Feed aggregator
Vote NOW for Drupal Association at large directors
Voting is now open for the 2012 election of at large directors of the Drupal Association. Two directors will be elected from among the ten candidates.
About the Drupal Association electionsWhen we designed a new governance structure for the Drupal Association last year, we decided that most of the board is selected through a nominating committee with the goal to carefully balance many factors like needed skills and geographical and sector representation. However, it was also deemed important that we have directors chosen directly by the Drupal community to make sure that the community is always well-represented.
We're holding our first open community elections! Two community "at large" directors will be elected to the Drupal Association Board of Directors, and YOU can get to say who they are!
Where to find out about candidates- Review their nomination profiles.
- Read the notes from the two all candidates' meetings at http://groups.drupal.org/node/207398.
Voting is open to all individuals who registered an account on drupal.org prior to January 18, 2012 and who have logged into that account at least once in the one-year period prior to February 3, 2012.
There is no need to register to vote. The voting system has been set up and prepopulated with the list of eligible voters.
How to vote- Log in to this site.
- Visit the https://association.drupal.org/2012-vote page. After clicking through, you will be asked to rank each of the eligible voters, from 1st (top choice) to 10th (last choice). You also need to check a box confirming you're an eligible voter. Make your selections and save the form. That's it!
The voting is done using the "Instant Runoff" voting method, powered by Decisions module. For more about this method of voting, please see this helpful YouTube video which explains it with post-it notes: http://www.youtube.com/watch?v=wA3_t-08Vr0
Can I change my mind after I've voted?Yes! Before the close of voting, you can return to the voting form, cancel your previous vote, and submit a new vote.
When will voting close?Tuesday, February 7, 2012 is the last day of voting. Voting will close at 00:00 UTC on Wednesday, February 8, 2012.
How will results be determined and announced?When voting closes, a four-member elections team will review the results and post them to this site (association.drupal.org). Results will then be forwarded to the Drupal Association board for ratification.
The election team includes Angela Byron, DA board member; Cary Gordon, DA board member; Nedjo Rogers, DA advisory board member; and Thomas Svenson, Drupal community member who participated in the community process of planning the elections.
Why was voting delayed?We had focused a bit too much on organizing the elections and left finalizing the actual voting system till the last minute. After several community members and Drupal Association staff pitched in, we got the elections system up about 3 hours after the planned opening of voting.
Wait. Only XXX eligible voters? What gives?Despite the fact that the voting form lists far fewer, there are actually 270K Drupal.org accounts that fit the voter eligibility criteria. Valid accounts are added to the electorate list when they visit the Association website. These shenanigans are due to the Bakery module, our single-sign on solution, and the requirement to reconcile peoples' Association.drupal.org user IDs and their Drupal.org user IDs.
Problems and solutionsIf you believe you are eligible to vote and try to vote and cannot or encounter some error, please post an issue to the Drupal Association issue queue, selecting "elections" as the component.
More about the elections
Categories: Development News, Drupal
PHP 5.3.10 Released!
The PHP development team would like to announce the immediate
availability of PHP 5.3.10. This release delivers a critical security
fix.
Security Fixes in PHP 5.3.10:
Fixed arbitrary remote code execution vulnerability reported by Stefan
Esser, CVE-2012-0830.
All users are strongly encouraged to upgrade to PHP 5.3.10.
For source downloads please visit
our downloads page, Windows binaries can be found
on windows.php.net/download/.
SA-CONTRIB-2012-016 - Forward module CSRF and Access bypass
- Advisory ID: DRUPAL-SA-CONTRIB-2012-016
- Project: Forward (third-party module)
- Version: 6.x, 7.x
- Date: 2012-February-01
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass, Cross Site Request Forgery
The Forward module enables you to add a "forward this page" link to each node. The link takes regular site visitors to a form where they can generate an email to a friend. The module exhibits multiple vulnerabilities as described below.
The module includes "Recent forwards" and "Most forwarded" blocks that display the titles of the most recently forwarded nodes and the nodes forwarded the most for all time. The module doesn't check that site visitors have permissions to view the node titles listed in these blocks, resulting in an access bypass. This vulnerability is mitigated by the fact that these blocks are disabled by default.
The module includes a "Dynamic Block" feature which adds a listing of the top 5 node titles to the bottom of the generated email to a friend. The module doesn't sufficiently check that the email recipient has permission to view the node titles included in the block, resulting in an access bypass. This vulnerability is mitigated by the fact that the Dynamic Block feature is disabled by default.
