Development News

PHP 7.0.20 Released

PHP Announcements - Thu, 06/08/2017 - 08:00
The PHP development team announces the immediate availability of PHP 7.0.20. Several bugs have been fixed. All PHP 7.0 users are encouraged to upgrade to this version. For source downloads of PHP 7.0.20 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

China PHP Developer Conference

PHP Announcements - Tue, 06/06/2017 - 15:36
The China PHP Developer Conference, organized by DevLink, will be held in Beijing on June 10th and 11th. After “The High Performance PHP”, it is another global developer interchange activity that DevLink hosts. During this conference, we will discuss and share the topic of "The High Availability PHP". More information about the China PHP Conference is at: php2017.devlink.cn
Categories: Development News, PHP, PHP News

Getting Prepared: The Coming EU GDPR and MySQL (22 Jun 2017)

MySQL Web Seminars - Fri, 06/02/2017 - 16:54

The European Union General Data Protection Regulation or EU GDPR is now Europe’s most exacting Data Security regulation. It will come into full force on 25 May 2018.

"at which time those organizations in non-compliance will face heavy fines. The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location" (eugdpr.org).

GDPR focuses on:

  • Protection of personal data of EU-based individuals
  • Restrictions to movement of that data

In this webinar, we’ll focus on MySQL capabilities and features for the following core security areas: Assessment, Prevention, Detection and Recovery.



Date and Time: Thursday, 22 Jun 2017, 09:00 US/Pacific
Categories: Development News, MySQL

DrupalCon Vienna t-shirts are back! - but there’s a catch.

Drupal News - Fri, 06/02/2017 - 10:42

Remember how we are making changes to DrupalCon Europe? These were hard decisions and some things we love we found just weren’t financially viable. Like free t-shirts. But one thing we heard a lot was “please don’t take away the t-shirts!”  

We heard you. And while it doesn’t make financial sense to give free t-shirts to all attendees, we still want to be able to continue to offer them. So we’ve come up with a plan.   

At DrupalCon Vienna, t-shirts will be offered to the following groups:

  • Individual Drupal Association members who register for DrupalCon Vienna between 5 - 16 June 2017. You must register in this two week window AND be an individual member of the Drupal Association.

  • Volunteers who work at least four (4) hours onsite in Vienna 26 - 29 September. You must check the volunteer box during registration and must show up on site to volunteer for four (4) hours or until released by event staff.

  • Volunteers as part of the DrupalCon Program Team

  • Sprint Mentors

The fine print FAQ

I’m already a member, how do I make sure that I'll get a shirt?

If you are already an individual member, you get a t-shirt! BUT you MUST register in the first two weeks of ticket sales. Registrations after 16 June will not receive a t-shirt, member or not.

I’m not a member, can I do that during registration and still get a shirt?

Yes. If you are not a member you can become an individual member during your conference registration. You will be presented with a page during check-out that gives you the option to become a member.

I already registered but JUST saw this post! What do I do?

If you are a true early bird and register in the two weeks, but somehow missed this news post until after registering - that’s ok. As long as you become a member before the end of 16 June, you’ll still get a t-shirt.

The registration didn’t say anything about t-shirts or ask for my t-shirt size? What’s up?

After the 16 June cut-off date, eligible registrants will receive an email confirming their t-shirt along with a link to select their t-shirt size.

You got a session selected? Great!

We’ll refund your registration amount (but not your membership) and you get to keep the t-shirt. Our regular no-refund policy applies to all other sales.

You’re part of an organization that is buying a bulk amount of tickets for employees? Lucky you.

Your organization should provide you with an individual redemption code. You’ll need to redeem your individual registration before 16 June AND also be an individual member of the Drupal Association in order to get a t-shirt.

Categories: Development News, Drupal

LDAP - Critical - Data Injection - SA-CONTRIB-2017-052

Drupal Contributed Security - Wed, 05/31/2017 - 12:27
Description

The LDAP module does not sanitize user input correctly in several cases, allowing a user to modify parameters without restriction and inject data.

If the site administrator chooses to hide the email or password from the user form (instead of showing or disabling it under "Authorization"), these values can be overwritten.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • LDAP 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Lightweight Directory Access Protocol (LDAP) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the LDAP module for Drupal 7.x-2.x, upgrade to LDAP-7.x-2.2

Also see the Lightweight Directory Access Protocol (LDAP) project page.

Reported by Fixed by Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Site Verify - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-051

Drupal Contributed Security - Wed, 05/24/2017 - 12:37
Description

The Site Verify module enables privileged users to verify a site with services like Google Webmaster Tools using meta tags or file uploads.

The module doesn't sufficiently sanitize input or restrict uploads.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer site verify".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Site Verify 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Site verification module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Site verification project page.

