Development News

Discover MySQL Cluster 7.5 (22 Mar 2017)

MySQL Web Seminars - Thu, 02/23/2017 - 00:34

MySQL Cluster powers the modern real-time web applications and provides the reliability of carrier-grade communications services. MySQL Cluster with its in-memory, ACID compliant, distributed data storage and online operations for scalability and agility of large scale user applications, has a wide variety of use cases and supports both native SQL and NoSQL.

Discover new features of MySQL Cluster 7.5 and learn how to deliver the next generation apps in a distributed, cost effective and innovative manner for high availability.



Date and Time: Wednesday, 22 Mar 2017, 12:30 Asia/Singapore
Categories: Development News, MySQL

DownloadFile - Critical - Unsupported - SA-CONTRIB-2017-023

Drupal Contributed Security - Wed, 02/22/2017 - 13:22
Description

DownloadFile is a module to direct download files or images.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed download file module, there is nothing you need to do.

Solution

If you use the download_file module for Drupal 7.x you should uninstall it.

Also see the download file project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Unpublished 404 - Critical - Unsupported - SA-CONTRIB-2017-021

Drupal Contributed Security - Wed, 02/22/2017 - 13:19
Description

The purpose of this module is to emit a 404 error when a user tries to access a unpublished pages.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed unpublished 404 module, there is nothing you need to do.

Solution

If you use the unpublished_404 module for Drupal 7.x you should uninstall it.

Also see the unpublished 404 project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Views - Moderately Critical - Access Bypass - SA-CONTRIB-2017-022

Drupal Contributed Security - Wed, 02/22/2017 - 13:18
Description

The Views module allows site builders to create listings of various data in the Drupal database.

The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permision to view it.

This is mitigated by the fact that a View must exist that lists Taxonomy Terms which contain private data. If all the data on Taxonomy Terms is public or there are no applicable Views, then your site is unaffected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • views 7.x-3.x versions prior to 7.x-3.15.

Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the views module for Drupal 7.x, upgrade to views 7.x-3.15

Also see the Views project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Timezone Detect - Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2017-020

Drupal Contributed Security - Wed, 02/22/2017 - 12:45
Description

This module enables sites to automatically detect and set user timezones via JavaScript.

The module does not sufficiently protect against Cross-Site Request Forgery (CSRF): an attacker could use this vulnerability to manipulate a user's timezone setting. The security implication of this issue depends on the site. It can range from minor annoyance to some level of a bigger bug on a site that relies on the timezone for some more important purpose.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Timezone Detect 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Timezone Detect module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Timezone Detect project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

CakeFest 2017 NYC, the Official CakePHP Conference

PHP Announcements - Tue, 02/21/2017 - 05:19
CakeFest is organized for developers, managers and interested newcomers alike. Bringing a world of unique skill and talent together in a celebration and learning environment around the worlds most popular PHP framework. Celebrating over eleven years of success in the PHP and web development community, CakePHP’s 2017 conference will be an event not to miss. With two workshop days (8th/9th June) as well as two jam-packed conference days (10th/11th June), this is an open source conference not to miss out on! CakeFest is on the lookout for sponsors - keen for more information? Contact us via CakeFest@cakephp.org for more! Are you a speaker looking for a new and interesting conference to speak at? CakeFest 2017 NYC is the place for you! A lot of things interest us, so why not come join in! CFP closes 15th March and Speakers will be announced before 31st March 2017 Tickets are selling fast, so you better grab yours while you still can!
Categories: Development News, PHP, PHP News

Drupal Association membership campaign: February 20 to March 8

Drupal News - Fri, 02/17/2017 - 14:51

Join as a member to keep Drupal.org thriving. Coffee cup with words We are happy to serve you. Drupal Association logo.Drupal.org is home of the Drupal project and the Drupal community. It has been continuously operating since 2001. The Engineering Team— along with amazing community webmasters— keeps Drupal.org alive and well. As we launch the first membership campaign of 2017, our story is all about this small and productive team.

Join us as we celebrate all that the engineering team has accomplished. From helping grow Drupal adoption, to enabling contribution; improving infrastructure to making development faster. The team does a lot of good for the community, the project, and Drupal.org.

Check out some of their accomplishments and if you aren't yet a Drupal Association member, join us! Help us continue the work needed to make Drupal.org better, every day.

Share these stories with others - now until our membership drive ends on March 8.

Facebook logoShare

Twitter logoTweet

LinkedIn logoShare

Thank you for supporting our work!