The module includes clickthrough tracking so that the site administrator can determine which emails are generating the most clicks back to the site. The tracking code is vulnerable to CSRF because it uses a publicly available link that could be manipulated to falsely boost the perceived importance of a node.
Versions affected- Forward 6.x-1.x versions prior to 6.x-1.21
- Forward 7.x-1.x versions prior to 7.x-1.3
Drupal core is not affected. If you do not use the contributed Forward module, there is nothing you need to do.
SolutionInstall the latest version:
- If you use the Forward module for Drupal 6.x, upgrade to Forward 6.x-1.21
- If you use the Forward module for Drupal 7.x, upgrade to Forward 7.x-1.3
The upgrade is "code only" and does not require running the database update script.
IMPORTANT: Administrators of sites that rely on the Dynamic Block access bypass to operate correctly need to visit the Forward configuration page and explicitly select the Dynamic Block Access Control bypass option after upgrading. This should be rare, so most site administrators can simply upgrade the module without the need for additional configuration.
See also the Forward project page.
Reported by- Greg Knaddison (greggles) of the Drupal Security Team
- John Oltman the module maintainer
- Greg Knaddison (greggles) of the Drupal Security Team
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
SA-CORE-2012-001 - Drupal core multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CORE-2012-001
- Project: Drupal core
- Version: 6.x, 7.x
- Date: 2012-February-01
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.
This issue affects Drupal 6.x and 7.x.
OpenID not verifying signed attributes in SREG and AXCVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.
This issue affects Drupal 6.x and 7.x.
Access bypass in File moduleCVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.
This issue affects Drupal 7.x only.
Versions affected- Drupal 6.x core prior to 6.23.
- Drupal 7.x core prior to 7.11.
Install the latest version:
See also the Drupal core project page.
Reported by- The Aggregator module CSRF vulnerability was reported by Dylan Tack of the Drupal Security Team.
- The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
- The File module access bypass issue was reported by David Rothstein of the Drupal Security Team, and by Sascha Grossenbacher.
- Aggregator CSRF issue fixed by Dave Reid of the Drupal Security Team
- OpenID issue fixed by Vojtech Kusy and Christian Schmidt
- The File module access bypass issue was fixed by David Rothstein of the Drupal Security Team, Sascha Grossenbacher, and Derek Wright of the Drupal Security Team.
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
SA-CORE-2012-001 - Drupal core multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CORE-2012-001
- Project: Drupal core
- Version: 6.x, 7.x
- Date: 2012-February-01
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.
This issue affects Drupal 6.x and 7.x.
OpenID not verifying signed attributes in SREG and AXCVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.
This issue affects Drupal 6.x and 7.x.
Access bypass in File moduleCVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.
This issue affects Drupal 7.x only.
Versions affected- Drupal 6.x core prior to 6.23.
- Drupal 7.x core prior to 7.11.
Install the latest version:
See also the Drupal core project page.
Reported by- The Aggregator module CSRF vulnerability was reported by Dylan Tack of the Drupal Security Team.
- The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
- The File module access bypass issue was reported by David Rothstein of the Drupal Security Team, and by Sascha Grossenbacher.
- Aggregator CSRF issue fixed by Dave Reid of the Drupal Security Team
- OpenID issue fixed by Vojtech Kusy and Christian Schmidt
- The File module access bypass issue was fixed by David Rothstein of the Drupal Security Team, Sascha Grossenbacher, and Derek Wright of the Drupal Security Team.
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Drupal 7.12 and 6.24 released
Drupal 7.11 and 6.23, maintenance releases which fix security vulnerabilities are now available for download.
Drupal 7.12 and 6.24 also fix other issues reported through the bug tracking system.
Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement, more information on the 6.x releases can be found in the Drupal 6.0 release announcement. Drupal 5 is no longer maintained, upgrading to Drupal 6 is recommended.
Security information
Changelog
We have a security announcement mailing list, a history of all security advisories, and an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.
Drupal 7 and 6 include the built-in Update status module, which informs you about important updates to your modules and themes.
Bug reportsBoth Drupal 7.x and 6.x branches are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.
Drupal 7.11 only includes fixes for security issues. Drupal 7.12 also includes bugfixes. The full list of changes between the 7.10 and 7.12 releases can be found by reading the 7.12 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.
Drupal 6.23 only includes fixes for security issues. Drupal 6.24 also includes bugfixes. The full list of changes between the 6.22 and 6.24 releases can be found by reading the 6.24 release notes. A complete list of all bug fixes in the stable 6.x branch can be found at git commit log.
Security vulnerabilitiesDrupal 7.11 and 6.23 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:
To fix the security problem, please upgrade Drupal.
What is included with each release?
