Drupal: Security update

graphql 8.x-4.1

2 weeks 2 days ago

Security release of GraphQL fixing a minor information disclosure vulnerability, see GraphQL - Moderately critical - Information Disclosure - SA-CONTRIB-2021-013.

This release contains a small compatibility break on GraphQL error handling which was necessary to fix the information disclosure. Please test this release before deploying as returned new errors could break your frontend code. For further details see https://github.com/drupal-graphql/graphql/pull/1161 (the compatibility mode discussed there was removed to fix the information disclosure).

Full list of changes since 4.0: https://github.com/drupal-graphql/graphql/compare/8.x-4.0...8.x-4.1

Release type: Security update, Bug fixes, New features
klausi

drupal 9.2.0-beta2

3 weeks 2 days ago

This is a beta release for the next minor (feature) release of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.

This beta release resolves SA-CORE-2021-003; sites running 9.2.0-beta1 are strongly encouraged to upgrade immediately.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.2.x contains new features, and should be the target for new site development. Drupal 8.9.x will continue to have security support until November 2021. Drupal 9.1.x will continue to have security support until December 2021. Security support for 9.0.x ends with the release of 9.2.0 on June 16.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 this year so that you can easily update to Drupal 9.2 and later.

Beta testing program

The Drupal Association and the Drupal core maintainers are partnering with agencies and site owners in an official beta testing program for Drupal core minor releases. The program aims to identify and minimize regressions in minor releases. Participating in the program is a way to contribute to the Drupal project and will be credited accordingly.

Important update information

Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Sites on 8.7 or earlier must update to either 8.8 or 8.9 before updating to Drupal 9 as all Drupal 8 update functions from before Drupal 8.8.0-rc1 were removed from Drupal 9. We recommend updating to 8.9.x, as well as updating all contributed modules, before updating to any Drupal 9 release.

Note: The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Upgrading from Drupal 7

Drupal 7 users can continue to migrate to Drupal 8.9, or directly to 9.2. The upgrade path for multilingual sites is stable in both Drupal 8 and 9.

Changes since 9.2.0-beta1:

  • #3215916 by catch, larowlan: Update ckeditor to 4.16.1
  • #3202493 by jenniferaube, vsujeetkumar, Sakthivel M, bnjmnm, manojithape, mgifford, guilhermevp, Gauravmahlawat, lauriii, zrpnr, mradcliffe: Claro is missing focus in "Available buttons" within CKEditor toolbar configuration
  • #3186661 by Spokje, longwave, mondrake, paulocs, daffie: [May 24, 2021] Remove usage of drupalPostForm
  • #3133162 by jungle, ravi.shankar, Deepak Goyal, Neslee Canil Pinto, anmolgoyal74, xjm, Kristen Pol: Replace the start verb Test with Tests in method comments of tests
  • #3214140 by Gauravmahlawat, manojithape, mitthukumawat: Olivero: Message icon has border radius in firefox browser
  • #1870006 by nod_, BarisW, alwaysworking, Renrhaf, pk188, andrewmacpherson, ranjith_kumar_k_u, vikashsoni, Gauravmahlawat, wolffereast, Wim Leers, jessebeach, xjm: HTML5 validation with table sticky header is misaligned over the toolbar
  • #3189463 by quietone, Wim Leers, adityasingh, ayushmishra206: all translation/localization migrations should depend on the 'language' migration
  • #3195888 by alexpott, quietone: Check dependencies are correct in core/scripts/dev/commit-code-check.sh
  • #3204461 by quietone, larowlan: Avoid error from sort in ValidateMigrationStateTestTrait
  • #3109767 by quietone, mtodor, Kristen Pol, larowlan: Unable generate sample data with defined random seed for the "string" or "link" field type
  • #3191782 by quietone, Wim Leers, mohit_aghera: Fix dependency in d6 user profile translation migrations
  • #3214920 by catch, longwave, Gábor Hojtsy: Increase DRUPAL_RECOMMENDED_PHP to 7.4
  • #3213557 by Sakthivel M, guilhermevp, tushar_sachdeva: Display title checkbox is misaligned in Configure dialog box of layout builder
  • #3200628 by tushar_sachdeva, chetanbharambe, mherchel: Olivero's small button variation's text seem vertically mis-aligned
  • #3173012 by mherchel, kiran.kadam911, andy-blum, Gauravmahlawat, ankithashetty, djsagar, proeung: Olivero header-search-wide.pcss.css and header-search-narrow.pcss.css adjustments
  • #3215039 by andypost: Update symfony dependencies to latest release
  • #3139404 by mondrake, munish.kumar, pavnish, longwave: [May 25, 2021] Replace usages of AssertLegacyTrait::assertText, that is deprecated
  • #3207734 by Spokje, quietone: Fix Drupal.Commenting.InlineVariableComment
Release type: Security update, Bug fixes, New features
catch

drupal 8.9.16

3 weeks 2 days ago

Maintenance and security release of the Drupal 8 series.

This release fixes a security vulnerability. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

  • No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update
mlhess

drupal 9.1.9

3 weeks 2 days ago

Maintenance and security release of the Drupal 9 series.

This release fixes a security vulnerability. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update
mlhess

drupal 9.0.14

3 weeks 2 days ago

Maintenance and security release of the Drupal 9 series.

This release fixes a security vulnerability. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update
mlhess

facets 8.x-1.8

1 month ago

Resolves SA-CONTRIB-2021-008.

Contributors (30)

mkalkbrenner, DamienMcKenna, borisson_, idebr, smustgrave, jannakha, askibinski, capysara, seanB, jgold, nrackleff, Mikechr, helioha, TrevorBradley, szeidler, Piegefull, Megha_kundar, ericbellot, joekers, saraah.jacobs, cgoffin, BramDriesen, Evaldas Užkuras, pierre-nono, c.altosax, pfrenssen, dpolant, heddn, doubouil, flocondetoile

Changelog

Issues: 11 issues resolved.

Changes since 8.x-1.7:

Release type: Security update, Bug fixes, New features
mkalkbrenner

samlauth 8.x-3.1

1 month 2 weeks ago

Please disregard 8.x-3.0.

Changes since 3.0-RC2:

Fix SA-CONTRIB-2021-006 - possible access bypass, by way of password reset email.

Change the 'Allow SAML users to log in directly' permission introduced in 3.0-RC1 into a configuration option (set of roles), so it can be turned off for administrator roles.

Prevent users from logging in if they match an existing Drupal user but cannot be explicitly linked to it (because the Drupal user is linked from elsewhere) even though a corresponding linking option would allow this.

Expand/refine linking options.

Add list of existing links (authmap table entries) with a facility to remove individual links.

Add 'Tell disallowed users they must log in using SAML' (local_login_saml_error) config, turned off for new installs to prevent information disclosure.

Add 'Require assertions to be signed' (security_assertions_signed) config.

Add 'library default' option for Signature algorithm and make it default. (The library can occasionally update it; it updated from SHA1 to SHA256 for its v3, but our default setting was still at SHA1.)

Add 'Use Drupal base URL in toolkit library' (use_base_url) config, with the intent of making this the non-configurable situation in v4.x; deprecate 'use_proxy_headers' config option.

Upgrading:

Those still using 8.x-1.3: see the project README.

All: run update.php / drush updb.

Review the new 'Roles allowed to use Drupal login' setting (drupal_login_roles config). If you had 3.0-RC1 installed: any administrator roles are probably enabled here, and you might want to turn them off. If you did not have 3.0-RC1 installed yet: this supersedes the old single checkbox 'Allow SAML users to log in directly' (drupal_saml_login config) and if you had that turned on, you may want to turn this ability off for some user roles.

Review the new 'Tell disallowed users they must log in using SAML' checkbox (local_login_saml_error config); it is on for existing installations but you may want to turn it off if you think the extra security (less information disclosure) outweighs potential confusion.

If you had the 'Attempt to link SAML data to existing local users' checkbox (map_users config) enabled:

  • Review the 'Attempt to link SAML data to existing local users' section (map_users_name / map_users_mail / map_users_roles config) which supersedes the single checkbox. You may want to turn some of them off for extra security (to prevent a subset of existing users from being linked).
  • Please note: until now it was possible for a SAML/IdP user to log in as an existing Drupal user without the user being explicitly linked to that SAML/IdP user, if the Drupal user was already linked to a different SAML/IdP login. From this moment on, login will be denied in this case. If some of your users complain about not being able to log in anymore, their Drupal accounts are likely linked to an older SAML/IdP login that you should remove before they can log in again. A list of links is available at admin/config/people/saml/authmap.

If your 'Signature algorithm' is SHA1: change it (to 'library default' or anything else you prefer) to use current-day security standards.

Check the new 'Require assertions to be signed' (security_assertions_signed) setting; turning it on may provide extra security if your IdP previously did not allow you to turn 'Require messages to be signed' (security_messages_sign) on.

Enable the 'Use Drupal base URL in toolkit library' (use_base_url) setting; it should work for all Drupal configurations. For Drupal sites behind a reverse proxy, this makes sure to use only 'trusted' headers / host values, as configured in settings.php.

Please test this 'Use Drupal base URL in toolkit library' value if you have any nonstandard (e.g. multi-host multilanguage) configuration and file an issue if you see any strange behavior; it will become the non-configurable standard in the next major version of the module.
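One way to work through the review items above after running updates is to dump the module's configuration and pass it through a small audit. This is an added example, not part of the module or of these notes; the config object name `samlauth.authentication`, the `security_signature_algorithm` key and the stored shape of `drupal_login_roles` are assumptions, while the other keys are the ones quoted in the notes:

```python
# Post-upgrade review of samlauth 8.x-3.1 settings (added example, not module code).
# The two configs are constructed stand-ins for `drush config:get samlauth.authentication`
# output; the config object name, the `security_signature_algorithm` key and the
# {role_id: role_id | 0} shape of `drupal_login_roles` are assumptions; other keys are from the notes.

ADMIN_ROLES = {"administrator"}  # roles that must not bypass SAML via local login

def enabled_roles(value):
    """Normalise a Drupal checkboxes value (dict of rid -> rid|0) or a plain list."""
    if isinstance(value, dict):
        return {rid for rid, on in value.items() if on}
    return set(value or [])

def audit_samlauth(cfg):
    """Return [(config key, finding)] for each setting the 3.1 notes ask you to review."""
    findings = []
    admins = enabled_roles(cfg.get("drupal_login_roles")) & ADMIN_ROLES
    if admins:
        findings.append(("drupal_login_roles", "local login allowed for %s" % sorted(admins)))
    if cfg.get("local_login_saml_error"):
        findings.append(("local_login_saml_error", "tells disallowed users to use SAML (information disclosure)"))
    for key in ("map_users_name", "map_users_mail", "map_users_roles"):
        if cfg.get(key):
            findings.append((key, "SAML logins may be linked to existing users by this field"))
    if "sha1" in str(cfg.get("security_signature_algorithm", "")).lower():
        findings.append(("security_signature_algorithm", "SHA1 in use; switch to 'library default'"))
    if not cfg.get("security_assertions_signed"):
        findings.append(("security_assertions_signed", "unsigned assertions are accepted"))
    if not cfg.get("use_base_url"):
        findings.append(("use_base_url", "URLs not taken from Drupal's trusted host settings"))
    return findings

# Constructed: a site that upgraded from 3.0-RC1 and has not reviewed anything yet.
WEAK_CONFIG = {
    "drupal_login_roles": {"administrator": "administrator", "editor": 0},
    "local_login_saml_error": True, "security_assertions_signed": False, "use_base_url": False,
    "map_users_name": True, "map_users_mail": True, "map_users_roles": False,
    "security_signature_algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}

# Constructed: every review item from the release notes applied.
HARDENED_CONFIG = {
    "drupal_login_roles": {"administrator": 0, "editor": "editor"},
    "local_login_saml_error": False, "security_assertions_signed": True, "use_base_url": True,
    "map_users_name": False, "map_users_mail": False, "map_users_roles": False,
    "security_signature_algorithm": "",  # 'library default' in the UI
}
```

Each finding maps back to one of the bullet points above, so an empty result means every item has been reviewed as recommended.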

Release type: Security update, Bug fixes
roderik