Categories: Development News, Drupal

PHP 7.1.2 Released

PHP Announcements - Fri, 02/17/2017 - 02:00
The PHP development team announces the immediate availability of PHP 7.1.2. Several bugs have been fixed. All PHP 7.1 users are encouraged to upgrade to this version. For source downloads of PHP 7.1.2 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

PHP 7.0.16 Released

PHP Announcements - Thu, 02/16/2017 - 08:00
The PHP development team announces the immediate availability of PHP 7.0.16. Several bugs have been fixed. All PHP 7.0 users are encouraged to upgrade to this version. For source downloads of PHP 7.0.16 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

Metatag -Moderately Critical - Information disclosure - SA-CONTRIB-2017-019

Drupal Contributed Security - Wed, 02/15/2017 - 13:21
Description

This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks.

The module doesn't sufficiently protect against data being cached that might contain information related to a specific user.

This vulnerability is mitigated by the fact that a site must have a page with sensitive data in the page title that varies per logged in user.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Metatag 7.x-1.x versions prior to 7.x-1.21.

Drupal core is not affected. If you do not use the contributed Metatag module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Metatag project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

RESTful - Moderately Critical - Access Bypass - SA-CONTRIB-2017-018

Drupal Contributed Security - Wed, 02/15/2017 - 12:55
Description

This module enables you to build a RESTful API for your Drupal site.

The restful_token_auth module (a sub-module) doesn't validate the status of users when logging them in. This results in a blocked user being able to operate normally with the RESTful actions, even after being blocked.

This vulnerability is mitigated by the fact that an attacker must be in possession of the credentials of a previously blocked user. It is also mitigated by the attacker only will have the access corresponding to the roles of the blocked user. Finally this only affects sites that use the sub-module, restful_token_auth.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • RESTful 7.x-1.x versions prior to 7.x-1.8.
  • RESTful 7.x-2.x versions prior to 7.x-2.16.

Drupal core is not affected. If you do not use the contributed RESTful module, there is nothing you need to do.

Solution

Install the latest version:

Also see the RESTful project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Flag clear - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-017

Drupal Contributed Security - Wed, 02/15/2017 - 12:42
Description

The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own.

The module doesn't sufficiently protect from CSRF attacks. The unflagging links do not include a token.

This vulnerability is mitigated by the fact that an attacker must be targeting users with the 'clear flags' role. They must also discover a valid combination of flag, content and user IDs for flagged content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Flag clear module versions prior to 7.x-2.0.

Drupal core is not affected. If you do not use the contributed Flag clear module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Flag clear project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Search API Sorts - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-016

Drupal Contributed Security - Wed, 02/15/2017 - 12:30
Description

The Search API Sorts module allows the site administrator to configure custom sort options for their search results and expose the control interface via the core block system.

The module doesn't sufficiently sanitise the name of the sort option which is displayed to users.

This vulnerability is mitigated by the fact that an attacker must have a role with permission 'administer search_api'.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Search API Sorts 7.x-1.x versions prior to 7.x-1.7

Drupal core is not affected. If you do not use the contributed Search API sorts module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Search API sorts project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Hotjar - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-015

Drupal Contributed Security - Wed, 02/15/2017 - 12:19
Description

This module enables you to add the Hotjar tracking system to your website.

The module doesn't sufficiently sanitize the Hotjar ID when including tracking code.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer hotjar".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Hotjar 7.x-1.x versions before 7.x-1.2
  • Hotjar 8.x-1.x versions before 8.x-1.0

Drupal core is not affected. If you do not use the contributed Hotjar module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Hotjar module for Drupal 7.x upgrade to Hotjar 7.x-1.2
  • If you use the Hotjar module for Drupal 8.x upgrade to Hotjar 8.x-1.0

Also see the Hotjar project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

PHP Experience 2017

PHP Announcements - Tue, 02/14/2017 - 22:35
iMasters PHP Experience 2017 brings together about 1,200 PHP developers in São Paulo, for national and international lectures, workshops, community areas and various networking actions, divided into two days of great content. In 2017 taking place from March 27-28 in São Paulo - Brazil. Curatorship by PHPSP - São Paulo PHP User Group.
Categories: Development News, PHP, PHP News

Drupal.org Industry Pages Are Live!