We made two versions of both Drupal 7 and 6 available, so you can choose to only include security fixes (Drupal 7.11 and 6.23 respectively) or security fixes and bugfixes (Drupal 7.12 and 6.24). You can choose your preferred version. We are trying to make it easier and quicker to roll out security updates by making security-only releases available as well as ones with bugfixes included. We hope this helps you roll out the fixes as soon as possible. Read more details in the handbook.
Update notesThe default.settings.php file was changed in Drupal 7.12, to add documentation about PDO attribute override capabilities that were added as a result of #1309278: Make PDO connection options configurable.
The robots.txt file was changed in Drupal 6.24 to block filter tips from search engines. The .htaccess and (default.)settings.php files were not changed in Drupal 6. Additionally, indexes were added to the node_comment_statistics and comment tables, for performance.
Known issues # Drupal 7Bug fixes in 7.12 release cause problems with the Internationalization (i18n) module. Users of these modules are encouraged to update to 7.11 to get the security fixes, and hold off on the 7.12 upgrade until the 7.x-1.4 release.
Drupal 7.12 is also only compatible with Menu Block 7.x-2.3 and higher.
Drupal 6In Drupal 6.24, if you have the contributed user_delete module enabled on your site, the update will fail with a Cannot redeclare user_delete_access() error. An update of user_delete module is being worked on.
In Drupal 6.24 if you had locale module enabled earlier, but it is not currently turned on, the update will fail with Call to undefined function locale_inc_callback(). A fix is being worked on for Drupal core.
In Drupal 6.24 if you run your updates with Drush, you might experience duplicate entry errors in your system table. See the ongoing discussion at http://drupal.org/node/1425868
Categories: Development News, Drupal
Drupal elections this week: all candidates meetings and when to vote
Elections for at large Drupal Association elections are kicking into high gear with two all candidates meetings this week before voting opens Friday.
Election candidates will participate in all candidates meetings are scheduled over the next two days (Wed., Thurs. or Fri., depending on your location). The first meeting, intended to work for people in the Asia and the Pacific, is scheduled for 01:00 UTC on Thursday. That's 5 PM PST on Wednesday for those in the US and Canada.
The second all candidates meeting at 17:00 UTC Thursday is timed for participants in Europe, Africa, and the Americas.
Then on Friday voting will open. Details on voting will be posted to association.drupal.org.
See the elections announcement for more on how to learn about the candidates.
Categories: Development News, Drupal
DrupalCon Denver Final Sessions Are Posted
The final session selections for DrupalCon Denver were announced this week. DrupalCon will take place March 19-23, 2012. Get your tickets soon so that you don't miss out on over 100 sessions across 8 tracks! This year we have added tracks specifically for Non-profit, Government & Education, in addition to Community, Commerce, Mobile, Design & User Experience, Business & Strategy, Coding & Development, Site Building, and Core Conversations.
Conference Dates:
March 19 - Pre-conference trainings -- over 16 from beginners to advanced + API Hack-a-thon
March 20 - 22 - Three complete days of 104 sessions starting with Keynotes: Dries Buytaert, Founder of Drupal and Drupal Project lead, Mitchell Baker, chairperson for the Mozilla Foundation, and Luke Wroblewski, digital product leader coming to talk about mobile.
March 22 - Drupal Means Business - included with conference registration to learn how to integrate Drupal into your business.
March 23 - All-day Contribution Sprint -- one of the largest anywhere!
Plus, parties, ski trips, networking, contests and more, all for the $350 conference fee! Thank you to our wonderful sponsors for helping this to remain one of the lowest cost open source conferences around.
Get your ticket to DrupalCon Denver today. What are you waiting for? We want to see you in Denver!
P.S. Conference registration is $350 until February 21 or when tickets are gone! Early registration helps us to plan the conference and keep our costs low by only ordering what is needed. A limited number of 1/2-priced student tickets are still available.
Follow @drupalcon on Twitter or find us on Facebook.
Categories: Development News, Drupal
SA-CONTRIB-2012-015 - Managesite - Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2012-015
- Project: Managesite (third-party module)
- Version: 6.x
- Date: 2012-January-25
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
This module provides a way to build a control panel similar to the one provided by Drupal 7 on the admin zone (/admin). The module doesn't sufficiently filter user supplied text in the administration settings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer managesite".
Versions affected- Managesite 6.x-1.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed Managesite module, there is nothing you need to do.
SolutionInstall the latest version:
- If you use the Managesite module for Drupal 6.x, upgrade to Managesite 6.x-1.1
See also the Managesite project page.
