Drupal News

Advisory ID: DRUPAL-SA-CORE-2017-002
Project: Drupal core
Version: 8.x
Date: 2017-April-19
CVEID: CVE-2017-6919
Security risk: 17/25 (Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Access bypass

Description

This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:

The site has the RESTful Web Services (rest) module enabled.
The site allows PATCH requests.
An attacker can get or register a user account on the site.

While we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites...

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

The Drupal Association team is gearing up for DrupalCon Baltimore. We're excited to see you there, and we'll be presenting a panel giving an update on our work since Dublin and our plans for the coming months.

Drupal.org updates

Project application revamp

As we announced in mid-March, new contributors on Drupal.org can now create full projects and releases!...

Advisory ID: DRUPAL-PSA-2017-001
Project: Drupal core
Version: 8.x
Date: 2017-Apr-17

Description

There will be a security release of Drupal 8.3.x and 8.2.x on April 19th 2017 between 17:00 - 18:00 UTC that will fix a critical vulnerability. While we don't normally provide security releases for unsupported minor releases, given the potential severity, the 8.2.x release includes the fix for sites which have not had a chance to update to 8.3.0. The Drupal Security Team urges you to reserve time for core updates at that time because exploits are expected to be developed within hours or days. Security release announcements will appear at the standard announcement locations.

This vulnerability does not affect all Drupal 8 sites; it only affects sites with certain...

In October of last year the Technical Advisory Committee was formed to evaluate options for the developer tools we use on Drupal.org. The TAC consists of Angie Byron, Moshe Weitzman, and Steve Francia, acting as advisors to Megan Sanicki, the Executive Director of the Drupal Association.

The TAC's mandate is to recommend a direction for the future of our tools on Drupal.org. Megan will evaluate this recommendation, make a decision, and prioritize that work in the development roadmap of the Drupal...

Drupal 8.3.0, the third minor release of Drupal 8, is now available. With Drupal 8, we made significant changes in our release process, adopting semantic versioning and scheduled feature releases. This allows us to make extensive improvements to Drupal 8 in a timely fashion while still providing backwards compatibility.

What's new in Drupal 8.3.0?

This new version includes improvements to authoring experience, site administration, REST support, and a stable version of the BigPipe module. It also includes new experimental modules to abstract workflow functionality, to lay out content types differently (e.g. articles are two column vs. press releases are three column), and to provide a general layout API for contributed modules. Many smaller improvements for the experimental Content Moderation module are included as well. (...

This is a joint statement from project lead Dries Buytaert and Megan Sanicki, Drupal Association Executive Director.

Over the last week, the Drupal community has been in a debate over the various decisions made by us in relation to long-time Drupal developer Larry Garfield. As with any such decisions, and especially due to the circumstances of this one, there has been controversy, misinformation and rumors, as well as healthy conversation and debate. Many people feel hurt, worried, and confused. The fact that this matter became very public and divisive greatly saddens all of us involved, especially as we can see the pain it has caused many.

First off, we want to apologize for not responding sooner. We had to take a pause to process the community’s reaction. We also wanted to take the time to talk to community members to make sure all of the concerns were heard...