Drupal News - Tue, 02/14/2017 - 19:30

Media Industry Page

We are excited to announce that the first three industry pages are now live on Drupal.org, highlighting the power of Drupal solutions in higher education, government and media/publishing. The pages are designed to quickly inform and inspire technical evaluators and connect them to service providers and technology vendors who can help them move further through their Drupal adoption journey.

The Drupal Association is incredibly proud to showcase the Drupal community’s innovation, creativity, and ability to solve end users’ challenging problems. More importantly, these pages are a resource that Drupal businesses can point to as they convince potential clients that Drupal is the right choice for them. We know this is a needed resource not only because Drupal agencies have asked for this, but because our user research was resoundingly positive. One government digital director said “I wish this was around when I was pitching my state CIO on Drupal”.

This launch is the first phase for this initiative. We will learn and iterate to keep improving the pages and we will expand the industries to include pages like healthcare, finance, ecommerce, and more.

The Research We Used

Building the industry pages was a community effort. Drupal Association staff framed the concept and then reached out to end-users of Drupal in these industries, service providers who've built solutions for these markets, and the community at large. We listened to all of you who shared your thoughts in the original blog post about this initiative.

We conducted user research, interviewing decision makers and influencers at end user organizations to make sure the pages resonated strongly with them. We talked to organizations like Weather.com, Burda Media, State of North Carolina, Georgia Technology Authority, Duke University, Cornell University - and more!

We also talked to people at agencies who pitch Drupal solutions all day long such as Acquia, Ashday, Blackmesh, Digital Echidna, FFW, Forum One, ImageX Media, Kwall, Lingotek, Lullabot, Palantir.net, Pantheon, and Phase2.

We will continue to take feedback from our global community. Our goal is to keep iterating on these industry pages as we learn more.

About The Pages

The industry pages are part of the About Drupal section and they are promoted from the Drupal.org front page. The homepage of Drupal.org receives about 350,000 visits a month, and about 50% of those visitors are new to Drupal.org The front page is primarily technical evaluators coming to learn more about Drupal and we see this as they click on our evaluator resources like About Drupal, TryDrupal, and Case Studies.

Based on user research, we know that before someone comes to the industry pages, they likely know that Drupal is an open source community-built CMS and their organization is leaning towards an open source solution. However, we did make sure the pages do not assume the visitor already knows what Drupal is, because some will find the page through search.

Another key feature is geo-targeting. Currently, we serve localized content for the Americas, EMEA, and AP/Australia/New Zealand regions. This allows us to showcase case studies that will resonate to visitors based on their location. For example, on the Americas page, we highlight the Department of Energy - a U.S federal agency. In EMEA, we highlight City of London - a UK city, and in AP/Australia/New Zealand we highlight the State Revenue Office of Victoria, Australia - a federal agency.  We took this approach because business owners at digital agencies from each region said that having localized brand names and case studies helps them convince their potential clients that Drupal is a viable option for them.

The Story We Are Telling

The story that the pages tell to visitors is:

  1. Drupal is the open source CMS of choice for this industry. Just look at the strong adoption rate, industry brand names, and their success stories.

  2. Build amazing Drupal solutions to solve problems related to your industry.

  3. Solutions are made up of Drupal and third party software and hosting solutions. Plus, you can use industry-specific distributions to accelerate your build.

  4. Because of Drupal’s extensibility and our robust ecosystem of third-party technology integrations, modules, Drupal hosting, and distributions, you can tailor a solution to solve your unique problems or create new opportunities. Check out some featured industry-specific vendors.

  5. Read case studies to learn how big names in your industry achieved business gains with a Drupal solution.

  6. These solutions were built by people at well-respected Drupal agencies who are top contributors to Drupal.

  7. If you want to talk to someone about creating a Drupal solution, fill out the form and all three will contact you.

  8. Want to meet your peers? Attend the industry summit at DrupalCon Baltimore.

For the Americas region we have secured partners for Drupal evaluators to reach out to discuss their industry needs. However, we have not yet secured agency and vendor sponsors for these pages. It takes a lot of work to line up those relationships and tee-up the content and we wanted to launch sooner than later so we could start learning how to optimize the pages. So for now, we've selected initial case study content for these regions, and we are promoting a link to the marketplace to show agencies who have industry experience in these regions. Over time, we will open up the opportunity for agencies to sponsor the pages similar to our approach in the Americas region.