Reported by Fixed by- jacinto capote robles the module maintainer
- Greg Knaddison of the Drupal Security Team
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
SA-CONTRIB-2012-014 - Drupal Commerce - Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2012-014
- Project: Drupal Commerce (third-party module)
- Version: 7.x
- Date: 2012-January-25
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Drupal Commerce is a flexible eCommerce framework built on Drupal 7 that lets you construct any type of eCommerce website. Part of its flexibility lies in its ability to render product fields into node displays through the product reference field used to build dynamic Add to Cart forms. In Drupal Commerce 1.1 this feature was expanded to also incorporate the "extra fields" of products, i.e. the product title and SKU.
The theme functions used to render product titles and SKUs prints those variables to the page without properly sanitizing them first. A user with the proper permissions could create a product that ends up in a node display where a malicious title or SKU is rendered.
This vulnerability is mitigated by the fact that the attacker must have a role with a product creation permission, and since Drupal Commerce 1.1, the site must have been updated to make use of these extra fields in product display nodes as they default to being hidden on all product displays.
Versions affected- Drupal Commerce version 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Drupal Commerce module, there is nothing you need to do.
SolutionInstall the latest version:
- If you use Drupal Commerce 7.x-1.1, upgrade to Drupal Commerce 7.x-1.2
See also the Drupal Commerce project page.
Reported by- Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
- Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
- Ryan Szrama (rszrama) the module maintainer
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
SA-CONTRIB-2012-013 - Search Autocomplete - SQL Injection
- Advisory ID: DRUPAL-SA-CONTRIB-2012-013
- Project: Search Autocomplete (third-party module)
- Version: 7.x
- Date: 2012-January-25
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: SQL Injection
The Search Autocomplete module allows you to add autocomplete functionality to the search fields of a Drupal site.
Search Autocomplete does not properly use Drupal's database API, making it possible for a malicious user to carryout SQL injection on the site. This vulnerability is mitigated by the fact that users must have a role with permission "use search_autocomplete" to exploit.
Versions affected- Search Autocomplete versions prior to 7.x-2.1.
Drupal core is not affected. If you do not use the contributed Search Autocomplete module, there is nothing you need to do.
SolutionInstall the latest version:
- If you use the Search Autocomplete module for Drupal 7.x, upgrade to Search Autocomplete 7.x-2.1
See the Search Autocomplete project page for more information.
Reported by Fixed by- Dominique Clause (Miroslav Talenberg) the module maintainer
- Miguel Hermo (serans)
- Ben Jeavons of the Drupal Security Team
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
PHP 5.4.0 RC6 released
The PHP development team announces the 6th
release candidate of PHP 5.4.
PHP 5.4 includes new language features and removes several legacy
(deprecated) behaviours. Windows binaries can be downloaded from the
Windows QA site.
THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!.
This is the 6th release candidate. The release candidate phase is intended as
a period of bug fixing prior to the stable release. No new features should
be included before the final version of PHP 5.4.0.
The 6th release candidate focused on improving traits. Please test
them carefully and help us to identify bugs in
order to ensure that the release is solid and all things behave
as expected. Please take the time to test this release candidate
against your code base and report any problems that you encounter
to the QA mailing list and/or
the PHP bug tracker.
A complete list of changes since the last release candidate can be
found at NEWS
The next candidate will be released on Feb 2.
Getting Involved in the Drupal Community: Survey Results
Introduction
Drupal.org has over 725,000 registered members in 228 countries. However, only a very small percentage of this members contribute back to the project. Why is this? How can we attract more contributors? What can we do to make it easier for people to contribute? Which areas of the Drupal project would people want to contribute?
To get answers to these questions, two surveys were conducted in 2011 by the community to understand the experience of contributing or considering to contribute to the Drupal project.
This is a combined report of 358 respondents’ responses to the surveys.
MethodologyThe first survey focused on the Drupal contribution experience for the Prairie initiative and received 303 responses. It was written and conducted by Leisa Reichelt (leisareichelt) that ran from April 25, 2011 to September 20, 2011.
The second, the Getting Involved survey, [list of questions] received 55 responses. It was written and conducted by Heather James (heather), Dharmesh Mistry (dcmistry) and Lisa Rex (lisarex) from October 21, 2011 to November 9, 2011. This survey focused on the respondent’s Drupal profile; their expectations, roadblocks, motivations; and Drupal areas that need most contributors, among many other things.
Profile of the respondents Prairie SurveyOf the 303 respondents, 64% were non-coders and 31% were non-active contributors.
A big majority (71%) of the respondents from the survey identified themselves as “an established, active member of the community”. The majority of the respondents regularly contribute (41%) and a good amount stated that they contribute occasionally (36%). The majority of the non-active contributors (36%) have never contributed to the project.
