Planet Drupal

Not so highly critical?

The Drupal security team published a PSA to warn about upcoming security advisories. I shared my advice and predicted attacks within the hour after the security advisories are published. The security advisories are now published. Here is my followup.

I applaud the Drupal Security Team for warning about the highly critical updates. However the public service announcement (PSA) left the impression that this event was going to be much more serious than it was. Such a PSA would have been perfectly appropriate for SA-CORE-2014-005 "Drupalgeddon". But the only PSA there was in hindsight.

I guess it is reasonable for the Drupal Security Team to be overcautious, especially given the lessons learned from the Drupalgeddon fallout. And of course, such decisions and criticism are much easier with hindsight.

But now I am concerned about how the Drupal Security Team can realistically raise the level further if there is another vulnerability that is as serious as Drupalgeddon. Even if they raise the alert level using language in the PSA, will people still believe them? It reminds me of the boy who cried wolf.

Of course serious vulnerabilities like these are rare events in Drupal, so there is not yet a standard to compare alert levels to.

Drupalgeddon; Are you ready?

Just arrived here? Read my followup first.

Original post

The Drupal security team announced multiple highly critical updates to Drupal contrib modules in PSA-2016-001. Expect attacks within less than one hour from the announcement; 18 hours from the time this article is published. This is probably going to be Drupalgeddon all over again.

My advice

If you are prepared, you will save yourself a lot of time. If you are late or too slow, you will probably find yourself with a lot more work, e.g. the rescue workflow for Drupalgeddon 1.

Today

Don't skimp on the first two. And do at least one of "3. Update a contrib module" or "4. Learn how to apply patches". Which one you choose depends on your skills and how out of date contrib modules are on your Drupal websites. Ideally, do both steps 3 & 4; you might find one of them is significantly challenging for you.

Your Drupal website has a backdoor

I estimate hundreds of thousands of Drupal websites now have backdoors; between ten and ninety percent of all Drupal websites. Automated Drupageddon exploits were in the wild within hours of the announcement. Updating or patching Drupal does not fix backdoors that attackers installed before updating or patching Drupal. Backdoors give attackers admin access and allow arbitrary PHP execution.

Help Wanted; QLDfloods.org Drupal 7 Multiple-server Configuration & Infrastructure

There is currently severe flooding in Queensland Australia. An area twice the size of Texas is underwater. Entire homes are completely inundated. Bridges and cars have been washed away like toys. In Brisbane, airports are closed and the CBD has been closed down. There are at least 15 dead and more than 60 still missing.

QLDfloods.org is a Drupal 7 website set up by several members of the Australian Drupal community to provide information, track missing persons, find resources and people that need them (like beds), track damage and provide support. It was mentioned four times on CNN on Wednesday and multiple times on Australian national media.

The site builders are seeking help with Drupal 7 multiple-server configuration & infrastructure. Do you have expertise to help? Join #Drupal-AU on IRC, speak up in g.d.o/australia or contact Ryan Cross directly.

Celebrating 2010 & the Achievements of the Drupal Association

2010 has been a big year for the Drupal Association. Early in the year new members were brought on and the Board of Directors saw some changes. But most noteworthy is what the Drupal Association did for the Drupal community:

Screenshot of the newly redesigned Drupal.org.

Drupal.org Redesign Completion

Drupal.org has a new look and feel. If you have not seen it (have you been under a rock!?) go check out Drupal.org right now!

It took a few years and many iterations and volunteers, and even that was not enough. This year the Drupal Association came to the party with funding to finish the job. Contracts went to tender and were won by Neil Drumm, Achieve Internet and 3281d Consulting.

Thank you to everyone who contributed to the Drupal.org redesign for all your hard work and effort to pull this off. And especially thank you to the Drupal Association for funding the last several miles that could not be covered by volunteers alone.

Drupal.org will never be the same again! Find out what is next for Drupal.org.

DrupalCon San Francisco

Photo of chx with a large DrupalCon San Francisco logo on the projector screen behind him.
Photo by Kathleen Murtagh

How could we ever forget? DrupalCon San Francisco was epic. By all measures, it was the largest and most spectacular Drupal event yet.

The Drupal Association bootstrapped the funding and locked in critical contracts in order to secure the venue and other services. Many of the DrupalCon San Francisco committee members also serve the Drupal Association. The Drupal Association managed all the finances for the event and coordinated the local team and service providers with the rest of the Drupal community.

And that is just the beginning of what the Drupal Association did to make DrupalCon San Francisco a reality!

Git Migration

Photo of Sam Boyer posing with a Druplipet on his head.
Sam Boyer. Photo by Fox

The Drupal Association recognized the urgency to update Drupal.org's version control system (currently CVS).

Drupal has an active, amazingly awesome and amiable community. One of the reasons for this is that Drupal.org is our home. It has everything Drupal developers need, all in one place. However, the last couple of years have seen a trend for contributions to be distributed elsewhere.

The Drupal Association realised that if Drupal.org did not offer modern version control and code-distribution tools, then Drupal.org would cease to be a central repository for contributed Drupal code. And that would ultimately be damaging to the community and the project.

So earlier this year, the Drupal Association hired Sam Boyer to work on detailed planning and foundation work in preparation for the migration of Drupal's gigantic CVS repository, including about 9000 contributed themes, modules and other projects, to Git.

This work is underway and is making good progress, but has some way to go yet. Sam is leading the effort but the success of the project is highly dependent on volunteer effort too. You can get involved on g.d.o.

Dries Buytaert in Brisbane for DrupalDownunder

DrupalDownunder is just 2 months away and is expected to be a sell-out event, with Dries Buytaert (the Drupal project lead and founder) presenting a keynote and attending.

The keynote speakers are:

Starting at Palantir

Today is a new beginning. Today is my first day at Palantir.net. I am now a "Palantiri"! (That's Palantiri-speak for someone who works at Palantir.net. ;)

jQuery.dashboard() in CiviCRM 3.1

In January 2009 I wrote and released the jQuery.dashboard() plugin, which extends jQuery to quickly and easily create dashboard UIs like iGoogle. A handful of people have been using it for a while, but in December 2009, it was announced that CiviCRM 3.1 would include a dashboard feature utilising the jQuery.dashboard() plugin! CiviCRM 3.1 was released late January 2010. (So this blog post is a little late!)

tpl.phps are not templates

Drupal's template files (*.tpl.php) are not really templates. This is what my DrupalCon core developer summit submission is about. The slides briefly explain why tpl.phps are not real templates, what real templates are, why this is a problem for the Drupal project and community, and mentions some possible solutions to the problem. It also provides some basic guidelines as a starting point for tpl.php standards, should that be pursued.