Reported by Fixed by Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

What’s new on Drupal.org? - April 2017

Drupal News - Wed, 05/24/2017 - 11:20

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

At the end of April we joined the community at DrupalCon Baltimore. We met with many of you there, gave our update at the public board meeting, and hosted a panel detailing the last 6 months worth of changes on Drupal.org. If you weren't able to join us for this con, we hope to see you in Vienna!

Drupal.org updates

DrupalCon Vienna Full Site Launched!

Speaking of Vienna, in April we launched the full site for DrupalCon Vienna which will take place from September 26-29th, 2017. If you're going to join us in Europe you can book your hotel now, or submit a session. Registration for the event will be opening soon!

DrupalCon Nashville Announced with new DrupalCon Brand

Each year at DrupalCon the location of the next conference is held as a closely guarded secret; the topic of speculation, friendly bets, and web crawlers looking for 403 pages. Per tradition, at the closing session we unveiled the next location for DrupalCon North America - Nashville, TN taking place from April 9-13th in 2018. But this year there was an extra surprise.

We've unveiled the new brand for DrupalCon, which you will begin to see as the new consistent identity for the event from city to city and year to year. You'll still see the unique character of the city highlighted for each regional event, but with an overarching brand that creates a consistent voice for the event.

Starring Projects

Users on Drupal.org may now star their favorite projects - making it easier to find favorite modules and themes for future projects, and giving maintainers a new dimension of feedback to judge their project's popularity. Users can find a list of the projects they've starred on the user profile. Over time we'll begin to factor the number of stars into a project's ranking in search results.

At the same time that we made this change, we've also added a quick configuration for managing notification settings on a per-project basis. Users can opt to be notified of all issues for a project, only issues they've followed, or no issues. While these notification options have existed for some time, this new UI makes it easier than ever to control issue notifications in your inbox.

Project Browsing Improvements

One of the important functions of Drupal.org is to help Drupal site builders find the distributions, modules, and themes, that are the best fit for their needs. In April, we spent some time improving project browsing and discovery.

Search is now weighted by project usage so the most widely used modules for a given search phrase will be more likely to be the top result.

We've also added a filter to the project browsing pages to allow you to filter results by the presence of a supported, stable release. This should make it easier for site builders to sort out mature modules from those still in initial development.

Better visual separation of Documentation Guide description and contents

In response to user feedback, we've updated the visual display of Documentation Guides, to create a clearer distinction between the guide description text and the teaser text for the content within the guides.

Promoting hosting listings on the Download & Extend page

To leverage Drupal to the fullest requires a good hosting partner, and so we've begun promoting our hosting listings on the Download and Extend page. We want Drupal.org to provide every Drupal evaluator with all of the tools they need to achieve success—from the code itself, to professional services, to hosting, and more.

Composer Sub-tree splits of Drupal are now available

For developers using Composer to manage their projects, sub-tree splits of Drupal Core and Components are now available. This allows PHP developers to use components of Drupal in their projects, without having to depend on Drupal in its entirety.

DrupalCI Automatic Requeuing of Tests in the event of a CI Error

In the past, if the DrupalCI system encountered an error when attempting to run a test, the test would simply return a "CI error" message, and the user who submitted the test had to manually submit a new test. These errors would also cause the issues to be marked as 'Needs work' - potentially resetting the status of an otherwise RTBC issue.

We have updated Drupal.org's integration with DrupalCI so that instead of marking issues as needs work in the event of a CI Error, Drupal.org will instead automatically queue a retest.

Bugfix: Only retest one environment when running automatic RTBC retests

Finally, we've fixed a bug with the DrupalCI's automatic RTBC retest system. When Drupal HEAD changes, any RTBC patches are automatically retested to ensure that they still apply. It is only necessary to retest against the default or last-used test environment to ensure that the patch will work, but the automatic retests were being tested against every configured environment. We've fixed this issue, shortening queue times during a string of automatic retests and saving testing resources for the project.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Categories: Development News, Drupal

Custom Landing Page Builder - Unsupported - SA-CONTRIB-2017-050

Drupal Contributed Security - Wed, 05/24/2017 - 09:59
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-050
  • Project: landing_page (third-party module)
  • Date: 24-May-2017
Description

The Custom Landing Page Builder module allows webmasters to build custom landing pages using a WYSIWYG editor while still having full control over the full layout of the page including the header, navigation, page content, footer, forms etc.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed landing_page module, there is nothing you need to do.

Solution

If you use the landing_page module for Drupal you should uninstall it.