The majority of the respondents identified themselves as Site Builder (68%), and/or Developer (59%). A significant portion of respondents identified themselves as Themer (34%) and/or Project Manager (29%). It is also worth noting that 73% of the respondents cited Drupal as their source of income.
Note: Each of the surveys focused on different aspects of Drupal contributions.
Executive SummaryThe findings from both surveys are summarized below, but also see:
- Detailed analysis and findings from the Prairie 2011 survey
- Detailed analysis and findings from the Getting Involved 2011 survey
From the Getting Involved survey, it was found that the big motivator for people to contribute was simply to improve Drupal and support its community (40%). The other motivator was to grow their knowledge and network (25%). However, when the Getting Involved survey asked about their opinion about the existing community structure, a majority of the respondents (48.9%) had a negative reaction. They thought it was fragmented, chaotic, not great and could use improvements.
The majority of respondents of the Prairie survey thought the experience of contributing was:
- “Very much” rewarding and collaborative: Majority of the respondents of the Prairie survey thought the experience of contributing to the Drupal project was “very much” collaborative (47%) and rewarding (46%). However, the non-coders and the non-active contributors either stayed with “somewhat” or swayed between “very much” and “somewhat” with no statistical significance.
- “Not really” to “somewhat” efficient: Majority thought the process of contribution was “not really” efficient (43%) or “somewhat” efficient (40%) with no significant statistical difference between the responses. Non coders shared the same feeling.
- “Somewhat” intimidating, confusing, unwieldy and supportive: The respondents of the second survey thought the experience of contributing to the Drupal project was “somewhat” intimidating (46%), confusing (49%), unwieldy (43%) and supportive (52%).
- Split between “Very much” and “Somewhat” inspiring, exciting and friendly: When asked about the experience of contributing in terms of inspiration, excitement and friendliness, the majority swayed between “very much” and “somewhat” responses with no significant statistical difference. It is worth noting that in all the four categories (Rewarding, Inspiring, Excitement and Friendly), the majority of non-coders and non-active contributors stuck to “somewhat”.
Respondents of the Getting Involved survey mostly want to contribute on Documentation/technical writing and PHP development/LAMP (54% each). The next area with the most interest is training (46%) and Mentoring/Support (32%).
What areas need the most contributions?The respondents thought documentation (12 respondents), Drupal.org. (7 respondents) and Design/UX/Usability (6 respondents) needed the most attention from other contributors.
What areas of Drupal community do you think need the most contributions?
Although the respondents from the second survey thought the contributing experience was “very much” collaborative, majority (47%) thought “Redesign the issue page to make it easier to collaborative effectively” as a “very important” initiative. Besides that, the respondents (overall, non coders and non active contributors) agreed (47%) that “Redesigning parts of Drupal.org to help newbies find ways to start contributing” as “very important”. This number was higher for non active contributors (55%) than the others.
Other FindingsAcross profiles (of the second survey), “Creating ‘team’ pages to aggregate activities and people interested in a topic” (48%) and “Designing better tools for planning large initiatives” (41%) were deemed as “quite important”.
For “Designing a reputation system to show what different people are expert in and how well they are known by the Drupal community” majority of respondents swayed between quite important (32%) to less important (39%). This was also true for non coders and non active contributors.
Roadblocks to contributingThe major roadblock from they getting involved was lack of information on how to get involved (and whom to contact) (42%). This issue of getting started (48%) was also found in the Prairie survey.
- Lack of information on how to contribute, what to work on or whom to contact (42%)
- Don’t have time (18%)
- “I don’t know enough technically” (16%)
- Intimidation factor (13%)
- Want to talk/need guidance from mentors (13%)
- Slow turn around time to get feedback/or to get committed (7%)
Only 16% of the respondents of the Prairie survey visit the ‘Get Involved’ pages on Drupal.org. 46% of Prairie survey respondents took the opportunity to complain about Drupal.org. They wanted a better Drupal.org. (24%), better tools to collaborate (5%), and an efficient issue queue (5%). For Drupal.org., they particularly wanted to find information easily (4%).
How could we improve the experience?To make the experience of contributing better, non-contributors wanted better information to get started. And the contributors reiterated this when asked what would have been helpful when they started contributing. Besides that, the second most important thing that mattered was the human aspect. The personal touch would have been helpful to the contributors while they were starting and the non contributors want to work with experienced contributors. It is worth noting here that a significant number of respondents are interested in helping with this (Training - 46%, Mentoring/Support - 32%). (Responses from the Getting Involved survey)
Other noteworthy things- Designers and non-programmers who responded (11) to open-ended question in the Prairie survey complained that contributing to the project was heavily code focused, that designers did not get the credit they deserved, and that they did not know how the non-coders could contribute to the project. Like the respondents from the Getting Involved survey, the non-programmers also reiterated that they did not know where they were needed.
