Development News

Facebook Pull - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-011

Drupal Contributed Security - Wed, 02/08/2017 - 12:45
Description

This module enables you to add integration with Facebook API.

The module doesn't sufficiently sanitize incoming data from Facebook.

This vulnerability is mitigated by the fact that an attacker must be able to pass malicious code through the Facebook API, or alter Facebook's DNS and recreate the API endpoints.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Facebook Pull versions prior to 7.x-3.1.

Drupal core is not affected. If you do not use the contributed Facebook Pull module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Facebook Pull project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Storage API stream wrappers - Moderately Critical - Access bypass - SA-CONTRIB-2017-010

Drupal Contributed Security - Wed, 02/08/2017 - 12:27
Description

This module provides stream wrappers to integrate Storage API with Drupal, as an alternative to Storage API's core_bridge submodule.

It provides two stream wrappers: "Storage API Public" and "Storage API Private".

The "Storage API Private" stream wrapper does not sufficiently perform access control, allowing anonymous users to access private storage files.
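
The access check that a private stream wrapper has to make, shown as an added Drupal 7 illustration (this is not the Storage API stream wrappers module's own code). It assumes a private scheme registered as `storage-private` and a site permission named `access private storage files`; both names are hypothetical, as is the module prefix `example_storage`.

```php
<?php
/**
 * Added illustration, not the Storage API stream wrappers module's code.
 * Assumptions (hypothetical): the private wrapper's scheme is
 * "storage-private" and the site defines the permission
 * "access private storage files".
 */

/**
 * Implements hook_file_download().
 *
 * Drupal 7 core serves non-public schemes through file_download(), which asks
 * every module via this hook. Returning -1 denies the request (403), returning
 * an array of headers serves the file, and returning nothing leaves the
 * decision to other modules (core answers 404 if nobody claims the file).
 * A wrapper that registers a private scheme but never denies here is exactly
 * the access-bypass pattern the advisory describes.
 */
function example_storage_file_download($uri) {
  // Only answer for our own scheme; other wrappers are someone else's job.
  if (file_uri_scheme($uri) !== 'storage-private') {
    return NULL;
  }

  // The missing check: without it anonymous users receive the file.
  if (!user_access('access private storage files')) {
    return -1;
  }

  return array(
    'Content-Type' => file_get_mimetype($uri),
    'Content-Length' => filesize($uri),
    // Serve as a download rather than rendering untrusted uploads inline.
    'Content-Disposition' => 'attachment; filename="' . drupal_basename($uri) . '"',
  );
}
```

A quick verification after updating: request a private file's `system/files/...` URL while logged out; the response must be a 403 page, not the file body.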

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Storage API stream wrappers 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Storage API stream wrappers module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Storage API stream wrappers project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Better Exposed Filters - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-009

Drupal Contributed Security - Wed, 02/01/2017 - 11:50
Description

The Better Exposed Filters module gives site builders more choices for rendering Views' exposed form elements.

The module does not sufficiently sanitize taxonomy term descriptions when the "Include the term description" option is selected.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".
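
An added Drupal 7 illustration of the unsafe and the sanitized way to build an exposed-filter label from a taxonomy term (this is not Better Exposed Filters' own code, and the `example_bef_*` function names are hypothetical). It assumes `$term` is a loaded taxonomy term object with the usual `name`, `description` and `format` properties.

```php
<?php
/**
 * Added illustration, not Better Exposed Filters code. Assumes a Drupal 7
 * site and a loaded taxonomy term object $term; function names are
 * hypothetical.
 */

// Vulnerable pattern: the stored description is concatenated into the label
// as-is, so any markup a term editor saved is echoed straight into the page.
function example_bef_label_unsafe($term, $include_description) {
  $label = $term->name;
  if ($include_description && !empty($term->description)) {
    $label .= ' - ' . $term->description;
  }
  return $label;
}

// Hardened pattern: sanitize each piece for the context it lands in.
//  - The name is plain text, so escape it with check_plain().
//  - The description carries a text format ($term->format), so render it
//    with check_markup(), which applies that format's filters (for
//    filtered_html that means the allowed-tag list) before output.
function example_bef_label_safe($term, $include_description) {
  $label = check_plain($term->name);
  if ($include_description && !empty($term->description)) {
    $format = !empty($term->format) ? $term->format : filter_fallback_format();
    $label .= ' - ' . check_markup($term->description, $format);
  }
  return $label;
}

// When the description goes into an attribute (a title="" tooltip, say),
// markup is never wanted there: strip tags first, then escape.
function example_bef_description_attribute($term) {
  return check_plain(strip_tags($term->description));
}
```

Note the remaining exposure even with the hardened version: a user holding "administer taxonomy" can choose whichever text format the site grants them, so the output is only as safe as that format's filter list. That is why the advisory treats the permission requirement as a mitigation rather than a fix.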

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Better Exposed Filters 7.x-3.x versions prior to 7.x-3.4.

Drupal core is not affected. If you do not use the contributed Better Exposed Filters module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Better Exposed Filters project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

2017 Community Board Election Begins 1 February

Drupal News - Fri, 01/27/2017 - 16:11

Now that Drupal 8 is a year old, it is an exciting time to be on the Drupal Association Board. With Drupal always evolving, the Association must evolve with it so we can continue providing the right kind of support. And, it is the Drupal Association Board who develops the Association’s strategic direction by engaging in discussions around a number of strategic topics throughout their term. As a community member, you can be part of this important process by becoming an At-large Board Member.

We have two At-large positions on the Association Board of Directors. These positions are self-nominated and then elected by the community. Simply put, the At-large Director position is designed to ensure there is community representation on the Drupal Association Board. If you are interested in helping shape the future of the Drupal Association, we encourage you to read this post and nominate yourself between 1 February and 19 February 2017.

How do nominations and elections work?
Specifics of the election mechanics were decided through a community-based process in 2012 with participation by dozens of Drupal community members. More details can be found in the proposal that was approved by the Drupal Association Board in 2012 and adapted for use this year.

What does the Drupal Association Board do?
The Board of Directors of the Drupal Association are responsible for financial oversight and setting the strategic direction for serving the Drupal Association’s mission, which we achieve through Drupal.org and DrupalCon. Our mission is: Drupal powers the best of the Web.  The Drupal Association unites a global open source community to build and promote Drupal.

New board members will contribute to the strategic direction of the Drupal Association. Board members are advised of, but not responsible for matters related to the day-to-day operations of the Drupal Association, including program execution, staffing, etc.

Directors are expected to contribute around five hours per month and attend three in-person meetings per year (financial assistance is available if required).

Association board members, like all board members for US-based organizations, have three legal obligations: duty of care, duty of loyalty, and duty of obedience. In addition to these legal obligations, there is a lot of practical work that the board undertakes. These generally fall under the fiduciary responsibilities and include:

  • Overseeing Financial Performance
  • Setting Strategy
  • Setting and Reviewing Legal Policies
  • Fundraising
  • Managing the Executive Director

To accomplish all this, the board comes together three times a year during two-day retreats. These usually coincide with the North American and European DrupalCons as well as one February meeting. As a board member, you should expect to spend a minimum of five hours a month on board activities.

Some of the topics that will be discussed over the next year or two are:

  • Strengthening Drupal Association’s sustainability
  • Understanding what the Project needs to move forward and determine how the Association can help meet those needs through Drupal.org and DrupalCon
  • Growing Drupal adoption through our own channels and partner channels
  • Developing the strategic direction for DrupalCon and Drupal.org
  • And more!

Please watch this video to learn more.

Who can run?
There are no restrictions on who can run, and only self-nominations are accepted.

Before self-nominating, we want candidates to understand what is expected of board members and what types of topics they will discuss during their term. That is why we now require candidates to:

What will I need to do during the elections?
During the elections, members of the Drupal community will ask questions of candidates. You can post comments on candidate profiles here on assoc.drupal.org and to the public Drupal Association group at http://groups.drupal.org/drupal-association.

In the past, we held group “meet the candidate” interviews. With 22 candidates last year, group videos didn’t allow each candidate to properly express themselves. This year, we will replace the group interview and allow candidates to create their own 3 minute video and add it to their candidate profile page. These videos must be posted by 20 February, the Association will promote the videos to the community from 20 February through 4 March, 2017.

How do I run?
From 1 - 19 February, go here to nominate yourself.  If you are considering running, please read the entirety of this post, and then be prepared to complete the self-nomination form. This form will be open on 1 February, 2017 through 19 February, 2017 at midnight UTC. You'll be asked for some information about yourself and your interest in the Drupal Association Board. When the nominations close, your candidate profile will be published and available for Drupal community members to browse. Comments will be enabled, so please monitor your candidate profile so you can respond to questions from community members.

Reminder, you must review the materials listed above before completing your candidate profile:

Who can vote?
Voting is open to all individuals who have a Drupal.org account by the time nominations open and who have logged in at least once in the past year. If you meet these criteria, your account will be added to the voters list on association.drupal.org and you will have access to the voting.
To vote, you will rank candidates in order of your preference (1st, 2nd, 3rd, etc.). The results will be calculated using an "instant runoff" method. For an accessible explanation of how instant runoff vote tabulation works, see videos linked in this discussion.

Elections process
Voting will be held from 6 March, 2017 through 18 March, 2017. During this period, you can review and comment on candidate profiles on assoc.drupal.org and engage all candidates through posting to the Drupal Association group. Have questions? Please contact Drupal Association Executive Director, Megan Sanicki. Many thanks to nedjo for pioneering this process and documenting it so well!

Flickr photo: Clyde Robinson

Categories: Development News, Drupal

SalesCloud - Critical - Unsupported - SA-CONTRIB-2017-008

Drupal Contributed Security - Wed, 01/25/2017 - 14:21
Description

This module connects Drupal to SalesCloud's API, a Commerce Platform as a Service.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed salescloud module, there is nothing you need to do.

Solution

If you use the salescloud module for Drupal 7.x you should uninstall it.

Also see the salescloud project page.

Reported by Fixed by

Not applicable

Updates

2017-01-29

The maintainer of this project has released an update that fixes the issue. Install version 7.x-1.5

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Microblog - Critical - Unsupported - SA-CONTRIB-2017-007

Drupal Contributed Security - Wed, 01/25/2017 - 14:18
Description

This module enables microblogging on Drupal sites using it.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed microblog module, there is nothing you need to do.

Solution

If you use the microblog module for Drupal 7.x you should uninstall it.

Also see the microblog project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

OAuth - Less Critical - Access Bypass - SA-CONTRIB-2017-006

Drupal Contributed Security - Wed, 01/25/2017 - 14:14
Description

This module enables you to use the OAuth 1.0a protocol to authenticate requests.

The module does not implement the OAuth 1.0a security fix reported at https://oauth.net/advisories/2009-1/.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • OAuth 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed OAuth module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use the OAuth module for Drupal 7.x, upgrade to OAuth 7.x-3.3

Also see the OAuth project page.

Reported by Fixed by Coordinated by Changelog
  • 2017-01-25: Released the advisory as unsupported module.
  • 2017-01-25: Updated the advisory as the module is supported again and a security release was made.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

What’s new on Drupal.org? - December 2016

Drupal News - Tue, 01/24/2017 - 20:04

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

Our December update comes to you a bit later than our usual monthly posts, for all the usual practical reasons: holidays, vacations, and our staff retreat in early January. But also because we've been reflecting on the past year and planning for the year to come. You'll soon hear about our initiatives for 2017, but for now, let's dive into what we did in December.

Drupal.org updates

DrupalCon Baltimore

At the beginning of December we launched the full site for DrupalCon Baltimore, which is coming up April 24-28. For the first time, we launched the full event site including the call for papers, scholarship applications, and registration all on the same day.

Early bird pricing is available for a limited time, so we encourage you to register today.

Stable release of the Composer Façade

Drupal.org's support for Composer has been in development since the beginning of last year. We released the public alpha of our composer endpoints at DrupalCon New Orleans, and then entered beta over the course of this past summer. After a period of feedback, bug fixes, and further refinement with the help of core and contrib developers we announced the stable release of Drupal.org's composer support on December 21st.

We'd like to thank the following community members for their help with this initiative: seldeak, webflo, timmillwood, dixon_, badjava, cweagans, tstoeckler, and mile23. We'd also like to thank Appnovation for sponsoring our initial Composer support work.

Improved messaging for new users

One of the innovations of Drupal.org's online community that we introduced about 2 years ago, is the process by which new users get confirmed by trusted users. As a user of Drupal.org, you know that when you see a new user with a 'confirm' button under their user icon, you can check their recent activity and help confirm for us that they're a real user (not a bot or spammer who managed to slip through).

However, we received some feedback from recently registered users, that this process was too opaque. New users did not have enough guidance to understand that they can only perform a sub-set of site activities until another user confirms them.

After hearing this feedback, we spent some time in December improving the messaging to new users when they first sign up on Drupal.org, so they can better understand how to become confirmed.

DrupalCI refactored and updated to use composer

In December we also completed a refactor of DrupalCI and updated the testing system to use Composer when testing Drupal. This means we can now test projects with external Composer dependencies on Drupal.org. Other new features and bugfixes include: more available test artifacts; dependency changes can now be submitted in patches to composer.json; and the test runner produces a build file that can be downloaded and run locally to re-execute any test verbatim. There are more added features as well.

This work has continued into January, particularly around making more testing environments available, and adding new test types (such as code sniffer). Look for additional updates in the upcoming January report.

Special thanks to mile23 for collaborating with us on this work.

Jenkins upgraded to better manage our EC2 Instances

The cost of automated testing for the Drupal project is a significant expense for the Drupal Association. In December we updated Jenkins and several of the plugins that are used to orchestrate the creation and management of DrupalCI testbots, and now our enforcement of instance limits is much more reliable. In December this saved us nearly 50% on our testing bill, without a significant increase in testing wait times. In January we are projecting a similar savings.

The work of community member fabianX might also provide similar savings for the project, so we encourage contributors involved in core to help review: #2759197: [D7] Improve WebTestCase performance by 50% and #2747075: [meta] Improve WebTestCase / BrowserTestBase performance by 50%.

HTTP/2 Support enabled

HTTP/2 is the next generation network protocol that decreases latency in page loads by using better data compression, pipelining, and server push. In December we enabled HTTP/2 support for Drupal.org, improving performance for all users with modern browsers that support the standard.

Community Initiatives

Preparing for the Project Applications Revamp

In November the Drupal 8 User Guide went live, so in December we prepared for the next community initiative on our roadmap - the Project Application Revamp. Over the course of the last several months we've been doing pre-work around this initiative to ensure that the appropriate signals about security advisory coverage and recommended releases are provided on project pages. This pre-work will help ensure that Drupal users still have good signals to project quality, even as we open up the creation of full projects.

Initiatives need your help

Are you a Drupal.org power user who relies on Dreditor? Markcarver is currently leading the charge to port Dreditor features to Drupal.org, and invites anyone interested in contributing to join him in #dreditor on freenode IRC or the Dreditor GitHub.

Is the written word your domain? Consider putting your skills to use by becoming a maintainer of Drupal documentation. If you are a developer interested in contributing code to the new documentation system, please contact tvn.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects.

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Categories: Development News, Drupal

MySQL for IoT: How to Digest Volumes and Create Actionable Intelligence (16 Feb 2017)

MySQL Web Seminars - Mon, 01/23/2017 - 15:15

Data is proliferating. The Internet of Things fuels much of this growth, along with new data management challenges. The good news is that MySQL has solutions!

In this technical webinar, John will cover:

  • The challenges that IoT data presents to collection and analysis
  • How MySQL handles ingestion with both SQL and NoSQL interfaces
  • Using a fast JSON data type and integrating the JSON function into SQL
  • Scaling MySQL to handle IoT design requirements
  • Using MySQL for high-speed ingestion and real-time analytics
  • Integrating MySQL with Hadoop for ingestion and post map reduce analysis


Date and Time: Thursday, 16 Feb 2017, 09:00 US/Pacific
Categories: Development News, MySQL

Overcoming SaaS Data Challenges with MySQL (21 Feb 2017)

MySQL Web Seminars - Mon, 01/23/2017 - 15:14

As the leading open source database for Web-based applications, MySQL is extremely well suited to Software-as-a-Service (SaaS) and Cloud applications, used by leaders including Box, Dropbox, Zendesk and many others.

Join this webinar to learn:

  • How to scale your SaaS applications with MySQL replication
  • How to ensure business continuity with MySQL Group Replication and MySQL Router
  • How to sustain performance with MySQL Enterprise Monitor
  • How to prevent security breaches and help you ensure regulatory compliance
  • How to effectively manage database backups
  • How to do all of this more easily with MySQL Cloud Service by Oracle


Date and Time: Tuesday, 21 Feb 2017, 09:00 US/Pacific
Categories: Development News, MySQL

php[tek] 2017: Atlanta

PHP Announcements - Mon, 01/23/2017 - 09:25
We are excited to announce the full schedule for the 12th edition of php[tek] 2017, the longest running community focused PHP conference. This year it takes place from May 24-26 in Atlanta, GA. There is an amazing schedule that has been put together for you, including:

  • 4 Full-day Training Classes
  • 8 Hands-on Workshops
  • 40 Breakout Sessions
  • 6 Keynotes

This is all being provided by 40 different speakers from around the world, including speakers from companies like Slack, Oracle, MongoDB, Etsy, Rackspace, IBM, Salesforce, GitLab, AOL, and much much more. We sincerely look forward to seeing you in Atlanta this May! It's going to be the best php[tek] ever!
Categories: Development News, PHP, PHP News

PHP 5.6.30 Released

PHP Announcements - Thu, 01/19/2017 - 17:30
The PHP development team announces the immediate availability of PHP 5.6.30. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version. According to our release calendar, this PHP 5.6 version is the last planned release that contains regular bugfixes. All subsequent releases will contain only security-relevant fixes, for the term of two years. PHP 5.6 users that need further bugfixes are encouraged to upgrade to PHP 7. For source downloads of PHP 5.6.30 please visit our downloads page; Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

MySQL on Windows (21 Feb 2017)

MySQL Web Seminars - Thu, 01/19/2017 - 17:00

Join us in this webinar to learn how we have improved our server and auxiliary components to work with Microsoft Windows.

The webinar will give a clear understanding of why MySQL is so popular on Windows.



Date and Time: Tuesday, 21 Feb 2017, 12:30 Asia/Singapore
Categories: Development News, MySQL

PHP 7.0.15 Released

PHP Announcements - Thu, 01/19/2017 - 08:00
The PHP development team announces the immediate availability of PHP 7.0.15. This is a security release. Several security bugs were fixed in this release. All PHP 7.0 users are encouraged to upgrade to this version. For source downloads of PHP 7.0.15 please visit our downloads page; Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

PHP 7.1.1 Released

PHP Announcements - Thu, 01/19/2017 - 05:56
The PHP development team announces the immediate availability of PHP 7.1.1. Several bugs have been fixed. All PHP 7.1 users are encouraged to upgrade to this version. For source downloads of PHP 7.1.1 please visit our downloads page; Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

Nominations are now open for the 2017 Aaron Winborn Award

Drupal News - Tue, 01/17/2017 - 01:00

The Drupal Community Working Group is pleased to announce that nominations for the 2017 Aaron Winborn Award are now open. This annual award recognizes an individual who demonstrates personal integrity, kindness, and above-and-beyond commitment to the Drupal community. It will include a scholarship and stipend to attend DrupalCon and recognition in a plenary session at the event.

Nominations are open to not only well-known Drupal contributors, but also people who have made a big impact in their local or regional community. If you know of someone who has made a big difference to any number of people in our community, we want to hear about it.

This award was created in honor of long-time Drupal contributor Aaron Winborn, whose battle with Amyotrophic lateral sclerosis (ALS) (also referred to as Lou Gehrig's Disease) came to an end on March 24, 2015. Based on a suggestion by Hans Riemenschneider, the Community Working Group, with the support of the Drupal Association, launched the Aaron Winborn Award.

Nominations are open until March 1, 2017. A committee consisting of the Community Working Group members and past award winners will select a winner from the submissions. Members of this committee and previous winners are exempt from winning the award.

Previous winners of the award are:

  • 2015: Cathy Theys
  • 2016: Gábor Hojtsy

If you know someone amazing who should benefit from this award please nominate them at https://www.drupal.org/aaron-winborn-award

Categories: Development News, Drupal

Predictions for 2017

Drupal News - Sun, 01/15/2017 - 15:18

Like last year around this date, it is the time of year where we predict what the future will bring for Drupal. Will decoupled Drupal get a head start? Will chatbots be written in Drupal, will our tool fuel the Internet of Things, will the White House still run Drupal, and will there be an IPO of a Drupal company?

Time to put your predictions, deep thoughts and even deeper thoughts online, and post them as a comment here. And in case you lack inspiration, see the previous predictions for 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 and 2016.

Categories: Development News, Drupal

Recognizing more types of contribution in the Drupal.org Marketplace

Drupal News - Thu, 01/12/2017 - 16:56

Within weeks of introducing the contribution credit system on Drupal.org we realized we had created something powerful. Like all open source projects, Drupal has a behind-the-scenes economy of contribution in which individuals, organizations, and end users work together to maintain the software as a public good. That behind-the-scenes economy was brought to the fore when we chose to rank the Drupal Marketplace by issue credits. For the first time, Drupal.org gave businesses a direct financial incentive to contribute code.  

Being good stewards of these incentives is a sobering responsibility, but also a great opportunity. We can use this system to recognize the selfless effort of our community volunteers, to reward the organizations that sponsor their employees' time to give back to the project, and to connect end-users with the organizations that are the biggest contributors.

But as we often say in this community—contribution is more than code. It is the time provided by dedicated volunteers; the talent of community organizers, documentation maintainers, and developers; and the treasure provided by organizations that sponsor Drupal events and fund the operations and infrastructure that maintain the project.

What are we changing?

We’re updating the ranking algorithm for Drupal.org’s Marketplace of service providers and list of all organizations in the Drupal ecosystem. We've expanded on the issue credit system to create a more generic contribution credit system which lets us recognize more types of contribution. Each type of contribution is now weighted to give the organization an overall amount of contribution credit. We've built this system so that we can continuously evolve the incentives it creates by adjusting the weight given to each type of contribution as the project's needs change. To prevent gaming, we will not be publishing the exact weights or total contribution score, but those weights have been reviewed by the Association Board and Community Working Group.

We've carefully chosen a few new types of contribution to factor into the ranking. These were selected because they create incentives to reach specific goals: encouraging organizations to sponsor development of Drupal, gathering more Drupal 8 success stories that can be used to promote Drupal adoption, and recognizing the financial contributions that promote the fiscal health of the Drupal association.

We now calculate the following 4 types of contribution into overall contribution credit:

What about other types of contribution?

Of course, these new factors still don't include all types of contribution. This iteration aims to add measurable factors that reward the behavior of organizations that are good Drupal citizens, and incentivize some of the most important contributions that have a big impact in moving the project forward. But there are other factors we'd like to include in the future! We're keeping track of these additional kinds of contribution, such as sponsoring local user groups, organizing training days, writing documentation, and more, in this issue: #2649100: Improve contribution statistics on user and organization profiles.

There are two factors in particular that we are not yet including that we'd like to address.

The first is project application reviews. These reviews are a critical part of the lifecycle of a new project on Drupal.org, but because we are making the Project Application Revamp a key priority for the first part of 2017, this was not our focus in this initial update. We may revisit this factor as the Project Application Revamp initiative gets underway.

The second is camp organization. We know that there are many individuals and organizations who invest heavily in Drupal Camps, and this has been a critical part of the project's success. However, at this time our data about the individuals and organizations who participate in camp organization is purely self-reported, and therefore too vulnerable to manipulation to include in the algorithm at this time. In the future we hope we can find a responsible way to measure and credit this kind of contribution.

We’ll continue to look for other good factors to add, and do our best to weigh them fairly.

How often will the algorithm change? Who governs these changes?

As this is our first major change to the marketplace ranking system since the launch of issue credits, we may need to make some small adjustments in the first weeks following the launch. However, we know that too frequent changes to the incentive structure will be frustrating for the individuals and organizations who are contributing to the project. Therefore, after the initial tuning we intend to update the marketplace ranking system on a roughly 6 month cycle.

While the primary responsibility to manage the contribution credit system is ours, we have committed to vetting these and future changes with members of the Drupal Association Board and Community Working Group.

Categories: Development News, Drupal

Mailjet - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2017-005

Drupal Contributed Security - Wed, 01/11/2017 - 12:25
Description

The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc.

The Mailjet module included v5.2.8 of the PHPMailer library in its "includes" directory. Per PSA-2016-004, this version of the PHPMailer library was vulnerable to PHP code execution.

Per Drupal.org policy, 3rd party code should not be stored in drupal.org repositories.

Updating this module will require manual actions to replace the PHPMailer library as described in the README.txt file included in the release.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mailjet 7.x-2.x versions prior to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Install the latest version:

Also see the project page.

Reported by Fixed by Coordinated by Changelog
  • 2017-01-11: Initial release of the advisory.
  • 2017-01-25: Updated advisory to recommend the newer 7.x-2.10 release.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

OpenLucius - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-004

Drupal Contributed Security - Wed, 01/11/2017 - 12:23
Description

OpenLucius is a work management platform for social communication, documentation, and projects.

The distribution doesn't sufficiently use tokens when marking messages as read for users, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability.

The distribution does not sufficiently filter taxonomy term names before outputting them to HTML thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have permissions to insert malicious taxonomy terms.
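
How a token closes the CSRF hole in a "mark message as read" action, shown as an added Drupal 7 illustration (this is not OpenLucius code). The menu path, the permission, the `example_msg_*` function names and the `example_msg_status` table with its `mid`, `uid` and `is_read` columns are all hypothetical.

```php
<?php
/**
 * Added illustration, not OpenLucius code. Hypothetical: the menu path,
 * the permission name, the function names and the example_msg_status table.
 */

/**
 * Implements hook_menu().
 */
function example_msg_menu() {
  $items['messages/%/read'] = array(
    'page callback' => 'example_msg_mark_read',
    'page arguments' => array(1),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the "mark as read" link.
 *
 * drupal_get_token() derives the token from the current session id and the
 * site's private key, so a page under someone else's control cannot produce
 * a valid one for the victim. Binding the token to the message id also means
 * a token seen for one message is useless for any other.
 */
function example_msg_mark_read_link($message_id) {
  return l(t('Mark as read'), 'messages/' . $message_id . '/read', array(
    'query' => array('token' => drupal_get_token('example_msg_read_' . $message_id)),
  ));
}

/**
 * Menu callback for a state-changing action, so the token is mandatory.
 *
 * The vulnerable shape the advisory describes is this same callback without
 * the drupal_valid_token() check: it updates the row as soon as the URL is
 * hit, so the request can be triggered cross-site on the victim's behalf.
 */
function example_msg_mark_read($message_id) {
  global $user;
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_msg_read_' . $message_id)) {
    return MENU_ACCESS_DENIED;
  }
  db_update('example_msg_status')
    ->fields(array('is_read' => 1))
    ->condition('mid', (int) $message_id)
    ->condition('uid', $user->uid)
    ->execute();
  drupal_goto('messages');
}
```

If the action is exposed as a form instead of a link, Drupal's Form API adds and validates the `form_token` for authenticated users automatically, which is the simpler fix; the explicit token above is for the GET-link style of action the advisory concerns.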

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Openlucius 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed OpenLucius News module, there is nothing you need to do.

Solution

Install the latest version:

Also see the OpenLucius News project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
