Drupal: Security update

drupal 7.73

1 week 6 days ago

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Important update information
  • Any site that relies on Drupal's AJAX API to perform trusted JSONP requests will need to either override the AJAX options to set "jsonp: true" or use the jQuery AJAX API directly.

    If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate.

    Drupal 7 sites should also pass such URLs through the new Drupal.sanitizeAjaxUrl() function.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update
xjm
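The JSONP note in the 7.73, 8.8.10, 8.9.6 and 9.0.6 entries is easier to act on with a concrete view of what jQuery does with a URL it was not meant to trust. The following is an added example written for this page; it is not Drupal's or jQuery's own code, and it does not reimplement Drupal.sanitizeAjaxUrl(). The JSONP_MARKER pattern is assumed to match the "=?"/"??" detection jQuery applies when "jsonp" is not false, and the URL-check helper is a stand-in illustrating the review the note asks for, not the project's helper.

```javascript
// Added example (not Drupal or jQuery project code). Shows why a user-provided
// URL must be requested with "jsonp: false", and what a review check looks like.

// ASSUMPTION: jQuery's JSONP auto-detection looks for "=?" at the end of a
// query value, or "??", in the URL or in string data. When it matches and the
// request's "jsonp" option is not false, jQuery switches a "json" request to
// its script transport, so the *response body is executed as JavaScript*.
const JSONP_MARKER = /(=)\?(?=&|$)|\?\?/;

// True when jQuery would treat this request as JSONP on its own.
function wouldAutoJsonp(url, data) {
  if (JSONP_MARKER.test(url)) return true;
  return typeof data === 'string' && JSONP_MARKER.test(data);
}

// Hardened options for a URL that came from user input (the "jsonp: false"
// setting the release note recommends): the reply is parsed as JSON data and
// never handed to the script transport, whatever the URL contains.
function untrustedJsonOptions(url, data) {
  return { url: url, data: data, dataType: 'json', jsonp: false };
}

// Options for a JSONP endpoint the site itself trusts. This mirrors the note's
// "override the AJAX options to set jsonp: true" for legitimate JSONP use;
// only ever pair it with a URL the site controls.
function trustedJsonpOptions(url) {
  return { url: url, dataType: 'jsonp', jsonp: true };
}

// Defender's view of a request: will the response be executed as script?
// dataType "jsonp" always is; a "json" request is only when the JSONP marker
// is present and auto-detection was left enabled.
function responseExecutedAsScript(options) {
  if (options.dataType === 'jsonp') return true;
  return options.jsonp !== false && wouldAutoJsonp(options.url, options.data);
}

// HYPOTHETICAL review helper (not Drupal.sanitizeAjaxUrl): refuse to build a
// request for a user-supplied URL that carries the JSONP marker at all, so a
// missing "jsonp: false" somewhere downstream cannot turn it into script.
function reviewUserUrl(url) {
  if (wouldAutoJsonp(url, undefined)) {
    return { ok: false, reason: 'JSONP callback marker in user-provided URL' };
  }
  return { ok: true, options: untrustedJsonOptions(url) };
}

// Constructed sample inputs, as a site might see them.
const USER_URL_WITH_MARKER = 'https://example.test/feed?callback=?';
const USER_URL_PLAIN = 'https://example.test/feed?page=2';

// Stand-alone run: summarise how each URL would be handled.
function demo() {
  return [USER_URL_WITH_MARKER, USER_URL_PLAIN].map(function (u) {
    return {
      url: u,
      // What a careless "dataType: json" request would do with this URL.
      defaultExecutesScript: responseExecutedAsScript({ url: u, dataType: 'json' }),
      // What the hardened options do with the same URL.
      hardenedExecutesScript: responseExecutedAsScript(untrustedJsonOptions(u)),
      review: reviewUserUrl(u)
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block prints that the plain URL is safe under either setting, while the URL carrying "callback=?" would have its response executed as script under the default options but not under the hardened ones; the review helper rejects that URL outright. The design point is that "jsonp: false" is the request-level guard, and a URL review is the defence in depth for code paths where that option might be forgotten.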

drupal 8.8.10

1 week 6 days ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose?
Security coverage information
  • Drupal 8.8.x will receive security coverage until December 2, 2020 when Drupal 9.1.0 is released.
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • Once a site running Workspaces is upgraded for SA-CORE-2020-008, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out.

    If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input.

  • Sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs for SA-CORE-2020-009.

  • Any site that relies on Drupal's AJAX API to perform trusted JSONP requests will need to either override the AJAX options to set "jsonp: true" or use the jQuery AJAX API directly.

    If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Known issues
Release type: Security update
xjm

drupal 8.9.6

1 week 6 days ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose?
Security coverage information
  • Drupal 8.9.x is a long-term support release that will receive security coverage until November 2021.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.10 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • Once a site running Workspaces is upgraded for SA-CORE-2020-008, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out.

    If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input.

  • Sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs for SA-CORE-2020-009.

  • Any site that relies on Drupal's AJAX API to perform trusted JSONP requests will need to either override the AJAX options to set "jsonp: true" or use the jQuery AJAX API directly.

    If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Known issues
Release type: Security update
xjm

drupal 9.0.6

1 week 6 days ago

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose?
Security coverage information
  • Drupal 9.0.x will receive security coverage until June 2, 2021 when Drupal 9.2.0 is released.
  • Sites on 8.9.x should update immediately to Drupal 8.9.6 instead.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.10 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • Once a site running Workspaces is upgraded for SA-CORE-2020-008, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out.

    If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input.

  • Sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs for SA-CORE-2020-009.

  • Any site that relies on Drupal's AJAX API to perform trusted JSONP requests will need to either override the AJAX options to set "jsonp: true" or use the jQuery AJAX API directly.

    If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Known issues
Release type: Security update
xjm

group 8.x-1.2

1 month 3 weeks ago

Fixes security issues: Moderately critical - Information disclosure - SA-CONTRIB-2020-032 & Moderately critical - Information disclosure - SA-CONTRIB-2020-033

The "When it rains, it pours" release

The fixes introduced in the 1.1 security release contained a few minor mistakes.

Because buggy security checking code is a security issue in its own right, we have to make another security release to fix these mistakes.

Important note

Some users are reporting that their site's node access behaves differently since the 1.1 security release. Group now interacts differently with other node access modules because of the fix introduced in 1.1 that made sure we always deny access to grouped nodes if you do not have the group permissions to view said nodes. This is by design and has to be that way because Group would otherwise be considered insecure.

The real problem lies with the fact that a lot of node access modules return a neutral access result where they should explicitly forbid access. This is a really troubling situation because they all rely on some shady code in NodeGrantDatabaseStorage that only kicks in once any module implements hook_node_grants(). They should instead properly return a Forbidden result themselves and then they would all still work fine with Group.

See the explanation in #3162511-13: The forbidden() result in group_entity_access() breaks regular node grants for more details. However, I do realize this might make life hard on some existing projects and so I intend to work on a way for people to revert to the old way of returning access for nodes ASAP, but as a deliberate opt-in. This means that you acknowledge that all bets are off if you decide to undo the changes in 1.1 and that it's your own responsibility to make sure Group is still secure from that point on.

Release type: Security update, Bug fixes
kristiaanvandeneynde

apigee_edge 8.x-1.12

2 months 1 week ago

Fixes Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028.

Github milestone: 8.x-1.12

Changelog:
  • Replace the email autocomplete field on the "add members" team form with a textfield to avoid disclosing the emails of other users in the system, via PR #450.
  • [#430] Enforce the cache expiring time on app listing pages, via PR #437.
  • [#421] Show "member" role on team members listing page, via PR #435.
  • Lock rules version to 3.0.0-alpha5 due to breaking changes in 8.x-3.0-alpha6, via PR #449.
Known Issues
  • Currently, if you do not configure the connection between Drupal and Apigee Edge, you will not be able to register developers on Drupal, and this may cause other issues with Drupal core functions. If you do not plan to configure the connection between Drupal and Apigee Edge, you should disable the Apigee Edge module. In a future release, additional enhancements will be implemented to make this experience more user-friendly.
Providing feedback

To provide feedback and report issues, use the GitHub issue management tools. See Managing your work with issues in the GitHub documentation.

The GitHub repo for the Apigee Edge Drupal module is https://github.com/apigee/apigee-edge-drupal.

Release type: Security update, Bug fixes
Arlina

easy_breadcrumb 8.x-1.13

2 months 1 week ago

Fixes Easy Breadcrumb - Moderately critical - Cross site scripting - SA-CONTRIB-2020-027.

Large bug fix release with updated support for the latest Drupal 9.

Contributors (43)

idebr, Neslee Canil Pinto, narendra.rajwar27, Project Update Bot, mirom, godotislate, jtriguero, Greg Boggs, Grimreaper, mrinalini9, kbrodej, DeaOm, baikho, sleitner, leymannx, skouf, kurtismccartney, novchuk.v, Suresh Prabhu Parkala, lolandese, blacklabel_tom, Feng-Shui, Hardik_Patel_12, callumgare_ix, tatarbj, SivaprasadC, ThomWilhelm, jernejbeg, Sahana _N, RenatoG, junkuncz, guaneagler, sudoman0, Shivalik, TimeBandit, dexiecarla, carstenG, jhuhta, gmangones, pascalrioux, dshumaker, Rohit Tiwari, Denes.Szabo

Changelog

Issues: 26 issues resolved.

Changes since 8.x-1.12:

Release type: Security update, Bug fixes, New features
Greg Boggs

group 8.x-1.1

2 months 1 week ago

Group - Critical - Information Disclosure - SA-CONTRIB-2020-030

The "I should have known node grants were a powerful enemy" release

By removing node grants in 8.x-1.0, we made some regular access checks (not query access) too permissive but only if Group was the only module implementing hook_node_grants().

For some reason node grants thinks it's cool to affect regular access checks even though its primary goal is to kick in on node query access checks. I have fixed this by moving all regular access checks into a generic implementation that checks access for all plugins, not just nodes, and by making sure they now always deny access rather than allow the node grants system to kick in.

The same restrictions apply as in the 8.x-1.0 release: Your plugin must specify a "permission_provider" and "access" handler for the new code to apply.

Changelog

Issues: 1 issue resolved.

Changes since 8.x-1.0:

Bug
  • #3160329: Some sites have different node access results because we removed the last "hook_node_grants" implementation
Release type: Security update, Bug fixes, Insecure
kristiaanvandeneynde

drupal 7.72

3 months 1 week ago

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Important update information
  • Previously, if a form submission failed Drupal's cross-site request forgery protection, the submitted form values would be re-displayed to the user along with a message advising them to copy their previously submitted values and reload the page. Beginning with this release, the form is shown without any values for security reasons, and the user is prompted to press the back button to return to their previously entered values.

    The user-facing error message that appears when a form is outdated has also been changed, and translations of it will need to be updated.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update, Insecure
xjm

drupal 8.8.8

3 months 1 week ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose?
Security coverage information
  • Drupal 8.8.x will receive security coverage until December 2, 2020 when Drupal 9.1.0 is released.
  • Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.
Important update information
  • Previously, if a form submission failed Drupal's cross-site request forgery protection, the submitted form values would be re-displayed to the user along with a message advising them to copy their previously submitted values and reload the page. Beginning with this release, the form is shown without any values for security reasons, and the user is prompted to press the back button to return to their previously entered values.

    The user-facing error message that appears when a form is outdated has also been changed, and translations of it will need to be updated.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update, Insecure
xjm

drupal 8.9.1

3 months 1 week ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

  • Drupal 8.9.x is a long-term support release that will receive security coverage until November 2021.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.8 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • Previously, if a form submission failed Drupal's cross-site request forgery protection, the submitted form values would be re-displayed to the user along with a message advising them to copy their previously submitted values and reload the page. Beginning with this release, the form is shown without any values for security reasons, and the user is prompted to press the back button to return to their previously entered values.

    The user-facing error message that appears when a form is outdated has also been changed, and translations of it will need to be updated.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update, Insecure
xjm

drupal 9.0.1

3 months 1 week ago

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose?
Security coverage information
  • Drupal 9.0.x will receive security coverage until June 2, 2021 when Drupal 9.2.0 is released.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.8 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • Previously, if a form submission failed Drupal's cross-site request forgery protection, the submitted form values would be re-displayed to the user along with a message advising them to copy their previously submitted values and reload the page. Beginning with this release, the form is shown without any values for security reasons, and the user is prompted to press the back button to return to their previously entered values.

    The user-facing error message that appears when a form is outdated has also been changed, and translations of it will need to be updated.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update, Insecure
xjm