- A small but considerate amount of Prairie survey respondents were discouraged by other community members and slow turn around time (8% each)
- The Getting Involved survey also asked as to what do they expect from a community leader, and they wanted someone who could moderate discussions/issues, offer guidance, and carve a plan for the community.
We hope the findings from the survey will be helpful to the Drupal Association and the community on the next big priorities for Drupal.org. It is evident from the findings that a significant effort is required to provide effective, easy-to-find information on how to get started with contributing to the Drupal community. However, help from other community members is needed to keep the momentum going.
Next stepsSome conversations/efforts have begun toward this goal of improving the contributor experience, such as redesigning the Community, Support and Getting started landing pages, redesigning the issue queue and more.
We need to identify areas that need leaders, and areas that need contributors. Contributors are in demand for documentation especially.
If you are interested to contribute to this effort to provide better documentation for getting started with contributing, great! There are several open issues on improving Getting Involved content, including the Getting Involved landing page and Getting Involved Guide. Please visit this link to read about other community initiatives that might be of interest to you. If you are unsure where you can best help, please contact Lisa Rex (lisarex), who can point you in the right direction.
If you have any questions about the survey/findings, please feel free to contact Dharmesh Mistry (dcmistry).
Categories: Development News, Drupal
ConFoo 2012
ConFoo 2012 in Montreal, Canada on Feb 29 - Mar 02
ConFoo is the unique web conference in Canada gathering different
tech communities in one place.
find working solutions for your day to day challenges;
discover new tools that increase your productivity;
network with people from some of the world’s biggest companies;
160 presentations focusing on core competencies improvement;
Don't miss this great opportunity and register today!
Also check out our two training days
around PHP, HTML5, Symfony2 and security topics right before the
conference.
Candidates Needed: Drupal Association 2012 elections are on!
Come one, come all! As of January 18, 2012 nominations are open for the 2012 elections of two "at large" directors of the Drupal Association.
The at large directors are intended to represent the Drupal community. Specifics of the election were decided through a community-based process with participation by dozens of Drupal community members. More details are in the proposal that was approved by the Drupal Association board.
Who can vote?Voting is open to all individuals who have a drupal.org account by the time the elections begin and who have logged in at least once in the past year. These individuals' accounts will be added to the voters list on association.drupal.org and they will have access to the voting.
To vote, you will rank candidates in order of your preference (1st, 2nd, 3rd, etc.). The results will be calculated using an "instant runoff" method. For an accessible explanation of how instant runoff vote tabulation works, see videos linked in this discussion.
How to runCandidates needed! If you are considering running, please head over to the nominations page and read up on what's involved. From there you can fill out a candidate profile. You'll be asked for some information about yourself, like why you're running . When the nominations close, your candidate profile will be published and available for Drupal community members to browse. Comments will be enabled, so please monitor your candidate profile so you can respond to questions from community members.
Elections processElections will be held from January 30 to February 7, 2012. During this period, you can review and comment on candidate profiles on association.drupal.org and engage all candidates through posting to the Drupal Association group. We'll also be scheduling and announcing two phone-in all candidates meetings, where community members and candidates can ask questions and get to know each other.
Thanks and see you at the polls! We'll post another front-page announcement and announce via @drupal on Twitter when we're ready to go.
Categories: Development News, Drupal
SA-CONTRIB-2012-012 - Quicktabs - Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2012-012
- Project: Quick Tabs (third-party module)
- Version: 6.x, 7.x
- Date: 2012-January-18
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The Quick Tabs module allows users to create blocks of tabbed content, specifying a title for the block and the individual tabs.
Quick Tabs does not do sufficient filtering of user supplied text which presents a cross site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a user account with a role permitted to create or edit a Quicktabs instance.
- Quicktabs 6.x-2.x versions prior to 6.x-2.1.
- Quicktabs 6.x-3.x versions prior to 6.x-3.1.
- Quicktabs 7.x-3.x versions prior to 7.x-3.3.
Drupal core is not affected. If you do not use the contributed Quick Tabs module, there is nothing you need to do.
SolutionInstall the latest version:
- If you use the Quicktabs 2.x module for Drupal 6.x, upgrade to Quicktabs 6.x-2.1
- If you use the Quicktabs 3.x module for Drupal 6.x, upgrade to Quicktabs 6.x-3.1
- If you use the Quicktabs 3.x module for Drupal 7.x, upgrade to Quicktabs 7.x-3.3
See also the Quick Tabs project page.