Thank you to our sponsors

Contribution comes in three forms: Time, Talent, and Treasure. Many people shared their time and talent to help us create these pages for the community. We could not have built something of value without them. And, there were several companies who contributed treasure as well by investing financially to sponsor these pages. Those companies are: Acquia, Ashday, Blackmesh, Digital Echidna, FFW, Forum One, ImageX Media, Kwall, Lingotek, Lullabot, Palantir.net, Pantheon, and Phase2.

Because the industry pages give premier visibility and sponsorship is so limited, we wanted to be as fair as possible when opening up this sponsorship opportunity. As we say amongst staff, we want to “sell with a soul”. We decided to only sell these sponsorship opportunities to those who are top contributors. We looked at companies’ code contribution levels and how long they supported the Drupal Association financially and came up with an internal ranking system. Only those above a certain threshold were invited to sponsor.

This means that not only are these sponsors contributing time, talent, and treasure to this specific initiative, but they are long time contributors to the Project, helping Drupal thrive over time. It’s important to the Association that we highlight and reward good Drupal citizenship. When good Drupal citizens are doing well, we all do well. When successful, businesses can hire more Drupal talent and sponsor their contributions back to the Project. They can fund more camps and DrupalCon so we can unite and accelerate the Project in person, and they can fund Drupal.org hosting and engineers so the community can build the Project together online. We are thankful for our sponsors' generous giving and proud to work with them on this initiative.

We've created value together

We see this initiative as a great demonstration of serving our mission - “to unite the community to help them build and promote the software”. We united members from all facets of the community: end-users, service providers, and the community at large. The pages promote the software by showing that Drupal is a winning choice for evaluators in these key industries.

This project is a reflection of Drupal’s amazing spirit and culture of respecting diverse opinions, collaboration, and striving to do the best. Thank you to everyone involved in this project for working so well together, listening to each other’s different ideas, and finding ways to incorporate them so together we can build something amazing.

Categories: Development News, Drupal

What's new on Drupal.org? - January 2017

Drupal News - Tue, 02/14/2017 - 12:42

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

Drupal.org updates Recognizing more types of contribution in the Drupal.org Marketplace

We were very pleased to announce an expansion of the issue credit system into a broader contribution credit system which recognizes more than just code contributions for the purposes of ranking organizations in the marketplace.

We now calculate the following 4 types of contribution into overall contribution credit:

User research for the upcoming industry pages

In a previous blog post on Drupal.org, we talked about our increasing focus on the adoption journey and our plans to create industry specific landing pages on Drupal.org. In January we did extensive user research with people in media and publishing, higher education, and government, which will be the first industries we promote. We're hoping to launch these pages very soon, so keep an eye on the home page.

Preparing for community elections for the Drupal Association board

Elections

The elections process for the community seats on the Drupal Association board kicks off with self-nominations in February each year. This means that we dedicated some time in January to making small refinements and improvements to the nomination process. In particular we've added more in-context educational materials about the board to the self-nomination form, including a video by executive director Megan Sanicki. We've also refined our candidate questions to help candidates express their unique qualifications.

If you're interested in bringing your perspective to the Drupal Association board, please nominate yourself.

Membership history messaging

To make it easier for members to understand their membership history, we've added new messaging to the membership join and renew pages. Users who go to join or renew their Drupal Association membership will now see a message indicating their current membership expiration date, their last contribution amount, a link to contribute again, and their auto-renewal status.

Membership messaging

Migration of Drupal Association content to Drupal.org

Drupal Association

In January we also migrated the majority of content from assoc.drupal.org to a new section on Drupal.org itself. This effort is part of our larger content restructure initiative. By moving Drupal Association content into Drupal.org we hope to increase discoverability of information about the DA, and create a tighter integration between Drupal Association news and the front-page news feed.

DrupalCI Checkstyle results now available on the DrupalCI dispatcher

DrupalCI logo

Thanks to community member mile23, DrupalCI now supports automated code style testing. To see checkstyle results for any test on Drupal.org, click on the test result bubble and then click the 'view results' link to view the detailed test results on DrupalCI's jenkins dispatcher.

We're still gathering input and feedback for this initial release of the checkstyle feature, as we decide how to integrate the checkstyle results more tightly with Drupal.org. If you have feedback or suggestions please leave your comments in this issue: #1299710: [meta] Automate the coding-standards part of patch review.

Updated testing environments

DrupalCI supports testing code against a matrix of php and database versions. In January we updated the php environments that DrupalCI supports, so that you can test against the minimum supported versions or the latest point releases. Our 5.X containers have been upgraded to the latest version for each minor release (5.3.29, 5.4.45, 5.5.38, 5.6.29). The singular PHP 7 environment that we were using was following the 7.0.x branch of php7. This has now been expanded into four php 7 environments, 7.0 (7.0.14), 7.1 (7.1.0), 7.0.x, and 7.1.x.

