Drupal 6 security update for XML sitemap!

by David Snopek on May 25, 2016 - 11:26am

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for XML sitemap to fix a Cross-Site Scripting (XSS) vulnerability.

The module doesn't sufficiently filter the URL when it is displayed in the sitemap.

This vulnerability is mitigated if the setting for "Include a stylesheet in the sitemaps for humans." on the module's administration settings page is not enabled (the default is enabled).
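As an added illustration, not the module's own code or its patch, the following minimal PHP 5.2-style sitemap emitter escapes every value it writes into the XML, so a path or alias carrying markup characters cannot break out of its element when a browser renders the sitemap through the "humans" stylesheet. The function names, the stylesheet href and the sample entries are constructed for this example.

```php
<?php
// Added example, not the XML sitemap module's own code. Written for PHP 5.2
// (no typed parameters, no short array syntax). htmlspecialchars() stands in
// for Drupal 6's check_plain(), which wraps the same call after a UTF-8 check.

function sitemap_escape($value) {
  // ENT_QUOTES turns &, <, >, " and ' into entities that are valid XML and
  // that an XSLT "stylesheet for humans" renders as literal text, not markup.
  return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function sitemap_url_entry($loc, $lastmod) {
  // Every value placed inside an element goes through the escaper; nothing
  // is concatenated into the XML raw.
  return "  <url>\n"
       . "    <loc>" . sitemap_escape($loc) . "</loc>\n"
       . "    <lastmod>" . sitemap_escape($lastmod) . "</lastmod>\n"
       . "  </url>\n";
}

function build_sitemap(array $entries, $stylesheet_href = NULL) {
  $xml = '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
  if ($stylesheet_href !== NULL) {
    // Counterpart of the "Include a stylesheet in the sitemaps for humans"
    // option: browsers apply this XSL and display the result as HTML, which
    // is why an unescaped URL in the XML becomes a cross-site scripting issue.
    $xml .= '<?xml-stylesheet type="text/xsl" href="'
          . sitemap_escape($stylesheet_href) . '"?>' . "\n";
  }
  $xml .= '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">' . "\n";
  foreach ($entries as $entry) {
    $xml .= sitemap_url_entry($entry['loc'], $entry['lastmod']);
  }
  return $xml . "</urlset>\n";
}

// Constructed sample input: the second alias contains quote and tag characters
// of the kind an attacker-controlled path alias could carry.
$entries = array(
  array('loc' => 'http://example.com/node/1', 'lastmod' => '2016-05-25'),
  array('loc' => 'http://example.com/"><b>alias</b>', 'lastmod' => '2016-05-25'),
);
echo build_sitemap($entries, '/sitemap.xsl');
```

Disabling the stylesheet option removes the HTML rendering context, but escaping at the point of output is the fix that holds regardless of that setting.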

Download the patch for XML Sitemap 6.x-2.x (also works with 6.x-2.1, the latest release), 6.x-1.x or 6.x-1.2.

If you have a Drupal 6 site using the XML sitemap, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

myDropWizard is providing Drupal 6 Long-Term Support for 424 sites!

by David Snopek on May 6, 2016 - 2:16pm

We've been pretty busy in the 11 weeks since Drupal 6's End-of-Life on February 24th.

Really, CRAZY busy, in fact!

We're currently responsible for providing Drupal 6 Long-Term Support for 424 sites in total!

For some of our bigger clients with large numbers of sites on a single code-base or those subject to regulation (for example, governments and universities) we had to compromise on not providing "security updates only" service - but some protection is certainly better than no protection.

Going through the sales process (which includes performing an in-depth site audit), on-boarding process and subsequently supporting and maintaining 424 sites in only 11 weeks has been enormously challenging for a small company like ours - but also an amazing learning experience.

Things are finally slowing a bit with regard to Drupal 6 LTS, we're heading out to DrupalCon New Orleans next week, and starting to look at the next phase for our business.

This feels like a good time to stop and reflect on the things we've learned from our experience with providing Drupal 6 LTS: what worked, what didn't and what we can improve for the future!

This isn't a marketing post (unlike most of our posts recently - sorry!) but a look Behind the Veil at our growing startup, what we do and why we do it. And it's about time! The last one I did was back in June, explaining why we were launching myDropWizard.

So, if you're still interested in my meandering reflections, please read on!

Connect with myDropWizard at DrupalCon New Orleans!

by David Snopek on May 2, 2016 - 12:04pm

Next week Drupalers from all around the world will be descending on the beautiful city of New Orleans for DrupalCon 2016 - and myDropWizard will be there too!

If you've never been to a DrupalCon - you're missing out. It's an opportunity to meet the Drupal people you know virtually, be surrounded by a dizzying amount of Drupal knowledge, and get inspired and excited for the future of Drupal. Watching the videos is great, but I'd argue that you can learn more by asking someone in the hallway or attending a sprint.

Anyway, there are lots of great articles about why you should attend DrupalCon - I'm not going to attempt to rehash all that here. :-)

But if you're coming, I am going to try and encourage you to connect with myDropWizard while you're at DrupalCon New Orleans!

Both myself (David Snopek) and myDropWizard co-founder, Elliot Christenson, will be there. If you're interested in ...

... then come and find us!

Drupal 6 security update for Views!

by David Snopek on April 20, 2016 - 12:40pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for Views to fix an Access Bypass vulnerability.

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

The module doesn't sufficiently check handler access when returning the list of handlers from view_plugin_display::get_handlers(). The most critical code (access plugins and field output) is unaffected - only area handlers, the get_field_labels() method, token replacement, and some relationship handling are susceptible.

Download the patch for Views 6.x-2.x or Views 6.x-3.x!

If you have a Drupal 6 site using the Views module (probably most sites), we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Why you SHOULDN'T upgrade from Drupal 6!

by David Snopek on April 12, 2016 - 2:00pm

Ever since Drupal 6's End-of-Life on February 24th, there have been countless blogs and articles about why you should upgrade to Drupal 7 or 8 as quickly as possible.

But this may be the only article arguing that you SHOULDN'T upgrade from Drupal 6! ;-)

If you have a complex Drupal 6 site, and you haven't started the upgrade process yet - contrary to conventional wisdom - the best answer may be: keep waiting.

No, this isn't an April Fools joke, and we're not being sarcastic. :-)

Want to know why? Keep reading!

Security Review 1.3 released for Drupal 6!

by David Snopek on March 24, 2016 - 5:03pm

If you're running a Drupal site of any version (6, 7 or 8), I highly recommend installing the Security Review module and following its recommendations!

What many people don't realize is that even if you've applied every security update that affects your site, it's possible to introduce vulnerabilities (or make it super easy to escalate a minor vulnerability to a highly critical one) by configuring your Drupal site insecurely.

The Security Review module can identify the most common insecure configurations on your site and tell you how to fix them!

However, if you're planning on keeping your Drupal 6 site running after its End-of-Life (EOL), it's doubly important that you install the Security Review module and harden your site's configuration.

And, yesterday, we released Security Review 1.3 for Drupal 6!

This release is basically the same as the 6.x-1.x-dev release has been for a year, and we've been using it successfully with our customers for quite a while. So, we figured it was time to make a proper release. :-)

However, we intend to continue maintaining the Drupal 6 version of the module and hope to fix (or otherwise close) the last 20 open issues and make more releases.

While most other modules are discontinuing maintenance on their Drupal 6 versions because of the EOL, I think this is one module that needs increased maintenance because of it. :-)

Getting accurate 'Available updates' for Drupal 6

by David Snopek on March 4, 2016 - 8:20am

If you still have a Drupal 6 site and use the 'update' module, you probably noticed that you're no longer getting accurate information about security updates on the "Available updates" report. In fact, it's telling you to disable all your modules, which isn't very helpful. :-)

This is because after February 24th, Drupal 6's End-of-Life date, all Drupal 6 modules on Drupal.org were marked as unsupported. This was always part of the plan, because the Drupal community wants to stop supporting Drupal 6, and leave that work to the Drupal 6 Long-Term Support (LTS) vendors.

However, it had an interesting side-effect!

If a module is marked as unsupported, the 'update' module won't tell you about available security updates for that module!

This is particularly problematic because there were 2 big security releases on February 24th as well: Drupal 6.38 and FileField 3.14. If you didn't update right away on February 24th, then on February 25th, there was already no mention of those security releases on the "Available updates" report. (Those two in particular are temporarily marked as supported, so you should actually see them now.)

And if you only do security updates every few weeks or months, then you could be unaware of even more security releases made before the update status information became unreliable.

(Note: While it's NOT recommended to wait that long, the reality is that people with small budgets can only pay someone to perform updates once a month, or every few months. We apply security updates same day for our customers, but not everyone can afford that.)

However, we've created an alternative to the 'update' module which will allow you to get accurate information about security updates, both past, and going into the future with releases from the Drupal 6 LTS vendors!

First Drupal 6 LTS patch released (for Prepopulate module)!

by David Snopek on March 2, 2016 - 8:49pm

Last Wednesday, Drupal 6 finally reached End-of-Life (EOL). This means that security for Drupal 6 (both core and select contrib modules) is up to the official Drupal 6 Long-Term Support vendors -- and we're one of those vendors!

The whole idea of a commercial Long-Term Support (LTS) period is untested (this is a first in the Drupal community) and there's understandably some uncertainty in the community about how this process will work (and if it will work).

Well, it's only a week in, and we've already published our first Drupal 6 LTS patch!

You need to update libc on all your Linux servers NOW!

by David Snopek on February 17, 2016 - 6:35am

If you don't follow security news, you might not be aware of the libc vulnerability published yesterday. The vulnerability was introduced in 2008 - so, it's likely this affects all Linux servers (and desktops, if you run Linux on the desktop) that you're responsible for.

What version of PHP does Drupal 6 need?

by Elliot Christenson on February 12, 2016 - 8:36am

The short answer is: Drupal 6 officially supports only PHP 5.2, but you should use the highest version of PHP that doesn't break your site!

For the longer answer:

PHP 5.2.17 is the latest version of PHP in the 5.2.x branch of the popular programming language. While there are several newer versions, it's a safe bet that legacy code will operate under 5.2.17. However, there are potential security holes with earlier versions of PHP.

Articles aggregated for consumption on Drupal Planet!