Reported by- Owen Barton of the Drupal Security Team
- Michael Smith
- Katherine Bailey the module maintainer
- Michael Smith
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
SA-CONTRIB-2012-011 - Panels - Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2012-011
- Project: Panels (third-party module)
- Version: 6.x
- Date: 2012-January-18
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The Panels module allows a site administrator to create customized layouts for multiple uses.
The module doesn't sufficiently sanitize administrator supplied data.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer panel layouts".
- Panels 6.x-2.x versions prior to 6.x-3.10.
Drupal core is not affected. If you do not use the contributed Panels module, there is nothing you need to do.
SolutionInstall the latest version:
- If you use the Panels module for Drupal 6.x, upgrade to Panels 6.x-3.10
See also the Panels project page.
Reported by Fixed by- Justin Klein Keane
- Earl Miles the module maintainer
- Greg Knaddison of the Drupal Security Team
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
SA-CONTRIB-2012-010 - stickynote - Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CONTRIB-2012-010
- Project: stickynote (third-party module)
- Version: 7.x
- Date: 2012-January-17
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Cross Site Request Forgery
This module enables you to add textual notes in a block to perform quality assurance of your site.
Previously it did not sufficiently protect against Cross Site Scripting (XSS) or Cross Site Request Forgery (CSRF).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "delete stickynotes" or "edit stickynotes".
- Stickynote 7.x-1.x versions prior to 7.x-1.1
Drupal core is not affected. If you do not use the contributed stickynote module, there is nothing you need to do.
SolutionInstall the latest version:
- If you use Stickynote version 7.x-1.x download 7.x-1.1.
See also the stickynote project page.
Reported by- Greg Knaddison of the Drupal Security Team
- Luke Herrington the module maintainer
- Greg Knaddison of the Drupal Security Team
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Docs Team 4th Quarter 2011 Update
Hello from Jennifer, your friendly Drupal Documentation Team leader! It’s time for a quarterly update on what’s happening in the Documentation team. As you probably heard, Ariane's role in the Documentation Team has changed, and she is no longer my co-leader (sob!), so I'm looking for a new deputy leader or co-leader (watch http://groups.drupal.org/documentation-team for details). Here's what Ariane and I oversaw in the Documentation Team at the end of 2011, with a look forward to 2012.
September - December Events- The Documentation Team is holding weekly ”Documentation Office Hours"—one-hour IRC meetings on Tuesday afternoon (North American time), open to anyone for questions and discussions about contributing to documentation. It seems like it's been very helpful to have a definite time when people can get together on IRC, and we plan to continue with this schedule for the foreseeable future.
- In October, I was able to attend the Friday of the Bay Area Drupal Camp (BADCamp). We had a small documentation sprint, and a few people got up to speed on writing API documentation patches. Also, Kathy (kathyh) spent the afternoon writing a new guide for novice contributors to Drupal core, based on her experiences as a novice contributor -- thanks Kathy!
- We started an API documentation cleanup sprint in November, to bring the Drupal 8 and Drupal 7 core API documentation much more in line with our documentation standards (see meta issue). My big hopes for this sprint:
- Lots of documentation cleanup -- YES! The sprint is not finished yet, but MUCH more of our documentation is up to standards. In the process, a lot of weird wording has been fixed, and the documentation is clearer and easier to scan. Also, people usually copy/paste an existing documentation header when creating new documentation (or at least use an existing one as a model), so the more we clean up existing documentation, the better future documentation is likely to be.
- Lots of participants -- YES! My hope was that some people new to contributing to Drupal API documentation would see the sprint as a good way to get up to speed on making Drupal patches, and on the API documentation standards. And they did!
- Build a Drupal Core Documentation Issue Queue Squad -- Yes! Part-way through the sprint, I put out a call for participants to start reviewing other people's patches as well as creating patches, and they did! And now some of them are helping out with the "documentation" component of the Drupal Core issue queue -- watching for new issues, making patches, reviewing other's patches -- which was my secret hope all along (for the last several years, it's been a rather lonely issue queue, since I have had to either write or review nearly every patch in it -- that model is not sustainable, so I'm really happy to have some company).
Thanks to xjm, xenophyle, sven.lauer, Lars Toomre, aenw, rc_100, jn2, aspilicious, chris.leversuch, barlantz, synth3tk, agentrickard, ... and probably more who joined after I made this list -- sorry if I forgot your name! This sprint is still going on, so if you’d like to participate, visit the meta issue, which has full instructions (novice contributors welcome!).