The dev versions of php are primarily intended for Core to sense upstream changes to php before they become released, as our comprehensive test suite often finds unanticipated bugs in php7. Additionally some missing features in the php7 containers were added, specifically apcu.

Local testing improvements

DrupalCI has always supported local testing, in order to allow developers to test changes on their own machines. This is helpful for several reasons: it allows people to test on their own machines before triggering one of the DrupalCI test bots, it lets users troubleshoot failing tests, and it helps to eliminate the 'works on my machine' problem where code appears to work in a local environment, but fails on the test bots.

To make local testing even easier, DrupalCI now automatically generates a vagrant environment for local testing. To use this functionality simply clone the drupalci_testrunner.git repo and then run $ vagrant up from within the directory. Furthermore, DrupalCI can download a build.yml file from a dispatcher.drupalci.org url to replicate any test that has been run on Drupal.org. More information about this will be added to the DrupalCI documentation soon.

Adding test priority

DrupalCI runs thousands of tests of the Drupal codebase for core and contrib modules every month. These tests include commit and patch testing for the active development which may be occurring at any time day or night, as well as the hundreds of daily regression tests run for both core and contrib projects. To help make testing more responsive, we've added a notion of testing priority. When there is a queue of waiting tests, Drupal 8 core patch tests will take priority; followed by D8 branch tests; followed by D8 contrib tests; followed by Drupal 7 patch, branch, and contrib tests.

Community Initiatives Project Applications Revamp

Our primary community initiative priority for the first quarter of the new year is the Project Application Revamp. There are four phases to the revamp: 1) preserving security advisory coverage signals about projects, 2) transitioning security advisory coverage to an opt-in process, 3) opening the gates to allow any user to promote a project to full and create releases, 4) building new tools to incentivize code review and provide code quality signals on project pages. One of the changes we made as part of phase 1 was to adjust the way recommended releases are highlighted on Drupal.org project pages.

Contrib Documentation Migration

Project maintainers are now able to create documentation guides on their projects using the new documentation content types. Maintainers can then migrate their old documentation content into these new guides, or create new documentation pages. For more information about this process, please consult our guide to contrib documentation.

Help port Dreditor features to Drupal.org

Are you a Drupal.org power user who relies on Dreditor? Markcarver is currently leading the charge to port Dreditor features to Drupal.org, and invites anyone interested in contributing to join him in #dreditor on freenode IRC or the Dreditor GitHub.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects.

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Categories: Development News, Drupal

OSF for Drupal - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-014

Drupal Contributed Security - Wed, 02/08/2017 - 15:20
Description

This module enables administrators to use a user interface to create complex semantic queries that can be saved to be used in different locations of a Drupal instance that uses OSF.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • osf_querybuilder 7.x-3.3 versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed OSF for Drupal module, there is nothing you need to do.

Solution

Install the latest version:

Also see the OSF for Drupal project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Acquia Content Hub - Moderately Critical - Access Bypass - SA-CONTRIB-2017-013

Drupal Contributed Security - Wed, 02/08/2017 - 14:35
Description

The Acquia Content Hub module enables the distribution and discovery of content from any source using the Acquia Content Hub service.

The module allows rendering of any arbitrary entity, without performing the appropriate access check. Users browsing to a well crafted URL could access information they may not be authorized to view.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Acquia Content Hub 8.x-1.x versions prior to 8.x-1.4.

Drupal core is not affected. If you do not use the contributed Acquia Content Hub module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Acquia Content Hub project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Wetkit Omega - Moderately Critical - Access Bypass - SA-CONTRIB-2017-012

Drupal Contributed Security - Wed, 02/08/2017 - 13:00
Description

WetKit Omega 4.x is a modern, Sass and Compass enabled Drupal 7 theme powered by the Omega base theme.

When using the Drupal page cache, some links intended for privileged users can get cached and displayed to users who shouldn't have access to them.

This is mitigated by the fact that the unprivileged users won't be able to actually visit the links.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • wetkit_omega 7.x-1.x versions prior to 7.x-1.15.

Drupal core is not affected. If you do not use the contributed Web Experience Toolkit: Omega module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Web Experience Toolkit: Omega project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
Syndicate content