Development News

PRLP - Critical - Access Bypass and Privilege Escalation - SA-CONTRIB-2017-030

Drupal Contributed Security - Wed, 03/08/2017 - 13:11

Description

This module adds a form to the password reset landing page that lets the user change their password during the login process.

The module does not sufficiently validate all access tokens, which allows an attacker to change the password of any arbitrary user and gain access to their account.

To exploit this vulnerability, the attacker must have an active account on the site.
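The advisory describes insufficient validation of the reset token rather than a specific code path. As an added example (not PRLP or Drupal core code), the block below shows the checks a password-reset landing form should apply before it changes any password: token expiry, constant-time comparison, and, above all, binding the token to the account actually being modified. The account store, site secret, timeout and every function name are constructed for this example.

```php
<?php
// Added example, not code from the PRLP module or Drupal core: the checks a
// password-reset landing form should apply before changing a password.
// The account store, site secret, timeout and all function names here are
// constructed for the example.
declare(strict_types=1);

// Assumed reset-link lifetime (one day).
const RESET_TIMEOUT = 86400;

// Constructed stand-in for the user table: uid => account fields.
$accounts = [
    7  => ['name' => 'alice', 'pass_hash' => '$2y$10$constructed-alice-hash', 'login' => 1488900000],
    42 => ['name' => 'bob',   'pass_hash' => '$2y$10$constructed-bob-hash',   'login' => 1488800000],
];

// The token is an HMAC over the account's current password hash and last
// login, so it stops working as soon as either changes or a new link is used.
function reset_token(array $account, int $timestamp, string $site_secret): string
{
    $data = $timestamp . ':' . $account['login'] . ':' . $account['pass_hash'];
    return hash_hmac('sha256', $data, $site_secret);
}

// Validate the (uid, timestamp, token) triple from a reset link against the
// account the form is about to modify. Returns null when the change may
// proceed, otherwise the reason for refusal.
function validate_reset(int $uid, int $timestamp, string $token, int $target_uid,
                        array $accounts, string $site_secret, int $now): ?string
{
    if (!isset($accounts[$uid])) {
        return 'unknown account';
    }
    if ($timestamp > $now) {
        return 'timestamp lies in the future';
    }
    if ($now - $timestamp > RESET_TIMEOUT) {
        return 'reset link has expired';
    }
    // The token only ever authorises a change to the account it was minted
    // for. A form that takes the target account from a separate, unchecked
    // parameter would let a valid token for one user change another user's
    // password, which is the outcome the advisory describes.
    if ($uid !== $target_uid) {
        return 'token was issued for a different account';
    }
    $expected = reset_token($accounts[$uid], $timestamp, $site_secret);
    // Constant-time comparison; PHP's == has type-juggling surprises on
    // hex strings such as hashes.
    if (!hash_equals($expected, $token)) {
        return 'token does not match';
    }
    return null;
}

// Usage with constructed values: a valid link for alice, the same link
// presented against bob's account, and an expired one.
$secret = 'constructed-site-secret';
$now    = 1488950000;
$ts     = $now - 600;
$token  = reset_token($accounts[7], $ts, $secret);

var_dump(validate_reset(7, $ts, $token, 7, $accounts, $secret, $now));
var_dump(validate_reset(7, $ts, $token, 42, $accounts, $secret, $now));
var_dump(validate_reset(7, $ts - RESET_TIMEOUT, $token, 7, $accounts, $secret, $now));
```

The design point is that the token must be derived from, and checked against, the same account whose password the form writes; taking the target account from any other request parameter defeats the token entirely, whichever HMAC or hashing scheme produces it.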

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • PRLP versions prior to 8.x-1.3

Drupal core is not affected. If you do not use the contributed Password Reset Landing Page (PRLP) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.3 (the latest 8.x release as of this advisory date).

Also see the Password Reset Landing Page (PRLP) project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


Services - Highly Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029

Drupal Contributed Security - Wed, 03/08/2017 - 11:39

Description

This module provides a standardized solution for building APIs so that external clients can communicate with Drupal.

The module accepts user submitted data in PHP's serialization format ("Content-Type: application/vnd.php.serialized") which can lead to arbitrary remote code execution.

This vulnerability is mitigated by the fact that an attacker must know your Service Endpoint's path, and the Service Endpoint must have "application/vnd.php.serialized" enabled as a request parser. The module does not create endpoints by default, however the "application/vnd.php.serialized" request parser is enabled by default on any endpoints created by a site builder.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Services 7.x-3.x versions prior to 7.x-3.19.

Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.

Solution

Install the latest version:

You may disable "application/vnd.php.serialized" under "Request parsing" in Drupal to prevent the exploit: /admin/structure/services/list/[my-endpoint]/server

However, installing the latest version of the Services module is highly recommended.
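The vulnerability class here is deserialization of client-controlled input. The following is an added example, not code from the Services module: a minimal request-body parser showing the unsafe handling of "application/vnd.php.serialized" beside a hardened version that mirrors the advisory's workaround of leaving that parser disabled, plus a data-only fallback for sites that cannot drop the format immediately. Function names and the sample bodies are constructed.

```php
<?php
// Added example, not code from the Services module: a minimal request-body
// parser showing the unsafe handling of "application/vnd.php.serialized"
// beside a hardened version that mirrors the advisory's workaround of
// disabling that parser. Function names and sample bodies are constructed.
declare(strict_types=1);

// Parsers an endpoint should enable. The PHP-serialized format is absent on
// purpose: unserialize() on client-supplied bytes can instantiate arbitrary
// classes and run their magic methods during deserialization.
const ALLOWED_PARSERS = ['application/json', 'application/x-www-form-urlencoded'];

// Unsafe pattern: a client that sends the serialized content type gets its
// body handed straight to unserialize().
function parse_body_unsafe(string $content_type, string $body)
{
    if ($content_type === 'application/vnd.php.serialized') {
        return unserialize($body);
    }
    return json_decode($body, true);
}

// Hardened pattern: normalise the media type, reject anything outside the
// allow-list, and decode only data-only formats.
function parse_body(string $content_type, string $body): array
{
    $type = strtolower(trim(explode(';', $content_type, 2)[0]));
    if (!in_array($type, ALLOWED_PARSERS, true)) {
        throw new InvalidArgumentException("unsupported request format: $type");
    }
    if ($type === 'application/json') {
        $data = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
        if (!is_array($data)) {
            throw new InvalidArgumentException('JSON body must be an object or array');
        }
        return $data;
    }
    parse_str($body, $data);
    return $data;
}

// If the serialized format must stay enabled for a while (clients still
// migrating), at minimum forbid class instantiation and refuse any payload
// that still carries an object, so only scalars and arrays get through.
function unserialize_data_only(string $body): array
{
    $data = @unserialize($body, ['allowed_classes' => false]);
    if ($data === false && $body !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized body');
    }
    if (!is_array($data) || contains_object($data)) {
        throw new InvalidArgumentException('serialized body must contain data only');
    }
    return $data;
}

// With allowed_classes => false, every object in the payload is replaced by
// __PHP_Incomplete_Class; older PHP versions report is_object() false for it,
// so both checks are made.
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Usage with constructed bodies: a plain array, and one carrying an object.
$plain  = serialize(['node' => ['title' => 'hello']]);
$object = serialize(['node' => new stdClass()]);

var_dump(unserialize_data_only($plain));
try {
    parse_body('application/vnd.php.serialized; charset=utf-8', $plain);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
try {
    unserialize_data_only($object);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(parse_body('application/json', '{"node":{"title":"hello"}}'));
```

The first function is the shape to look for when auditing an endpoint; the second is the equivalent of unticking the parser under "Request parsing" in the Services UI. The data-only fallback is a stopgap, not a substitute for upgrading: it removes object instantiation from the path but still exposes the unserialize() parser to malformed input.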

Also see the Services project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Edited 2017 March 9th to add details about which elements of the vulnerability are default or not.


The full circle of Drupal adoption

Drupal News - Tue, 03/07/2017 - 20:04

The Engineering Team provides support to many community members and everyone at the Association. Every day, the team helps people who are at different stages of the Drupal adoption journey. As part of our membership campaign, we're taking a close look at how the team makes an impact throughout this cycle through the work to support a few different Association programs.

Industry Pages: convincing decision makers to adopt Drupal

The team played a key role in the Industry Pages project—from conception to execution. The industry pages help decision makers see how Drupal achieves the vision Dries set forth when he described Drupal as the platform for ambitious digital experiences.

The first three industry pages for media and publishing, higher education, and government are now on Drupal.org. These pages tell stories of success with Drupal for three verticals with geo-targeted content to show our global audience the solutions that are most meaningful to them. We plan to learn from this project and to expand into new verticals. By highlighting what Drupal can do for you, and connecting decision makers to service providers and industry peers, the industry pages are a powerful tool for leading the way to wider adoption.

Drupal Jobs: wider adoption leads to more career opportunities

The team is responsible for Drupal Jobs, the subsite dedicated to helping employers and job seekers connect for Drupal-related opportunities. Ever since Drupal Jobs launched in 2015, it has helped increase awareness of the Drupal project. As the pool of employers grows, so do the career opportunities. When more Drupal jobs are available, our ecosystem grows. Wider Drupal adoption becomes possible.

DrupalCon: Events site brings us full circle

DrupalCon unites our global community and people who want to know more about the project. On the Events site, the engineering team supports everyone—event organizers who post content, speakers who submit sessions, and attendees who register using Drupal Commerce and CoD. With a great UX on con sites and fun theme implementation, we show users what Drupal can do for you.

Around we go, thanks for coming along

As the adoption journey goes full circle and we see these efforts continue to help maintain and grow a strong ecosystem, we appreciate that you are coming along with us. To help sustain the work of the Drupal Association, join as a member. Thank you!

Categories: Development News, Drupal

It's Time To Vote - Community Elections

Drupal News - Mon, 03/06/2017 - 18:55

Voting is now open for the 2017 At-Large Board positions for the Drupal Association! If you haven't yet, check out the candidate profiles, including the short videos found on the profile pages. Get to know your candidates, and then get ready to vote.

Cast Your Vote!

How does voting work? Voting is open to all individuals who have a Drupal.org account by the time nominations open and who have logged in at least once in the past year.

To vote, you will rank candidates in order of your preference (1st, 2nd, 3rd, etc.). The results will be calculated using an "instant runoff" method. For an accessible explanation of how instant runoff vote tabulation works, see videos linked in this discussion.

Elections will be held from 6 March, 2017 through 18 March, 2017. During this period, you can review and comment on the candidate profiles.

Have questions? Please contact me: Megan Sanicki

Categories: Development News, Drupal

Conferência PHPRS 2017

PHP Announcements - Sat, 03/04/2017 - 15:33
An event for the PHP developer community of Rio Grande do Sul, focused on professional growth, exchange of experiences and networking, strengthening both the language and the labor market. It takes place from May 12 to 13, 2017, in Porto Alegre / RS, Brazil: the first day is devoted to workshops and the second to lectures. See the schedule at http://conf.phprs.com.br/#schedule and register at http://conf.phprs.com.br/#tickets
Categories: Development News, PHP, PHP News

New MySQL Enterprise Backup 4.1: Better Very Large Database Backup & Recovery and More! (23 Mar 2017)

MySQL Web Seminars - Mon, 02/27/2017 - 17:45

Large to very large databases pose additional and unique challenges. Learn how new MySQL Enterprise Backup capabilities can greatly improve the backup and recovery of all MySQL databases, but especially very large, multi-terabyte database backups.

Whether for disaster recovery or long term archival, whether backing up to disk, cloud or tape, whether sensitive data or not, MySQL Enterprise Backup 4.1 can provide big benefits – far faster, smaller, with less locking, shorter recovery times, and more.

Join MySQL Product Management Director, Mike Frank, to get an overview of MySQL Enterprise Backup, details on its new features, and real world examples of how to use them. Plus, you can get your MySQL backup questions answered with our online Q and A!

Date and Time: Thursday, 23 Mar 2017, 09:00 US/Pacific
Categories: Development News, MySQL

Analyze & Tune MySQL Queries for Better Performance (14 Mar 2017)

MySQL Web Seminars - Mon, 02/27/2017 - 17:41

SQL query performance plays a big role in application performance. If some queries execute slowly, these queries or the database schema may need tuning. Join Senior Oracle MySQL Engineer and query tuning expert, Øystein Grøvlen, to learn how to speed things up.

He will cover how the MySQL Optimizer chooses a specific plan to execute SQL queries and then will show you how to use tools such as EXPLAIN (including the JSON-based output) and Optimizer Trace to analyze query plans.

Øystein will also review how the Visual Explain functionality available in MySQL Workbench helps to visualize these plans. The webinar will contain several examples of how to use query analysis to improve performance of MySQL queries, and improve application performance.

Date and Time: Tuesday, 14 Mar 2017, 09:00 US/Pacific
Categories: Development News, MySQL

Drupal 6.12

Drupal 6.x Upgrade Project - Thu, 05/14/2009 - 13:07

Drupal 6.12 and 5.18, maintenance releases fixing problems reported using the bug tracking system, as well as a critical security vulnerability, are now available for download. Drupal 6.12 also fixes "account page opens automatically after login" among other smaller issues.

Upgrading your existing Drupal 5 and 6 sites is strongly recommended.

For more info see Drupal 6.12 and 5.18 released, SA-CORE-2009-006 - Drupal core - Cross site scripting and Upgrade Drupal to 6.12.


Drupal 6.11

Drupal 6.x Upgrade Project - Wed, 04/29/2009 - 21:03

Drupal 6.11 and 5.17, maintenance releases fixing problems reported using the bug tracking system, as well as a critical security vulnerability, are now available for download. Drupal 6.11 also fixes performance issues with the menu cache and update status cache among other smaller issues.

Upgrading your existing Drupal 5 and 6 sites is strongly recommended.

For more info see Drupal 6.11 and 5.17 released, SA-CORE-2009-005 - Drupal core - Cross site scripting and Upgrade Drupal to 6.11.


BobbyMods Drupal 6.x Upgrade Project

Drupal 6.x Upgrade Project - Tue, 02/24/2009 - 14:32

Here you can find all 'loose' Drupal 6.x core upgrade projects.

If your project is maintained by BobbyMods.com, then your upgrade is tracked under that project.

This project covers only CORE upgrades that do not fall within a regular project.
If modules and themes also need updating (or that need arises during the upgrade), it will be handled as a separate project.

Pending

Drupal 6.x Upgrade Project - Tue, 02/24/2009 - 14:32
Title | Issue Status | Priority | Category | Version | Component | Changed

