Blog

What happens when the Drupal Security Team marks a module as unsupported?

by David Snopek on November 13, 2019 - 8:44pm

You may have noticed that today the Drupal Security Team marked 16 modules as unsupported, due to the module maintainer not fixing a reported security vulnerability after a sufficiently long period of time.

Among those modules, there were a few very popular ones like Admininistration Views and Nodequeue, which have have reported ~118k and ~40k sites using them, respectively.

Everytime a popular module is unsupported, there's a certain amount of panic and uncertainty, so I wanted to address that in this article, both for the Drupal community at large, and for our customers in particular, because we promise to deploy security updates the same day they are released.

Read more to see our perspective!

Wizards & Robots Save Drupal Websites From Non-Stop Attack!

by Elliot Christenson on October 16, 2019 - 7:53am

All versions of Drupal are under attack - no different than other software. What can be different is that websites are often custom, complex, and can be attacked seconds after an exploit is made public. myDropWizard's Support "Wizards" and our automated process "Robots" are continually working to keep you backed up, supported, and secured from all types of threats.

Drupal 6 security update for Ubercart module

by David Snopek on October 2, 2019 - 1:32pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Ubercart module to fix a Cross Site Scripting (XSS) vulnerability.

The Ubercart module provides a shopping cart and e-commerce features for Drupal.

The order module doesn't sufficiently sanitize user input when displayed on an invoice leading to a XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit orders".

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch or the full release.

If you have a Drupal 6 site using the Ubercart module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Contact myDropWizard About Drupal 7 Life Support

by Elliot Christenson on September 18, 2019 - 8:22pm

We are less than 260 days from the release of Drupal 9. Whether you are moving away from Drupal, planning on updating to Drupal 8, or updating to Drupal 9 in 2020, you need your current Drupal 7 website kept up to date and watched over for security issues in the meantime.

My Drupal Developer Stopped Drupaling! What Now?

by Elliot Christenson on August 1, 2019 - 12:39am

If you have a Drupal website, then you have a Drupal developer. In some cases, that might be you. In other cases, that could be an employee or intern on your staff. In other cases, it could be an employee or team from a consulting team or "Drupal Shop". For all sorts of reasons, any or all of these types of people may eventually not be able to continue to maintain the website they built for you. Read on!

Why are We Called Wizards?

by Elliot Christenson on July 4, 2019 - 3:30am

Every morning, our team meets, as so many development teams do, for a daily "standup". Since we all work remotely, at some point, we decided it would be a great idea to have "ice breakers" to get to know our far-flung teammates better. It's worked great, and I feel like I know my teammates like they are working across the room instead of across the planet!

It was during one of these sessions that my blogging writer's block came up, and Arturo mentioned that I should just explain "Why are We Called Wizards?". This was exactly the sort of inspiration that I was hoping for. I hadn't seen the forest for the trees, so to speak! We never really have explained why we have such a seemingly silly company name.

Maybe today I can show you how it's, perhaps not just appropriate - but maybe even perfect - to describe what it is that we try to do!

Drupal 6 security update for Advanced Forum module

by David Snopek on June 26, 2019 - 11:42am

Today, there is a Critical security release for the Advanced Forum 6.x-2.x module to fix an Cross Site Scripting (XSS) vulnerability.

Advanced Forum builds on and enhances Drupal's core forum module.

The module doesn't sufficiently sanitise user input in specific circumstances relating to the module's default functionality. It is not possible to disable the vulnerable functionality.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create forum content.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch or the full release.

Note: This only affects Advanced Forum 6.x-2.x -- not 6.x-1.x.

If you have a Drupal 6 site using the Advanced Forum 6.x-2.x module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Drupal 6 supports MySQL 8 (starting in Drupal 6.51)

by David Snopek on May 21, 2019 - 9:17am

As you probably know, Drupal 6 reached its End-of-Life (EOL) on February 24th, 2016. However, the mantle of supporting Drupal 6 was taken up by the Drupal 6 Long-Term Support vendors - including the team here at myDropWizard!

Long-Term Support isn't glamorous or exciting.

It's making security releases. It's minor bug fixes. Sometimes it's updating a contrib module that hasn't had an official release since 2009 to work with PHP 7. :-)

In fact, a big part of Drupal 6 Long-Term Support (D6LTS) is updating Drupal 6 core and contrib to work with new technologies, especially as the older versions that it was originally designed to work with become deprecated or reach their own EOL, like when PHP 5 reached its EOL at the end of last year. (Did you know that Drupal 6 now works with PHP 7?)

Today, I'd like to announce that Drupal 6 supports MySQL 8, starting with Drupal 6.51!

This was implemented in collaboration with the community, largely the contributions of f1mishutka, but also a number of others who contributed testing and bug reports.

I know there's a lot of anxiety over how Drupal 7 Extended Support (D7ES) is going to work, however, I think that this is more evidence that the vendor-supported model used by D6LTS (and soon, D7ES) is working.

You can download the latest Drupal 6 LTS core release from GitHub.

Experimental Composer repository with CKEditor plugins

by David Snopek on May 17, 2019 - 8:49am

In my experience, a big part of making a Drupal 8 site usable for content editors is customizing the WYSIWYG, which usually includes adding a couple additional CKEditor plugins.

Of course, you can simply download the plugins into the 'libraries' folder, and that's fine. But these days, it's becoming best practice to pull in all of your site's dependencies using Composer.

Adding 'package' repositories to your composer.json for the CKEditor plugins (the current best practice) works fine - but only for your individual site.

It doesn't work so well if you want to install:

A Drupal "Feature" (like with the Features module) that configures the WYSIWYG, including adding some CKEditor plugins, or
A Drupal distribution (like Panopoly or Lightning)

In those cases, you can't depend on what the individual site may have in its top-level composer.json, and asking the user to manually copy-paste a bunch of 'package' repositories in there may create enough confusion or problems that potential users will just give up.

Well, I've got an possible solution to this problem: an experimental Composer repository which includes CKEditor plugins for use on a Drupal site.

It works better for Feature modules and distributions, but can also make life easier for individual sites too.

Read more to find out how it works and how to use it!

Drupal 6 core security update for SA-CORE-2019-007

by David Snopek on May 8, 2019 - 12:31pm

Today, there is a Moderately Critical security release for Drupal core to fix a vulnerability in the protections added in SA-CORE-2019-003. You can learn more in the security advisory:

Drupal core - Moderately Critical - Third-party Libraries - SA-CORE-2019-007

Here you can download the Drupal 6 patch to fix, or a full release ZIP or TAR.GZ.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

1 of 18
next ›

What happens when the Drupal Security Team marks a module as unsupported?

Wizards & Robots Save Drupal Websites From Non-Stop Attack!

Drupal 6 security update for Ubercart module

Contact myDropWizard About Drupal 7 Life Support

My Drupal Developer Stopped Drupaling! What Now?

Why are We Called Wizards?

Drupal 6 security update for Advanced Forum module

Drupal 6 supports MySQL 8 (starting in Drupal 6.51)

Experimental Composer repository with CKEditor plugins

Drupal 6 core security update for SA-CORE-2019-007

Popular topics

We're a Top 40 Drupal Blog!

You are here

Blog

Popular topics

We're a Top 40 Drupal Blog!