This event is organized by the locally-run Madison PHP user group and is designed to offer something for attendees at all skill levels. Madison PHP Conference 2017 will be two days of networking, learning, sharing, and great fun!

The Call for Papers will be open until April 30th, 2017. Madison PHP Conference offers reimbursement for travel and accommodations. To view the full speaker package and to submit a talk, please visit: http://cfp.madisonphpconference.com.

Have you ever thought about giving a talk at a user group or at a conference but weren't sure what to talk about? Weren't sure how to format your slides? Weren't sure where to even start? Learn some tips for finding a topic, creating your talk, and engaging your audience at our speaker's workshop:

Speaking at a Conference or User Group
Thursday, April 6, 2017 - 7:00 PM
RSVP: https://www.meetup.com/madisonphp/events/233865912/
Categories: Development News, PHP, PHP News

Doing our part for the community

Drupal News - Thu, 02/23/2017 - 13:25

The Drupal Association Engineering Team delivers value to all who are using, building, and developing Drupal. The team is tasked with keeping Drupal.org and all of the 20 subsites and services up and running. Their work would not be possible without the community and the project would not thrive without close collaboration. This is why we are running a membership campaign all about the engineering team. These are a few of the recent projects where engineering team + community = win!

Want to hear more about the work of the team, rather than read about it? Check out this video from 11:15-22:00 where Tim Lehnen (@hestenet) talks about the team's recent and current work.

Leading the Documentation System migration

We now have a new system for Documentation. These are guides Drupal developers and users need to effectively build and use Drupal. The new system replaces the book outline structure with a guides system, where a collection of pages with their own menu are maintained by the people who volunteer to keep the guides updated, focused, and relevant. Three years of work from the engineering team and community collaborators paid off. Content strategy, design, user research, implementation, usability testing and migration have brought this project to life.

[Screenshot: basic structure of a documentation page for the Drupal 8 "Creating Custom Modules" section]
Pages include code 'call-outs' for point-version specific information or warnings.

Thanks to the collaborators: 46 have signed up to be guide maintainers, the Documentation Working Group members (batigolix, LeeHunter, ifrik, eojthebrave), to tvn, and the many community members who write the docs!

Enabling Drupal contribution everywhere

Helping contributors is what we do best. Here are some recent highlights from the work we're doing to help the community:

Our project to help contributors currently in development is revamping the project applications process. More on this soon on our blog.

When a community need doesn't match our roadmap

We have a process for prioritizing community initiatives so we can still help contributors. Thanks to volunteers who have proposed and helped work on initiatives recently, we've supported the launch of the Drupal 8 User guide and the ongoing effort to bring Dreditor features into Drupal.org itself.  

Thanks to the collaborators: jhodgdon, eojthebrave, and the contributors to the user guide. Thanks also to markcarver for the Dreditor effort.

How to stay informed and support our work.

The change list and the Drupal.org roadmap help you to see what the board and staff have prioritized out of the many needs of the community.

You can help sustain the work of the Drupal Association by joining as a member. Thank you!

Categories: Development News, Drupal