Also see the landing_page project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

The 5th Annual China PHP Conference

PHP Announcements - Mon, 05/22/2017 - 07:50
The 5th Annual China PHP Conference – June 17 to 18, Shanghai. We will be hosting a 2-day event filled with high quality, technical sessions about PHP Core, PHP High Performance, PHP Engineering, MySQL 5.7/8.0 and more. Don’t miss out on 2 great days of sessions, delicious food, fantastic shows and countless networking opportunities to engage with speakers and delegates. Go to www.phpconchina.com for tickets and more information.
Categories: Development News, PHP, PHP News

DevConf 2017

PHP Announcements - Thu, 05/18/2017 - 09:43
DevConf 2017 in Moscow, Russia on June 17-18. DevConf is the ultimate meeting place for Russian-speaking web-developers, combining several language-specific conferences under one roof. This year the conference will take place in Izmaylovo. DevConf 2017 will include the following sections:

  • DevConf::Backend();
  • DevConf::Frontend();
  • DevConf::Management();
  • DevConf::Storage();
  • DevConf::DevOps();

Special Events:

  • DevConf::YiiConf(); - June 16
  • Joomla Day - June 17

Each section will feature several talks from the active contributors/authors of the language. Among the invited speakers are Valentin Bartenev (NGINX), Ilya Gusev (PHP7.1), Dmitry Lenev (MySQL), Oleg Bartunov (Postgres), Ivan Panchenko (Postgres), Grigory Kochanov (Oracle), Vladimir Yldashev (Laravel), Anton Shramko (Rust), Konstantin Osipov (Tarantool), Andrey Trifanov (Lua), Ilya Alexeev (OpenStack), Ilya Klimov (VueJS), Alexey Pirogov (Haskell), Alexey Ohrimenko (Angular), Grigory Petrov (React VR), Adel Fayzrakhmanov (Toptal) and speakers from other companies. See more details on the official website.
Categories: Development News, PHP, PHP News

Display Suite - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-049

Drupal Contributed Security - Wed, 05/17/2017 - 12:37
Description

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.

In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability.

Versions affected
  • Display Suite 8.x-2.x versions prior to 8.x-2.7.
  • Display Suite 8.x-3.x versions prior to 8.x-3.0.

Drupal core is not affected. If you do not use the contributed Display Suite module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Display Suite project page.

Reported by Fixed by Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Bootstrap - Critical - Information Disclosure - SA-CONTRIB-2017-048

Drupal Contributed Security - Wed, 05/17/2017 - 12:32
Description

This theme enables you to bridge the gap between the Bootstrap Framework and Drupal.

The theme does not sufficiently exclude the submitted password value when an incorrect value has been submitted.

Versions affected
  • bootstrap 8.x-3.x versions prior to 8.x-3.5.

Drupal core is not affected. If you do not use the contributed Bootstrap module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Bootstrap project page.

Reported by Fixed by Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

php[world] 2017: Call for Speakers

PHP Announcements - Tue, 05/16/2017 - 18:08
The teams at php[architect] and One for All Events are excited to announce we have opened up our Call for Speakers for the 4th annual edition of php[world]. This year we are refactoring php[world] into a more focused PHP conference concentrating on providing our attendees deep-dive content which teaches core lessons about PHP. We also want talks covering advanced topics in applications and frameworks built in PHP (such as Drupal, WordPress, Laravel, Symfony, and Magento). We encourage submissions on technologies crucial to modern Web development such as HTML5, JavaScript, and emerging technologies. Ideas surrounding the entire software life cycle are often big hits for our attendees. Finally, we do welcome non-technical proposals that will appeal to a developer audience. This year it will be a 2-day conference with concurrent workshops, preceded by two days of training classes. We've also updated our comprehensive speaker's package this year to simplify it; we will be offering:

  • A free conference ticket
  • Round-trip economy airfare booked by us
  • Accommodations at the conference hotel: 3 nights for speakers & workshop presenters, 5 nights for training class teachers

Don't hesitate, the Call for Speakers is only open until June 23rd, 2017. So get those submissions in soon, we look forward to hearing from you!
Categories: Development News, PHP, PHP News

PHP 7.1.5 Released

PHP Announcements - Thu, 05/11/2017 - 13:44
The PHP development team announces the immediate availability of PHP 7.1.5. Several bugs have been fixed. All PHP 7.1 users are encouraged to upgrade to this version. For source downloads of PHP 7.1.5 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

PHP 7.0.19 Released

PHP Announcements - Thu, 05/11/2017 - 08:00
The PHP development team announces the immediate availability of PHP 7.0.19. Several bugs have been fixed. All PHP 7.0 users are encouraged to upgrade to this version. For source downloads of PHP 7.0.19 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

DRD Agent - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-047

Drupal Contributed Security - Wed, 05/10/2017 - 11:48
Description

The Drupal Remote Dashboard (DRD) module enables you to manage and monitor any remote Drupal site. This module, the DRD Agent, is the remote module which responds to requests from authorised DRD sites.

