News feed

Drupal 7.39 and 6.37 released

Drupal.org - 2015, August 19 - 22:45

Drupal 7.39 and Drupal 6.37, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.39 and Drupal 6.37 release notes for further information.

Download Drupal 7.39
Download Drupal 6.37

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement. More information on the Drupal 6.x release series can be found in the Drupal 6.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.39 is a security release only. For more details, see the 7.39 release notes. A complete list of all changes in the stable 7.x branch can be found in the git commit log.

Drupal 6.37 is a security release only. For more details, see the 6.37 release notes. A complete list of all changes in the stable 6.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.39 and 6.37 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to either Drupal 7.39 or Drupal 6.37.

Update notes

See the 7.39 and 6.37 release notes for details on important changes in this release.

Known issues

See the 7.39 release notes for a list of known issues affecting the Drupal 7 version of this release.

Front page news: Planet Drupal
Drupal version: Drupal 6.x, Drupal 7.x
Categories: News

Community Spotlight: Jibran Ijaz (Jibran)

Drupal.org - 2015, August 5 - 18:24

Jibran Ijaz (jibran) is a Drupal developer, and is the only Drupal Core contributor in Pakistan. A member of Drupal.org since he began building websites in 2010, Jibran has become an important member of both his local community and the greater global Drupal community. The Drupal Association spoke with Jibran over email and asked him a few questions. We’re excited to share the conversation with you.

How did you get involved with Drupal and core contribution?

Back in December 2010, I started working as a freelancer on a Drupal 6 site with a friend. It took me a while to understand all the systems like nodes, cck, views, and themes, but I was finally able to find my way. At the time, Drupal 7 RC versions had only just begun being released, so when Drupal 7.0 came out I had to learn a lot of things all over again. For me, the new built-in Entity API and Field API were difficult concepts to understand. It took me a while to understand the changes in theme layer, learn about html.tpl.php, and understand the Render API. These things were so confusing to me that I wound up submitting my first core issue related to documentation.

After going through this learning curve twice, I thought I might as well start learning Drupal 8 now. So I started hanging out in the core issue queue, and began reading a lot of Drupal 8 blog posts on Drupal planet. One day, I read that they were moving all the Drupal Core files to the Core directory and they needed help in re-rolling a lot of trivial patches. I went and found a documentation novice issue in Drupal 8 and helped fix it both for Drupal 8 and for Drupal 7. After that, I was hooked.

What do you do with Drupal these days?

I'm a senior Drupal developer for PreviousNext, where I work remotely from Lahore, Pakistan. I mostly work on large Drupal 7 sites, but lately I have started working on a Drupal 8 site as well. It's fun to work with such a great team of front-end developers, back-end developers, and project managers at PreviousNext.

In my free time, I contribute to Drupal. I do a lot of code reviews. Specifically, I love working on Views issues in Drupal 8. I have also been actively involved in a lot of contrib projects and have been helping with porting them to Drupal 8. During the weekends, I enjoy working on dynamic_entity_reference.

You’re involved with quite a variety of projects in the Drupal community and in your national Drupal community as well. Can you describe some of the things you do and why you like them?

Ever since my childhood, computers have fascinated me. Even though my bachelor's degree is in Telecommunication Engineering, I always loved coding. This means my involvement with Drupal is almost always related to coding. I enjoy solving bugs, writing patches, and performing code reviews. I also like to get involved in technical discussions related to Drupal, and really enjoy helping others understand difficult Drupal concepts, so I mentor people as well.

In Pakistan, we have a very enthusiastic Drupal community. The Drupal Association has helped us with organizing numerous camps, workshops and training opportunities in different cities all over the country. I wasn’t actively involved with the local community until about a year ago when I talked to Donna Benjamin (kattekrab), who was the director of community engagement at PreviousNext at the time. Donna encouraged me to participate a lot more in my local Drupal community, so I took part in my first Drupal Camp at Lahore on 3 May 2014. I was the only core developer there, and my fellow attendees were very appreciative and welcoming. At the camp, I talked about Drupal 8, and everybody loved it. So I’ve been attending every Drupal Camp I can get to ever since. I was even a keynote speaker at Drupal Camp Islamabad back in April.

What’s the coolest project you’ve worked on?

I have worked on a lot of Drupal projects with very complex architecture. It's always fun whenever I get to use a big module like Domain Access, Services, Commerce, Ubercart, Google Maps, or Organic Groups to build features for our clients. It's also fun when I get to build a complex architecture using Drupal API. I'd prefer not to name a specific project, though. It would feel like I'm pointing at my favorite kid.

What changes are you most looking forward to in Drupal 8?

Oh! The simple answer is everything. The change from Functional Programming to Object Oriented Programming is the most important thing for me. Personally, I also like the built-in plugin system of Drupal 8 because if you’re familiar with the plugin API, you can easily use it in Blocks, Entities, Fields, Menus, and Views. Even Drupal 8 contrib modules like Rules and Page Manager are doing a lot of amazing things with plugins.

What is your favorite thing about the Drupal community?

I love the Drupal community as a whole, and am inspired by the fact that we all share the same enthusiasm towards Drupal. It doesn't matter who you are or what the scope of your technical knowledge is — anyone and everyone can make a difference in the community. I spend a lot of time with Drupal developers on IRC, at local and international Drupal events, and I haven't found a single person who isn’t kind and helpful. No matter how many times you ask the same question or a stupid question, everyone always responds very kindly. No one has ever treated me differently because of my religion or region. Every person I have met in the Drupal community has inspired me on some level, irrespective of their contribution to Drupal. That is my favorite thing about the Drupal community.

What is your most meaningful Drupal moment?

Drupal has given me a lot of beautiful moments. It's very hard to pick one, so I’ve listed several below.

1. First time I attended DrupalCon. Picture by @lsheydrupal

2. First time I met with webchick

3. First time I got a shout-out from webchick on my Drupal contributions at DrupalSouth

And there are countless other moments, like my keynote at Drupal Camp Islamabad, hanging out with VDC team at DrupalCon code sprint, meeting with the whole PreviousNext team for the first time, and dynamic_entity_reference hacking with Lee Rowlands after the DrupalSouth code sprint.

Tell us a little about your background or things that interest you outside Drupal.

Before computers, my first love was math. I like to read, but lately I haven't been able to read many books. I can speak and understand a bit of Arabic, French, and German. I love to learn new stuff and experience new things in life. I like watching football and Formula 1, and I also watch a lot of English TV series and movies. Now I know why I don't have time to read anymore. :D

Categories: News

Secure your account: Two Factor authentication on Drupal.org

Drupal.org - 2015, July 19 - 22:22

Drupal.org users* can now use two factor authentication to increase the security of their accounts. It can be enabled via the Security tab of your user profile page. Read the detailed instructions at Enabling TFA on Drupal.org.

This was made available to Drupal.org admins in May. It is now required for users who have advanced access on Drupal.org. However, every user can benefit from the security that two factor authentication offers.

If you want to make two factor authentication available on your own Drupal site, you can install the TFA module.

* Two factor authentication is available for all users with the 'confirmed user' role. If you don't see the 'Security' tab on your profile page, you might be missing the role. Just keep posting content on Drupal.org and it will be granted soon. You can also apply to get the role.

Front page news: Planet Drupal
Categories: News

Drupal.org Git Server Migration (2015-07-09 20:00-22:30 UTC)

Drupal.org - 2015, July 8 - 19:22

On July 9th at 8pm UTC, Drupal.org's Git service migrated to a redundant cluster of 2 servers. This provides failover in the event one server fails.

After the migration, host keys will change and your client might give an error message when pushing to Git. Consult your OS’s documentation on how to fix this error. For most operating systems, the following should remove the stale entries from your known_hosts file and clear the errors:

ssh-keygen -R git.drupal.org  && ssh-keygen -R 140.211.10.43

If you have any questions please raise an issue in the infrastructure issue queue. https://www.drupal.org/project/issues/infrastructure?categories=All

You can follow the progress of the migration at http://twitter.com/drupal_infra

Update: migration was successful

Host keys have changed and your client might give an error message when pushing to Git. The new host key is:

2048 16:f5:44:6c:a1:c6:be:72:cd:98:b5:b7:7d:26:d6:14 git.drupal.org (RSA)
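Before accepting a changed host key, compare the fingerprint your client shows with the one published above. The following is an added example, not Drupal.org's own tooling: it parses a plain known_hosts line, derives the RSA modulus size and the MD5 fingerprint in the same colon-separated form as the notice, and checks it against the published value. The sample known_hosts line and its RSA key blob are constructed for illustration and will not match the real git.drupal.org key.

```python
import base64
import hashlib
import struct

# Fingerprint published in the migration notice (MD5, colon-separated, as ssh-keygen -l -E md5 prints it).
EXPECTED_GIT_DRUPAL_ORG = "16:f5:44:6c:a1:c6:be:72:cd:98:b5:b7:7d:26:d6:14"


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes) from blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_known_hosts_line(line):
    """Return (hostname, keytype, raw_key_blob) for a plain known_hosts line.

    Hashed entries ('|1|...') and marker lines ('@cert-authority', '@revoked') are rejected,
    since the host name cannot be read back from them in this simple check."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("|1|") or fields[0].startswith("@"):
        raise ValueError("unsupported known_hosts entry")
    host, keytype, b64 = fields[0], fields[1], fields[2]
    return host, keytype, base64.b64decode(b64)


def md5_fingerprint(blob):
    """MD5 of the raw public-key blob, formatted like the notice above (hex pairs joined by ':')."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def key_bits(keytype, blob):
    """Modulus size of an ssh-rsa key (wire format: string 'ssh-rsa', mpint e, mpint n)."""
    if keytype != "ssh-rsa":
        raise ValueError("only ssh-rsa is handled in this example")
    wire_type, off = _read_string(blob, 0)
    if wire_type != b"ssh-rsa":
        raise ValueError("blob type does not match the declared key type")
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    n = n.lstrip(b"\x00")  # an mpint may carry a leading zero byte to keep the value positive
    return (len(n) - 1) * 8 + n[0].bit_length()


def describe(line):
    """Mimic `ssh-keygen -l -E md5` output: '<bits> <md5 fingerprint> <host> (RSA)'."""
    host, keytype, blob = parse_known_hosts_line(line)
    return f"{key_bits(keytype, blob)} {md5_fingerprint(blob)} {host} (RSA)"


def matches_expected(line, expected=EXPECTED_GIT_DRUPAL_ORG):
    """True only if the recorded key's fingerprint equals the published one."""
    _, _, blob = parse_known_hosts_line(line)
    return md5_fingerprint(blob) == expected


def _constructed_rsa_blob(bits=2048):
    """Build a syntactically valid ssh-rsa blob around a constructed, non-real modulus."""
    def mpint(value):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        if raw[0] & 0x80:
            raw = b"\x00" + raw  # sign byte, as the SSH mpint encoding requires
        return struct.pack(">I", len(raw)) + raw
    n = (1 << (bits - 1)) | 1  # constructed: top bit set so the size is exactly `bits`
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(n)


# Constructed sample entry; a real one comes from ~/.ssh/known_hosts after `ssh-keyscan git.drupal.org`.
SAMPLE_LINE = "git.drupal.org ssh-rsa " + base64.b64encode(_constructed_rsa_blob()).decode()

if __name__ == "__main__":
    print(describe(SAMPLE_LINE), "matches notice:", matches_expected(SAMPLE_LINE))
```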
Categories: News

Drupal 7.38 and 6.36 released

Drupal.org - 2015, June 17 - 19:06

Update: Drupal 7.39 and Drupal 6.37 are now available.

Drupal 7.38 and Drupal 6.36, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.38 and Drupal 6.36 release notes for further information.

Download Drupal 7.38
Download Drupal 6.36

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement. More information on the Drupal 6.x release series can be found in the Drupal 6.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.38 is a security release only. For more details, see the 7.38 release notes. A complete list of all changes in the stable 7.x branch can be found in the git commit log.

Drupal 6.36 is a security release only. For more details, see the 6.36 release notes. A complete list of all changes in the stable 6.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.38 and 6.36 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to either Drupal 7.38 or Drupal 6.36.

Known issues

None.

Front page news: Planet Drupal
Drupal version: Drupal 6.x, Drupal 7.x
Categories: News

Community Spotlight: Solomon Kitumba and Benjamin Lutaaya Kiyita

Drupal.org - 2015, June 2 - 23:01

For our June community spotlight, we’d like to highlight the efforts of two men in Uganda who are working hard to grow their local community and bring more university students into the Drupal fold. In 2014, the two were awarded a Community Cultivation Grant for their Uganda University Drupal Tour program, which will be discussed in today’s spotlight.

For close to three years, Solomon Kitumba (solomonkitumba) and Benjamin Lutaaya Kiyita (benjaminkyta) of Kampala, Uganda, have been working with Drupal. Solomon, a Drupal front end developer, owns Kyta Labs, a mobile and web app development company. Benjamin, a Drupal DevOps and UI/UX developer, is active both in the local Drupal community and in the local Linux community as well. Both men share a fascination with open source, and encountered the same obstacles when learning Drupal — which led them to team up and forge a better path for other Ugandans.

Initially, both Solomon and Benjamin learned Drupal software through online tutorials found on Lynda.com and YouTube, and through free eBooks as well. One struggle that the two bumped up against — and still struggle with — is the lack of a physical space where their local community can come together to teach new Drupalers, learn from each other, and give each other support.

"One of the biggest challenges we have faced is a lack of collaborative space where Drupalers can meet daily,” said Solomon. “In our city, there’s nowhere where we can work on solutions together and learn from each other. There are a couple of these places for mobile developers, but we lack one for web people in Kampala.

“We’ve used our Drupal careers to create a presence in the local tech industry,” said Solomon by email. “People know who to talk to if they want to discuss Drupal and getting paid to develop using Drupal. Initially, our local community was pretty inactive. There were a few people who knew how to use Drupal, but lacked the force and momentum to get good attendance at events and meetups. We’ve been working to attract more people, like site builders and module developers, and we’ve seen a lot of growth in our local community because of it."

And how have the two grown the Drupal community in Uganda?

“We started doing some outreach to use local universities as meeting spaces, but they’re so far from the main city that it became very costly. Getting together outside of the city means dealing with expenses like hotel fees, transportation costs, and a few other things, and those costs would put our projects at a standstill in times when we can’t afford it."

However, the outreach to nearby universities — though expensive — has its benefits. “We’re doing a lot of work to get university students interested in Drupal while they are still at school. Students have a lot of time available to learn new things, so we put together a Drupal University tour that we are still conducting, and so far it has been very well received."

For Solomon and Benjamin, the university tour seemed like a natural extension of the work they’d been doing at local meetups.

"We got the idea from the tech meetups we attended in Kampala that were also attended by university students in the same field. They were all curious about the platforms we use to build our online technologies, and we told them about Drupal. After the meetups they knew it was a CMS and a few of them could even install it — but that was it. We asked ourselves how we could help these students learn Drupal more easily, which led us to the idea of holding training through the major universities in Uganda. And for us, it just made sense to call the campaign the Drupal University Tour."

Planning the University Tour was no easy task: the duo encountered no small amount of hesitation from universities, and came up against financial obstacles as well. “We started off by writing down the things we would need, and figured out from there how we would hold the trainings — what we would teach specifically, and so on. Then, we started communicating with the department heads of the universities we wanted to train at. Some of them were hesitant at first, but eventually they accepted our proposal.

"When we were preparing the tour, we realized that we needed funding for the whole campaign. The universities weren't ready to financially facilitate our sessions, so we applied for the Drupal Community Cultivation Grant. Through it, we were awarded $1,488 USD, and we were able to kick off the tour."

The two knew that, for maximum efficacy, they’d have to go to a number of different schools to speak to as many students as possible. So they decided to go to the best schools in the country. “We went to all the major universities in Uganda. Makerere University, Kampala International University, Kyambogo University, and Mbarara University of Science and Technology were all on our list. Because of scheduling conflicts, we weren’t able to run the tour in the timeframe we had planned, but we eventually made it. And, we managed to have a little money left over — about $50 USD, which was enough for us to go to another institution called Datamine Technical Institute. So they were able to benefit from the campaign as well,” Solomon concluded.

The Drupal University tour has been a big success, the two felt.

“We spent a day teaching the students about Drupal itself as a software. We taught them about making contributions to the development, such as by submitting code to the project. We also emphasized the power of both the local and global Drupal communities, and discussed what a big benefit it is,” Solomon said. “We talked about how to share resources with people in the Drupal community, and how we can mobilize both locally and internationally to help people learn Drupal and organize training."

We couldn’t be more thrilled and grateful for the work that Solomon and Benjamin have done. We often hear conversations about the difficulties of bringing new talent into the Drupal community, and the work that Solomon and Benjamin have done is invaluable, both for their local community and for the wider Drupal world. Thank you for your work!

Categories: News

Drupal 8 Security bug bounty program: Get paid to find security issues in D8

Drupal.org - 2015, June 2 - 15:38

Drupal 8 is nearing release, and with all the big architectural changes it brings, we want to ensure D8 upholds the same level of security as our previous releases. That's where you come in!

The security team is using monies from the D8 Accelerate fund to pay for valid security issues found in Drupal 8, from now until August 31, 2015 (open to extension). This program is open for participation by anyone.

How does this work?

Install a local copy of Drupal 8 from Git (https://www.drupal.org/project/drupal/git-instructions). Find security issues such as XSS, SQL Injection, CSRF, Access Bypass etc. If you find any, go to www.bugcrowd.com/drupal and submit them. You will have to sign up for an account on bugcrowd.com for this. Bugcrowd is a crowdsourced security bug finding platform suggested by security team members, and it is used by many, including LastPass, Pinterest, Heroku, Pantheon, and CARD.com.

I can get paid to do this?

We will be paying anywhere from $50-$1000 per issue. The more serious the issue, the more the security team will be paying. Issues must first be confirmed by a security team member before being approved for payment. You must provide a detailed explanation of the issue and steps to reproduce the issue. The quality of your report will be taken into account when assigning a value to it. We will also take into account the severity of the security issue.

Can I get paid for finding issues in contrib or Drupal 7?

No, however if you do find security issues in Drupal core other than version 8 or in contrib projects please submit them via our issue reporting process.

Who is running this program?

The Drupal Security Team with funds from the D8 Accelerate program.

If I find something will I get credit?

Yes, just like our regular reporting policy you will get credit as long as you don’t disclose it until a fix is released. If an issue is suitable for public discussion, we will disclose it and give you credit.

Do all security issues count?

If a task requires the attacker to have one of the following permissions, it would not count:
- Access site reports (a.k.a. "View site reports")
- Administer filters
- Administer users
- Administer permissions
- Administer content types
- Administer site configuration
- Administer views
- Translate interface

Issues excluded from the bounty program:
- Descriptive error messages (e.g. stack traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HttpOnly flags on non-sensitive cookies.
- Lack of a security speedbump when leaving the site.
- Username enumeration.
- Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  - Content-Security-Policy-Report-Only
- SSL issues, e.g.
  - SSL attacks such as BEAST, BREACH, renegotiation attack
  - SSL forward secrecy not enabled
  - SSL weak / insecure cipher suites
- Other exceptions not listed.

However, we would still like to know about such issues, and you will still get credit for them, but we will not be issuing payments for them.

I have a question not listed here

Email security@drupal.org

Drupal version: Drupal 8.x
Categories: News