The last quarter of 2011 saw some changes to Drupal.org that are quite beneficial to Documentation writers, editors, and users -- and more are on the way! Here's a list:
- After much discussion, we came up with an overview plan for how to restructure Drupal documentation into Community, Curated/Help, API, and External Index documentation in September of 2011 (see http://groups.drupal.org/node/175174). During this quarter, we started putting the transformation into place. The first step was a mammoth design issue (190+ comments!) for the Community Documentation (which is a rename of the existing Documentation on Drupal.org in the early fall. The results of that process are partly deployed (read on for details), and more are coming soon.
- One of the main conclusions of the mammoth design issue was that one of the biggest barriers we see to people contributing to the online documentation on drupal.org is reluctance to click the Edit button -- people just aren’t sure whether it’s really OK. So, the redesign of the documentation pages that was deployed in January 2012 included:
- The existing Documentation pages on Drupal.org have now been renamed "Community Documentation", to reduce the perception that you have to be part of the "documentation team" in order to edit.
- The page status and other meta-information has been moved to the sidebar
- At the top, there’s a list of several people who have edited the page, with a clear invitation for you to edit the page.
Hopefully these changes will help overcome this barrier -- we’ll see!
- We added two taxonomies to Drupal.org documentation pages: keywords and experience level. Right now, they have only been selected on a few pages, but hopefully going forward the keywords will help people find related pages, and the level will help set expectations for the knowledge level needed to understand the page.
- Everyone can now upload images to Drupal.org (issue). Angie/webchick and Daniel/sun made a module that made it safe for people to upload images, and it was deployed in October of 2011. There are followup plans to remove the restrictive Documentation input format from most pages (i.e., to unlock those pages), and to get rid of the Documentation Admin role -- no one should need this role now, since everyone can now upload images and use tables using the default Filtered HTML input format.
- BUEditor was deployed on Drupal.org in October of 2011. This module adds a small toolbar with HTML shortcuts to rich text fields (documentation node bodies, comments, etc.). While this falls short of being a WYSIWYG editor, due to security concerns with existing WYSIWYG modules, this is probably as close as we'll get for the foreseeable future.
- Neil Drumm and Jennifer spearheaded an effort to commit and deploy some updates to the software for api.drupal.org in November 2011 -- thanks to aenw, solotandem, and Greyside for contributing patches for that deployment! If you would like to work on the API module, check out the issue queue (http://drupal.org/project/issues/api) or find jhodgdon in IRC to get oriented. A new deployment to api.drupal.org should be coming shortly, with a lot of user interface updates and more new contributors. Stay tuned!
If you're interested in helping with Drupal documentation:
- New contributors: start at http://drupal.org/contribute/documentation to learn all about contributing to documentation, or come to the weekly office hours (see Events section above) to ask questions and get started. (Jennifer recently edited this whole section, so it should be up to date.)
- Drupal Documentation announcements, discussions, and events are posted on http://groups.drupal.org/documentation-team and on Twitter (@drupaldocs).
- API documentation cleanup sprint (for programmer-documenters): http://drupal.org/node/1310084
- Work on the API module: http://drupal.org/project/issues/api -- the issues are all prioritized, so look for ones with priority "major" for the current priorities. Or pick up any issue you're interested in -- we won't say No to a good patch.
Categories: Development News, Drupal
SA-CONTRIB-2012-009 - Revisioning - Access bypass
- Advisory ID: DRUPAL-SA-CONTRIB-2012-009
- Project: Revisioning (third-party module)
- Version: 7.x
- Date: 2012-January-18
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass
This module enables you to create moderation publication workflows, allowing authors to create content that isn't visible to the public until it has been approved by a moderator/publisher.
The module's implementation of hook_node_access() assumes that access is to granted/denied based on the logged-in user's permissions. However, the hook may be invoked in contexts whereby the access grants are to be returned for a particular account passed into the hook. This could result in an access bypass vulnerability if node_access() is called for a specific user account.
This vulnerability happens when using the XML sitemap module which as a result will disclose the URLs of un-accessible or unpublished content to anonymous users. The actual content itself is not disclosed.
Versions affected- Revisioning 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Revisioning module, there is nothing you need to do.
SolutionInstall the latest version:
- If you use the Revisioning module for Drupal 7.x, upgrade to Revisioning 7.x-1.3.
See also the Revisioning project page.
Reported by- Dave Reid, Drupal Security Team member
- Adam Bramley
- Dave Reid, Drupal Security Team member
- Rik de Boer, module maintainer
- Dave Reid, Drupal Security Team member
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