The module doesn't sufficiently protect the URL used to configure itself from CSRF attacks, which could allow a malicious user to craft a special URL that would reconfigure the DRD Agent and redirect to any URL if visited by an admin user.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • DRD Agent 7.x-3.x versions prior to 7.x-3.1.
  • DRD Agent 8.x-3.x versions prior to 8.x-3.1.

Drupal core is not affected. If you do not use the contributed DRD agent module, there is nothing you need to do.

Solution

Install the latest version:

Also see the DRD agent project page.

Reported by Fixed by Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal Remote Dashboard - Critical - Weak encryption keys - SA-CONTRIB-2017-046

Drupal Contributed Security - Wed, 05/10/2017 - 11:39
Description

UPDATE (2017-07-12): This SA originally only mentioned the Drupal 8 version of the module, but it was later discovered that this issue affected the Drupal 7 version as well. We've updated the SA for the Drupal 7 security release. Sorry for the confusion!

This module enables you to remotely access remote Drupal sites to monitor and manage them all from one central place.

The module doesn't sufficiently ensure that the system administrator uses a strong enough encryption key per the requirements of the encryption type. This leads to weak encryption for the communication between the management dashboard and the remote site, which could be decrypted by an adequately equipped attacker.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • DRD 8.x-3.x versions prior to 8.x-3.2.
  • DRD 7.x-2.x versions prior to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed Drupal Remote Dashboard module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the DRD module for Drupal 8.x, upgrade to DRD 8.x-3.2
  • If you use the DRD module for Drupal 7.x, upgrade to DRD 7.x-2.10

Also see the Drupal Remote Dashboard project page.

Reported by Fixed by Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Webform Multiple file upload - Moderately Critical - Access bypass - SA-CONTRIB-2017-045

Drupal Contributed Security - Wed, 05/10/2017 - 10:19
Description

This module enables you to upload multiple files at once in a webform.
The module doesn't sufficiently check access to file deletion urls.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit all or their own webform submissions.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • webform_multifile 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Webform Multiple File Upload module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform Multiple File Upload project page.

Reported by Fixed by Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Media - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-044

Drupal Contributed Security - Wed, 05/10/2017 - 08:52
Description

This module provides intuitive ways to manage large libraries of media, insert or display or import various types of media either through fields or a wysiwyg interface.

Versions of this module prior to 7.x-2.1 or 7.x-3.0-alpha5 did not sufficiently whitelist input parameters for the media browser.

This vulnerability in the versions of media prior to those aforementioned is mitigated by the fact that an attacker must have a role with the permission upload files and view media browser.

Versions affected
  • Media 7.x-2.x versions prior to 7.x-2.1.
  • Media 7.x-3.x versions prior to 7.x-3.0-alpha4.

Drupal core is not affected. If you do not use the contributed Media module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the media module, it is recommended to upgrade to media version 7.x-2.1 (stable) or to 7.x-3.0-alpha5 (cutting edge) or newer.

Also see the Media project page.

Reported by Fixed by Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

International PHP Conference 2017 Fall - Call for Papers

PHP Announcements - Tue, 05/09/2017 - 15:44
While we are eagerly waiting for IPC Spring and webinale to come in later May, we are already preparing for the fall edition of IPC this year. The conference's date is October 23rd to 27th and the location will be Munich again. We are looking forward to your submissions for workshops, sessions & keynotes. Please submit your proposals in English language. Please see our list below of topics which we'd love to see covered, but we are sure that you'll add also some extra stuff which is great and which we do not expect!

THE BASIC FACTS

  • Date: 23 - 27 October 2017
  • Location & Venue: Holiday Inn Munich City Centre
  • Deadline for submissions: June 9th 2017
  • URL for submissions: https://callforpapers.sandsmedia.com

Please see the spectrum of topics we’d like to see covered: PHP Development Core PHP/PHP 7 PHP Frameworks PHP Security Data Stores Testing & Quality Scaling Automated Testing Quality Web Architecture Software Architecture Microservices Web APIs & API Design RESTful Services DevOps Agile Methodologies Continuous Delivery/Deployment DevOps Server & Deployment Cloud & Infrastructure Docker & Co. Analytics & Monitoring Web Development Performance Security JavaScript/ECMAScript Angular, Node.js & React Responsive Web Design User Experience

We are looking forward to your exciting submissions! For further information on International PHP Conference’s sessions and speakers visit: www.phpconference.com
Categories: Development News, PHP, PHP News